
Bots and botnets comprise one of the biggest threats to the Internet and its users. Successful botnets have proven to be quite resistant against authorities' removal attempts. However, recent news reports a success story: beheading the spam botnet Rustock.
Today's security article will examine this account.
History shows that it has been very difficult to take down big botnets. Their complexity and how they are managed, in addition to their national diversity, have contributed to their resistance against national authorities' attempts to target the cybercriminals behind the botnets.
One of the more successful attempts to terminate a botnet was mentioned in our security article last autumn - Ways to use botnets - the story about the Waledac botnet. That botnet was targeted in a joint operation between Microsoft and other security experts, and used the legal system to cut off communication between the Waledac command and control servers and the bots at the domain level.
In that article, we predicted:
It seems safe to assume that similar initiatives will be taken towards malicious botnets, which turn out to be difficult to stop by other means.
Our prediction came true!
Another example is the initiative by the police in the Netherlands to take down the Taurus botnet. Norman was involved in that operation, as described in this Norman security blog item from 15 November last year.
Other botnets have also been approached in a similar manner, with varying success. However, it seems that one characteristic of successful action against malware is cooperation between different stakeholders, as we discussed in this security article from late 2008.
One of the main problems in taking down a botnet is that the bots (or zombie computers) normally remain infected with malicious software even if they lose their connection to the 'hosts'. If the cybercriminals succeed in reestablishing this connection at a later point in time, the botnet is up and running again.

The botnet Rustock has been around for several years, and was one of the major botnets. At one point in time, it was estimated that spam sent from this botnet accounted for 80% of all spam, and that it was capable of sending 30 billion email spam messages in one single day. Much of this spam was advertising fake pharmaceuticals, typically Viagra.
The structure of Rustock was set up like this:
Analysis of the bots enabled identification of the C&C servers. Unlike other botnets, the C&C servers used in Rustock were not identified by domain names. Their identities were hard-coded in the botnet malware by IP address. This meant that a different technique had to be used to take down Rustock than the one used to sever communication between C&C servers and zombies in the Waledac case - i.e. cutting the communication at the domain name level.
The Rustock botnet was approached in a similar manner as Waledac. A joint operation was conducted between Microsoft and the following entities:
Involved were also Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) around the world, including the Chinese CNCERT/CC.
As in the Waledac case, the legal system in the United States was used. Microsoft filed a (sealed) complaint against John Does 1-11 in the U.S. District Court, Western District of Washington at Seattle.
Microsoft alleged that these "John Does" had violated Federal and state law. This violation consisted of operating a computer botnet, which caused unlawful intrusion, intellectual property violations and dissemination of unsolicited bulk email to the injury of Microsoft and the public.
The court allowed Microsoft to work with the U.S. Marshals Service. Evidence was physically captured onsite, including taking servers from hosting providers for analysis. Servers were seized from five providers operating in seven U.S. cities. Almost all the C&C servers were located within the U.S.
However, it seems that Rustock had a backup system for connecting zombie computers to C&C servers using domain names. To prevent this backup mechanism from functioning, many hundreds of domain names were seized. In addition, Microsoft acquired even more unused - potential - domain names to prevent these from being used for future illegitimate purposes.
For this operation to be successful, one requirement was a high level of operational secrecy. Thus, the public was not aware of the process.
The first observation that something special was happening seems to have come from security expert Brian Krebs, who wrote on his blog on 16 March:
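The two paragraphs above make the point that Rustock's primary C&C addresses were hard-coded IPs while its backup used domain names, so both the servers and the domains had to be seized. The following added example (not Norman's code, and not derived from a Rustock sample) shows the kind of triage an analyst does on a decoded bot configuration: extract embedded IPv4 literals and hostname-like strings, and map what is found to the level at which C&C traffic can be cut. The configuration blob, addresses and domains are constructed for illustration.

```python
import ipaddress
import re

# Constructed stand-in for a decoded bot configuration blob (not a real sample):
# two hard-coded C&C addresses, two fallback domains, and one malformed address.
SAMPLE_CONFIG = (
    b"\x00\x01cfg\x00192.0.2.10\x00198.51.100.7\x00retry=30\x00"
    b"fallback:example.test\x00fallback:backup.invalid\x00203.0.113.300\x00"
)

# Dotted-quad candidates, not preceded/followed by more digits or dots.
DOTTED_QUAD = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Hostname candidates: dot-separated labels ending in an alphabetic TLD.
HOSTNAME = re.compile(rb"(?<![\w.-])((?:[a-z0-9-]{1,63}\.)+[a-z]{2,63})(?![\w.-])", re.I)

def extract_ipv4(blob: bytes) -> list[str]:
    """Return routable IPv4 literals embedded in the blob, deduplicated and sorted."""
    found = set()
    for m in DOTTED_QUAD.finditer(blob):
        text = m.group(1).decode("ascii")
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            continue  # octet out of range, e.g. 203.0.113.300
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            continue  # not a plausible C&C endpoint
        found.add(text)
    return sorted(found)

def extract_hostnames(blob: bytes) -> list[str]:
    """Return hostname-looking strings (potential DNS fallback), deduplicated and sorted."""
    return sorted({m.group(1).decode("ascii").lower() for m in HOSTNAME.finditer(blob)})

def takedown_lever(blob: bytes) -> dict:
    """Map the indicator types found to the level at which C&C traffic can be cut."""
    ips, domains = extract_ipv4(blob), extract_hostnames(blob)
    if ips and domains:
        lever = "both: seize the addressed servers and the fallback domains"
    elif ips:
        lever = "hosting-level: seize or null-route the addressed servers"
    elif domains:
        lever = "domain-level: registrar or DNS seizure"
    else:
        lever = "undetermined: no static C&C indicators found"
    return {"ips": ips, "domains": domains, "lever": lever}

if __name__ == "__main__":
    print(takedown_lever(SAMPLE_CONFIG))
```

For the constructed blob the result lists both IP-based and domain-based indicators, which is the Rustock situation: cutting only one of the two channels leaves the other available for reconnecting the bots.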
(...) late Wednesday morning Eastern Time, dozens of Internet servers used to coordinate these spam campaigns ceased operating, apparently almost simultaneously.
Such an action suggests that anti-spam activists have succeeded in executing possibly the largest botnet takedown in the history of the Internet. Spam data compiled by the Composite Spam Blocklist, the entity that monitors global junk e-mail volumes for the anti-spam outfit Spamhaus.org, shows that at around 2:45 p.m. GMT (10:45 a.m. EDT) spam sent via the Rustock botnet virtually disappeared.
The day after, Microsoft blogged about their involvement, as the U.S. court had unsealed the case documents.
Several spam-monitoring organizations have reported that the volume of spam decreased considerably after the takedown of Rustock. IBM's Internet Security Systems has an interesting overview of spam from different countries. This shows that the U.S., Israel and the U.K. were the countries with the highest reduction in outgoing spam traffic.

Whether the Rustock botnet is permanently removed as a major spam vehicle remains to be seen. However, it is expected to be difficult for the bot herder(s) to reconnect all the zombie computers to the botnet.
What remains a potential problem is that around one million computers in the world are infected with the Rustock client. They need to be cleaned, and this is a task that may require efforts from, for example, ISPs and the antimalware industry.
Hopefully this story shows that joint efforts against cybercrime are a feasible approach, and that Rustock never reappears.
Norman has a special botnet information page with links to lots of our information about bots and botnets.
For information about the successful Rustock take-down, the web resources below are recommended reading.