Rustock Botnet Takedown

Science & Technology/Student Living

If you typically stock up on “V1aGr4” and “C!AL!$” from suppliers who email you individually, expect to have a bit more trouble over the coming weeks. Last week, Microsoft shut down the largest source of spam emails on the Internet, the Rustock botnet.

A botnet is a large collection of computers that have been commandeered and are all working together with malicious intent. A botnet’s strength lies in its numbers. Only by exploiting tens or hundreds of thousands of machines can the botnet succeed at its purpose: sending massive amounts of spam email.

The infection spreads from computer to computer, and each infected machine registers itself with a command server, from which it receives instructions about what it should do. In the case of Rustock, these instructions were often to check the infected machine’s contact list for email addresses and begin sending spam messages to those people, and to any other addresses it could get hold of. A single Rustock-infected machine was observed sending spam messages at a rate of 10,000 per hour. At its peak, Rustock sent over 30 billion emails per day, which amounted to 33 per cent of all spam email.
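As an added illustration, not part of the original article, here is a small defender-side check for the behaviour just described: counting outbound messages per internal host per clock hour and flagging hosts that blast mail to many distinct recipients. The log format, host names and threshold are constructed for the example; the 10,000-per-hour figure is the article’s, and a real threshold would be tuned to a site’s normal outbound volume.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an outbound mail relay log (not real data):
# "<ISO timestamp> <internal host> -> <recipient>".
SAMPLE_LOG = """\
2011-03-14T09:00:01 ws-17 -> alice@example.net
2011-03-14T09:00:02 ws-17 -> bob@example.org
2011-03-14T09:00:02 ws-17 -> carol@example.com
2011-03-14T09:00:03 ws-17 -> dave@example.net
2011-03-14T09:00:03 ws-17 -> erin@example.org
2011-03-14T09:00:04 ws-17 -> frank@example.com
2011-03-14T09:15:00 ws-03 -> alice@example.net
2011-03-14T09:40:12 ws-03 -> bob@example.org
2011-03-14T10:00:05 ws-17 -> grace@example.net
"""


def parse_log(text):
    """Yield (hour_bucket, host, recipient) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _, recipient = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        yield hour, host, recipient


def flag_spamming_hosts(text, per_hour_threshold, min_distinct_recipients=3):
    """Return {host: worst_hourly_count} for hosts exceeding the threshold in any hour.

    A host is suspicious when, within one clock hour, it sends more than
    per_hour_threshold messages to at least min_distinct_recipients distinct
    addresses (the recipient check avoids flagging a legitimate bulk resend).
    """
    counts = defaultdict(int)
    recipients = defaultdict(set)
    for hour, host, recipient in parse_log(text):
        counts[(host, hour)] += 1
        recipients[(host, hour)].add(recipient)
    flagged = {}
    for (host, hour), n in counts.items():
        if n > per_hour_threshold and len(recipients[(host, hour)]) >= min_distinct_recipients:
            flagged[host] = max(flagged.get(host, 0), n)
    return flagged


if __name__ == "__main__":
    # Toy threshold of 5/hour for the sample; a Rustock bot at 10,000/hour is far above any sane baseline.
    print(flag_spamming_hosts(SAMPLE_LOG, per_hour_threshold=5))  # {'ws-17': 6}
```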

The Rustock botnet was not only a nuisance but also a serious health hazard. Much of the spam sent by Rustock promoted fake drugs, using Pfizer’s name. These drugs often contained dangerous chemicals and were harmful to those who consumed them. While many might wonder “Who actually clicks on those links?”, in truth there are people who not only click on the questionable links but purchase the products they advertise. Social engineering techniques are often used to convince individuals to purchase illegitimate drugs from the maintainers of the botnet.

Taking down a botnet is no easy task. The coordinators of a botnet often do everything they can to protect themselves. Because the botnet relies on social engineering and phishing techniques to spread, computers are infected when users visit links, and there is no simple fix. While most viruses can be fought with anti-virus software, a botnet is a more complex beast. Often, the best solution is to target those responsible for its distribution, cutting off the head of the organization. Microsoft teamed up with Pfizer, the University of Washington, FireEye, and U.S. marshals in a technical and legal crusade against Rustock. Microsoft and Pfizer both had to generate legitimate reasons and data to back their requests for the seizure of the command centers for the botnet. Once the plea was successful, the seizure of these computers was executed by federal marshals. When left without a commanding server, the botnet is useless. Usually, after taking the command servers down, the search begins for those responsible. Often the perpetrators end up being charged as criminals, as creating and deploying a botnet is one of the most serious forms of cyber crime.

This is not the first instance of a well-executed search-and-destroy operation against a massive botnet. In early 2010, Microsoft successfully seized control of the domain names used by another large botnet, Waledac. Transferring control of these domain names to Microsoft crippled the botnet. Controlling these sorts of threats would not be possible without collaboration between many different companies and governments. Unfortunately, there are many more cyber criminals out there than anyone has time to track down and prosecute. However, Microsoft has taken measures to eliminate some of the more prolific organizations.

Spam has more serious implications than many think, and should not be taken lightly. Many people have spam filters on their email inboxes; however, some messages still get through. It’s important to be vigilant when browsing the Internet, especially when giving away personal information. Avoid clicking on suspicious-looking links and always verify the sender of an email before reading it. Help control the botnet population by using up-to-date antivirus software and being smart about your Internet browsing.