Microsoft knocks massive spambot offline

By Nicole Kobie

Posted on 18 Mar 2011 at 07:59

Microsoft has helped knock offline a massive spam botnet, known as Rustock.

Working alongside network security firm FireEye, the University of Washington, the Dutch High Tech Crime Unit and Chinese authorities, Microsoft used “knowledge gained” in last year’s takedown of Waledac to target “a larger, more notorious and complex botnet known as Rustock,” said Richard Boscovich, senior attorney for Microsoft’s digital crimes unit (DCU), in a blog post.

Rustock has infected a million computers worldwide, and sends as many as a billion spam emails a day, Microsoft claimed.

“Although its behaviour has fluctuated over time, Rustock has been reported to be among the world’s largest spambots, at times capable of sending 30 billion spam emails per day,” said Boscovich.

“DCU researchers watched a single Rustock-infected computer send 7,500 spam emails in just 45 minutes – a rate of 240,000 spam mails per day. Moreover, much of the spam observed coming from Rustock posed a danger to public health, advertising counterfeit or unapproved knock-off versions of pharmaceuticals.”
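The 7,500-messages-in-45-minutes observation quoted above is the kind of behaviour a network defender can look for directly: an ordinary workstation submits a handful of messages through the organisation's own mail relay, while an infected host opens direct SMTP connections to many remote mail servers at a high rate. The following sliding-window check is an added example, not code from the article or from Microsoft's DCU; the firewall log format, the relay address, the sample traffic and the threshold are all constructed for illustration.

```python
"""Rate-based detector for hosts whose outbound SMTP traffic looks like a spambot.

Added example (not from the article or from Microsoft's DCU).  The log
format, addresses, sample lines and threshold below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window length (constructed choice)
THRESHOLD = 50                   # outbound SMTP connections per window that triggers a flag
MAIL_RELAY = "192.0.2.25"        # the organisation's sanctioned outbound relay (constructed)


def parse_line(line):
    """Parse one constructed firewall line: '<ISO ts> <src_ip> -> <dst_ip>:<dst_port>'."""
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_spambot_candidates(lines, window=WINDOW, threshold=THRESHOLD, relay=MAIL_RELAY):
    """Return {src_ip: (first_flag_time, count_in_window)} for hosts that open
    `threshold` or more direct SMTP (port 25) connections inside `window`.

    Connections to the sanctioned relay are ignored: legitimate mail clients
    submit through it, a spambot delivering straight to remote MXes does not.
    Lines must be in chronological order.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of its recent direct-SMTP connections
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst_ip, port = parse_line(line)
        if port != 25 or dst_ip == relay:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop connections older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = (ts, len(q))
    return flagged


def build_sample_log():
    """Constructed sample traffic: one spambot-like host among two legitimate ones."""
    base = datetime(2011, 3, 17, 10, 0, 0)
    lines = []
    # Legitimate: 10.0.0.7 submits three messages through the sanctioned relay.
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.0.0.7 -> {MAIL_RELAY}:25")
    # Legitimate: 10.0.0.9 browses the web (HTTPS only, never port 25).
    for i in range(80):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.0.0.9 -> 198.51.100.{i % 20 + 1}:443")
    # Spambot-like: 10.0.0.5 opens direct SMTP connections to 120 remote mail servers in six minutes.
    for i in range(120):
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} 10.0.0.5 -> 203.0.113.{i % 200 + 1}:25")
    lines.sort()   # ISO timestamps sort lexicographically, so this yields chronological order
    return lines


if __name__ == "__main__":
    for host, (when, count) in find_spambot_candidates(build_sample_log()).items():
        print(f"{host}: {count} direct SMTP connections within {WINDOW} by {when.time()}")
```

The threshold and window are arbitrary and should be tuned to the network; a host that legitimately runs a mail server needs an allow-list entry. Many organisations side-step the question by blocking outbound port 25 from everything except the relay, in which case the same log search simply becomes a check for firewall denies rather than a rate count.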

While Rustock didn’t send malware, spam is a “symptom of greater threats to internet health,” said Boscovich.

“Although Rustock’s primary use appears to have been to send spam, it’s important to note that a large botnet can be used for almost any cybercrime a bot-herder can dream up,” he said. “Botnets are powerful and, with a simple command, can be switched from a spambot to a password thief or DDOS attacker.”

Legal and technical measures

Microsoft used legal and technical measures to cut Rustock off, shutting down the communication between the botnet’s command and control centre and the computers infected by it.

In order to claim control of Rustock’s servers, Microsoft argued to US courts that the as-yet-unknown operators of the botnet were infringing the software company’s trademark by using the Microsoft logo in spam it sent out.

“However, Rustock’s infrastructure was much more complicated than Waledac’s, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to-peer command and control servers to control the botnet,” said Boscovich.

“To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the US Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis,” he said, adding that servers were seized from five hosting providers in seven cities.

Microsoft warned malware criminals that it wasn’t finished with botnets: “We will continue to invest similar operations in the future as well in our mission to annihilate botnets and make the internet a safer place for everyone,” said Boscovich.

User comments

Good news - but there is more to do!

This is like intercepting tonnes of cocaine - it gets the symptom, not the cause. Next: go for those who profit from this spam.

By Dave2207 on 18 Mar 2011

@Dave2207

Sadly going for those who profit from the spam or drugs has been totally ineffective so far.

By tirons1 on 18 Mar 2011

http://www.ppshopping.us

good

By lili84 on 18 Mar 2011

I wish MS would go for the cause...

...the vulnerabilities and ease of use so loved by spambots on Windows PCs.

By SwissMac on 18 Mar 2011

And in first place after 5 seconds, Apple.

By chapelgarth on 18 Mar 2011

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
