homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque & physics

Webmaster General Forum

Microsoft Takes Down Rustock Botnet - Removes 39% of Email Spam

 12:19 am on Mar 19, 2011 (gmt 0)

How about some good news? The Microsoft Digital Crimes Unit has dismantled a huge and complex botnet called Rustock, an operation given the credit (or blame) for 39% of all email spam.

Writing on the TechNet blog, Richard Boscovich, Senior Attorney for the Microsoft Digital Crimes Unit explained the complex of legal and technical action that lead to this success.

To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis.

Specifically, servers were seized from five hosting providers operating in seven cities in the U.S., including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle, Columbus and, with help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it.

This case and this operation are ongoing and our investigators are now inspecting the evidence gathered from the seizures to learn what we can about the botnetís operations.




 12:23 am on Mar 19, 2011 (gmt 0)

More detail offered by PC World

With the Rustock takedown -- the first of several that are now in the works -- the Internet community has polished a technique for getting rid of complex global networks of malicious computers, said Barry Greene, president of the Internet Software Consortium, makers of the BIND Domain Name System (DNS) software. It all started months ago, as a large group of Internet researchers observed Rustock and developed techniques to destroy it. Then a much smaller trusted group was deputized and given the job of managing the takedown with law enforcement...

Because infected Rustock machines have a Plan B to connect to their controllers on specific Internet domains when the regular command and control servers are taken offline, Microsoft also had to work with Chinese authorities to prevent Rustock's operators from setting up new domains.



 12:54 am on Mar 19, 2011 (gmt 0)

The Mega-D botnet, famous for sending billions of spam emails promoting sexual performance remedies, along with the Srizbi and Rustock botnets was effectively turned off due to the closure of McColo.

There are several large Botnet's besides this one.


 12:59 am on Mar 19, 2011 (gmt 0)

An Internet service provider associated with online crime and child #*$!ography briefly came back online over the weekend before being cut off again, according to security vendors.

McColo, whose servers are in San Jose, California, was cut off from the Internet last week by its upstream providers after an investigation by computer security analysts and the Washington Post.

But McColo came back online on Saturday after connecting with Swedish ISP (Internet service provider) TeliaSonera, which has a router in San Jose, according to Ross Thomas, writing on the blog for security vendor Sophos.

After complaints, TeliaSonera quickly moved to cut off McColo again, Thomas wrote. But the brief renewal in connectivity did allow cybercriminals running botnets out of McColo's networks to take steps to preserve their operations.


 2:59 am on Mar 19, 2011 (gmt 0)

This is, to me, one of the most heartening accomplishments of recent times. The international community simply must bring some "law and order" to the web, or email spam will be the least of our problems.

And in this case, we have technical, academic and legal cooperation from many countries at work. It's a beginning and much praise goes to Microsoft for fighting the good fight. I want to work and live on a safer web than what we've had to date.


 6:36 am on Mar 19, 2011 (gmt 0)

@tedster, what are the threats? By far the worst that I can think of are DDOS attacks which are not dependent on hosting.


 11:35 am on Mar 19, 2011 (gmt 0)

Adsense users will be happy to know that this Botnet also did 'Click Fraud' on web advertisements; hopefully this will save them some money.

Here is the name of one of the companies raided by the FBI.

"Ecommerce Inc. of the Far West Side, named in Microsoft's suit that was unsealed late Thursday, was among the companies raided. Other cities involved included Chicago, Kansas City and Dallas."



 4:27 pm on Mar 19, 2011 (gmt 0)

By far the worst that I can think of are DDOS attacks which are not dependent on hosting.

DDOS attacks need to be coordinated to switch the zombie computers from spam mode to DDOS attack mode - so some central location needs to communicate with the infected computers. That communication does require web hosting, yes, but it would also depend on IP addresses and domain names.

According to PCMag [pcmag.com] "If you read the court order you'll see appendices listing large numbers of domain names, IP addresses, and names of ISPs/hosting services."

The potential for extensive damage depends on what servers are placed under DDOS attack. Some would only mean that a favorite site is not available. But other servers could be much more important to international banking or law enforcement, for example.


 4:52 pm on Mar 19, 2011 (gmt 0)

Windows PowerShell 2.0 and WinRM 2.0 for Windows Vista (KB968930)
More information:

This seems like an optional install to me, but MS keeps calling it an "important" update.

I wonder if this update might give MS some botnet detection capabilities? MS has been strongly suggesting this be installed for a few weeks now (some correlation?).

Just think it's likely Microsoft could shut down every windows PC on Earth. Now that's a botnet! What if Microsoft just up and closed down one day, HMMM.

But CHEERS MS for shutting down botnets!


 5:50 pm on Mar 19, 2011 (gmt 0)

MS has been strongly suggesting this be installed for a few weeks now (some correlation?).

And you won't because they might be trying to trick you or something?

I don't 'get' windows users ... Just don't get em ... If I was a Windows user and worried about installing their updates for some reason I would switch to a different OS and if not, I would install the updates ... I really don't get what the deal is with Windows users and not wanting to install updates?

As if any update they want someone to install is going to be any more invasive than their system already is or will be built into the next computer someone buys. People buying Windows based computers without any question and then refusing to install the updates they create for them would seem like it could be more than a small part of the issue.

I wonder if it's possible to track back a spam email sent by a botnet to the infected computer doing the actual sending and sue the owner for irresponsibility if the computer remained infected because they refused to install the update(s) that would have fixed the issue?


 12:15 am on Mar 21, 2011 (gmt 0)

Spam has virtually dispappeared from my email. What a relief!


 8:42 am on Mar 22, 2011 (gmt 0)

Still getting about one a day in my work quarentine and one every two days in personal accounts. That is a marked improvement and the type of content has changed. No more offers of enhancement for my "endowments" but still getting phishing messages. No doubt it will be back to normal in a couple of weeks.


 8:22 pm on Mar 22, 2011 (gmt 0)

And you won't because they might be trying to trick you or something?
TMS Wow! What a rant from a mistaken inference.
If I was a Windows user
Since you're not a windows user; Microsoft rates their updates; Critical, Important, Recommended, Optional, and in some cases even Risky (My Term).
At the link I provided this particular update was tagged "Recommended" not "Important". So the Update team seems to have promoted this update to "Important", and to get back on topic, the timing is intriguing.

This is a remote administrator's and Powershell remote management update, unlikely to be used on a Vista "Home" system, pretty much by definition. So the intrigue was; it's quite a coincidence. This is a big update, not likely to be needed by a home user, BUT, it certainly could be useful for detecting botnet activity, and perhaps even notify innocent users!

Regardless of OS, users update immediately, delay and check for problems and update, or simply don't update at all. Microsoft actually provides quite a choice and a chance to be thoughtful about the process. And in this case they were somewhat inconsistent in their terminology.

Finally, I can't wait till the IPhone botnet takes down the cell phone system with a Denial of Service attack.
Ah, can't happen.


 4:32 am on Mar 27, 2011 (gmt 0)

Ah, I see bumski ... I may have been mistaken in your case, but there are soooo many times I can remember hearing people say, 'Oh, Windows wants me to install another update ... I'm going to wait.', It's not even funny, so it's been one of those 'rants in hiding' for a long time ... lol1

Sorry you got it, but I hear stuff like that from Windows users all too often it seems like and I keep thinking, 'If you don't like it, buy something different!', lol2.

Finally, I can't wait till the IPhone botnet takes down the cell phone system with a Denial of Service attack.

lol3 ... But that is a scary thought...

Global Options:
 top home search open messages active posts  

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved