Microsoft Takes Down Rustock Botnet - Removes 39% of Email Spam

     
12:19 am on Mar 19, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


How about some good news? The Microsoft Digital Crimes Unit has dismantled a huge and complex botnet called Rustock, an operation given the credit (or blame) for 39% of all email spam.

Writing on the TechNet blog, Richard Boscovich, Senior Attorney for the Microsoft Digital Crimes Unit, explained the complex of legal and technical action that led to this success.


To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis.

Specifically, servers were seized from five hosting providers operating in seven cities in the U.S., including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle, Columbus and, with help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it.

This case and this operation are ongoing and our investigators are now inspecting the evidence gathered from the seizures to learn what we can about the botnet's operations.

[blogs.technet.com...]
12:23 am on Mar 19, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


More detail offered by PC World

With the Rustock takedown -- the first of several that are now in the works -- the Internet community has polished a technique for getting rid of complex global networks of malicious computers, said Barry Greene, president of the Internet Software Consortium, makers of the BIND Domain Name System (DNS) software. It all started months ago, as a large group of Internet researchers observed Rustock and developed techniques to destroy it. Then a much smaller trusted group was deputized and given the job of managing the takedown with law enforcement...

Because infected Rustock machines have a Plan B to connect to their controllers on specific Internet domains when the regular command and control servers are taken offline, Microsoft also had to work with Chinese authorities to prevent Rustock's operators from setting up new domains.

[pcworld.com...]
12:54 am on Mar 19, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


The Mega-D botnet, famous for sending billions of spam emails promoting sexual performance remedies, along with the Srizbi and Rustock botnets was effectively turned off due to the closure of McColo.


There are several large botnets besides this one.
12:59 am on Mar 19, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


An Internet service provider associated with online crime and child #*$!ography briefly came back online over the weekend before being cut off again, according to security vendors.

McColo, whose servers are in San Jose, California, was cut off from the Internet last week by its upstream providers after an investigation by computer security analysts and the Washington Post.

But McColo came back online on Saturday after connecting with Swedish ISP (Internet service provider) TeliaSonera, which has a router in San Jose, according to Ross Thomas, writing on the blog for security vendor Sophos.

After complaints, TeliaSonera quickly moved to cut off McColo again, Thomas wrote. But the brief renewal in connectivity did allow cybercriminals running botnets out of McColo's networks to take steps to preserve their operations.
2:59 am on Mar 19, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


This is, to me, one of the most heartening accomplishments of recent times. The international community simply must bring some "law and order" to the web, or email spam will be the least of our problems.

And in this case, we have technical, academic and legal cooperation from many countries at work. It's a beginning and much praise goes to Microsoft for fighting the good fight. I want to work and live on a safer web than what we've had to date.
6:36 am on Mar 19, 2011 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2522
votes: 37


@tedster, what are the threats? By far the worst that I can think of are DDOS attacks which are not dependent on hosting.
11:35 am on Mar 19, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


Adsense users will be happy to know that this Botnet also did 'Click Fraud' on web advertisements; hopefully this will save them some money.

Here is the name of one of the companies raided by the FBI.

"Ecommerce Inc. of the Far West Side, named in Microsoft's suit that was unsealed late Thursday, was among the companies raided. Other cities involved included Chicago, Kansas City and Dallas."

[dispatch.com...]
4:27 pm on Mar 19, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


By far the worst that I can think of are DDOS attacks which are not dependent on hosting.

DDOS attacks need to be coordinated to switch the zombie computers from spam mode to DDOS attack mode - so some central location needs to communicate with the infected computers. That communication does require web hosting, yes, but it would also depend on IP addresses and domain names.

According to PCMag [pcmag.com] "If you read the court order you'll see appendices listing large numbers of domain names, IP addresses, and names of ISPs/hosting services."

The potential for extensive damage depends on what servers are placed under DDOS attack. Some would only mean that a favorite site is not available. But other servers could be much more important to international banking or law enforcement, for example.
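The point made above, that the bot herder has to reach the infected machines through domain names and IP addresses (the same things the court order's appendices list), has a direct defensive use: once the seized indicators are published, a network owner can search their own DNS resolver logs for hosts that were contacting them. The Python below is an added example for this thread, not code from Microsoft's operation or from any poster; the indicator values, the log line format and the log lines themselves are constructed for illustration, and the NXDOMAIN count is a generic heuristic for the kind of fallback-domain behaviour the PC World quote describes, not Rustock's actual mechanism.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for the domain and IP appendices of a takedown order.
# The domains use the reserved .test TLD and the network is TEST-NET-3, so
# nothing here points at a real host.
SEIZED_DOMAINS = {"c2-example-one.test", "c2-example-two.test"}
SEIZED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed (constructed) resolver log format: timestamp, client, query, answer.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    qname: str
    answer: str
    reason: str


def _domain_matches(qname, seized):
    """True if qname equals a seized domain or is a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in seized)


def _ip_matches(answer, networks):
    """True if the answer is an address inside a seized network range."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:  # NXDOMAIN, CNAME targets, garbage
        return False
    return any(ip in n for n in networks)


def find_c2_contacts(log_lines, seized_domains=SEIZED_DOMAINS,
                     seized_networks=SEIZED_NETWORKS):
    """Return one Hit per log line that resolved a seized domain or range."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not fatal
        d = m.groupdict()
        if _domain_matches(d["qname"], seized_domains):
            hits.append(Hit(**d, reason="seized domain"))
        elif _ip_matches(d["answer"], seized_networks):
            hits.append(Hit(**d, reason="seized address range"))
    return hits


def infected_hosts(hits):
    """Distinct internal clients that showed up in the hits."""
    return sorted({h.client for h in hits})


def nxdomain_heavy_clients(log_lines, threshold=3):
    """Clients with at least `threshold` NXDOMAIN answers: a crude signal for a
    bot cycling through fallback/generated domains after its servers vanish."""
    counts = {}
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and m.group("answer") == "NXDOMAIN":
            counts[m.group("client")] = counts.get(m.group("client"), 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


# Constructed sample log; addresses are from documentation ranges only.
SAMPLE_LOG = [
    "2011-03-19T00:10:01Z client=10.0.0.5 query=c2-example-one.test answer=203.0.113.10",
    "2011-03-19T00:10:02Z client=10.0.0.7 query=www.example.com answer=198.51.100.20",
    "2011-03-19T00:10:03Z client=10.0.0.9 query=update.c2-example-two.test answer=198.51.100.9",
    "2011-03-19T00:10:04Z client=10.0.0.5 query=mail.example.org answer=203.0.113.77",
    "2011-03-19T00:10:05Z client=10.0.0.11 query=kq8z1x.example.net answer=NXDOMAIN",
    "2011-03-19T00:10:06Z client=10.0.0.11 query=p0w3rt.example.net answer=NXDOMAIN",
    "2011-03-19T00:10:07Z client=10.0.0.11 query=zz91ab.example.net answer=NXDOMAIN",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = find_c2_contacts(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.client} -> {h.qname} ({h.answer}): {h.reason}")
    print("hosts to clean:", infected_hosts(found))
    print("NXDOMAIN-heavy clients:", nxdomain_heavy_clients(SAMPLE_LOG))
```

Matching on the resolved address as well as the query name matters because a bot that has the controller's IP hard-coded never queries the seized domain at all; the subdomain check catches the common trick of hiding controllers under hostnames of a listed domain. The NXDOMAIN count is only a lead to investigate, since a misconfigured mail server or a typo-prone user produces the same pattern.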
4:52 pm on Mar 19, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 13, 2004
posts:826
votes: 10


Windows PowerShell 2.0 and WinRM 2.0 for Windows Vista (KB968930)
More information:
[go.microsoft.com...]

This seems like an optional install to me, but MS keeps calling it an "important" update.

I wonder if this update might give MS some botnet detection capabilities? MS has been strongly suggesting this be installed for a few weeks now (some correlation?).

Just think it's likely Microsoft could shut down every windows PC on Earth. Now that's a botnet! What if Microsoft just up and closed down one day, HMMM.

But CHEERS MS for shutting down botnets!
5:50 pm on Mar 19, 2011 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 14, 2008
posts:2910
votes: 62


MS has been strongly suggesting this be installed for a few weeks now (some correlation?).

And you won't because they might be trying to trick you or something?

I don't 'get' windows users ... Just don't get em ... If I was a Windows user and worried about installing their updates for some reason I would switch to a different OS and if not, I would install the updates ... I really don't get what the deal is with Windows users and not wanting to install updates?

As if any update they want someone to install is going to be any more invasive than their system already is or will be built into the next computer someone buys. People buying Windows based computers without any question and then refusing to install the updates they create for them would seem like it could be more than a small part of the issue.

I wonder if it's possible to track back a spam email sent by a botnet to the infected computer doing the actual sending and sue the owner for irresponsibility if the computer remained infected because they refused to install the update(s) that would have fixed the issue?
12:15 am on Mar 21, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 16, 2003
posts:145
votes: 0


Spam has virtually disappeared from my email. What a relief!
8:42 am on Mar 22, 2011 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member piatkow is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 5, 2006
posts:3337
votes: 25


Still getting about one a day in my work quarantine and one every two days in personal accounts. That is a marked improvement and the type of content has changed. No more offers of enhancement for my "endowments" but still getting phishing messages. No doubt it will be back to normal in a couple of weeks.
8:22 pm on Mar 22, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 13, 2004
posts:826
votes: 10


And you won't because they might be trying to trick you or something?
TMS Wow! What a rant from a mistaken inference.
If I was a Windows user
Since you're not a Windows user: Microsoft rates their updates Critical, Important, Recommended, Optional, and in some cases even Risky (my term).
At the link I provided this particular update was tagged "Recommended" not "Important". So the Update team seems to have promoted this update to "Important", and to get back on topic, the timing is intriguing.

This is a remote administrator's and PowerShell remote management update, unlikely to be used on a Vista "Home" system, pretty much by definition. So the intrigue was: it's quite a coincidence. This is a big update, not likely to be needed by a home user, BUT, it certainly could be useful for detecting botnet activity, and perhaps even notify innocent users!

Regardless of OS, users update immediately, delay and check for problems and update, or simply don't update at all. Microsoft actually provides quite a choice and a chance to be thoughtful about the process. And in this case they were somewhat inconsistent in their terminology.

Finally, I can't wait till the iPhone botnet takes down the cell phone system with a Denial of Service attack.
Ah, can't happen.
4:32 am on Mar 27, 2011 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 14, 2008
posts:2910
votes: 62


Ah, I see bumski ... I may have been mistaken in your case, but there are soooo many times I can remember hearing people say, 'Oh, Windows wants me to install another update ... I'm going to wait.', It's not even funny, so it's been one of those 'rants in hiding' for a long time ... lol1

Sorry you got it, but I hear stuff like that from Windows users all too often it seems like and I keep thinking, 'If you don't like it, buy something different!', lol2.

Finally, I can't wait till the IPhone botnet takes down the cell phone system with a Denial of Service attack.

lol3 ... But that is a scary thought...