Lessons From the Rustock Takedown
By Gunter Ollmann
As a follow-up to the Rustock botnet news, Microsoft have identified themselves as the key instigators of the takedown.
This is the second time Microsoft's legal team has been actively involved in combating the botnet menace, and they obviously learned from their previous attempt to take down the Waledac botnet.
The Wall Street Journal has some additional information about the Rustock takedown.
Having taken a closer look at the specifics of the Rustock botnet – e.g. the CnC infrastructure, the criminals' operating patterns, the DNS structure and domain registrations, malware evolution and dissections, etc. – it's likely that this particular botnet has been beheaded and unlikely that the botnet operators will be able to regain control anytime soon (without exposing themselves).
Having said that, while the CnC infrastructure for this particular botnet is no longer in the control of the criminals that developed the botnet, everyone else in the chain is still out there, plying their trade and unaffected: the criminals that infected the victims, the ones that distributed the malware, the ones that issued the remote commands, the ones that monetized the botnet's spam delivery, and the folks that wanted the spam sent in the first place. Hopefully, with the confiscation of the physical infrastructure components that served up the CnCs, there's enough evidence to trace back the specific botnet operators – and I'm sure that those criminals are feeling kind of nervous right about now.
On the aspect of the botnet beheading though – and the way in which it was conducted – I thought it would be worth mentioning the following:
- The botnet victims are still out there. They remain infected – beaconing away, trying to locate their lost CnC servers for all to see. Someone still needs to help those folks out and secure those systems or else they’ll be victims of the next botnet that comes along.
- The criminals behind Rustock are only temporarily out of business. Sure, they lost some CnC servers and their existing botnet victims – but all the other components are still available to them to build and replace the botnet they lost. The malware they are using is still very successful at infecting their victims' computers, and the vectors they use to get that malware installed on those victims haven't been touched. The Rustock botnet operators (like all professional botnet criminals) are adept at growing botnets – so the loss of their CnC servers is likely only a temporary setback on the path to rebuilding.
- If you read the Microsoft and Wall Street Journal stories of the physical takedown, you should probably note that the servers (and drives) hosting the CnC services were removed and are now being investigated. This could cause a problem for some organizations totally unaffiliated with the Rustock botnet. As with any Internet server hosting facility, most servers (or racks of servers) have many different companies being served from the same physical device. For those other companies unfortunately colocated on the same infrastructure – well, I guess they're also temporarily out of business. I hope they secured any confidential data they may have had stored on those taken-away servers. It does beg the question as to whether Microsoft's legal approach to botnet takedown poses a risk to legitimate businesses that get caught in the collateral damage. I've also got to wonder how things would be handled if the criminals' CnC servers were hosted within some cloud provider's infrastructure, whether the collateral damage would be much higher in the future, and whether different legal tactics need to be adopted in that case.
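The first point above has a practical side for defenders: an orphaned bot keeps calling home on a timer to a CnC that no longer answers, and that regularity is visible in ordinary connection logs. The script below is an added example, not code from the original article and not tied to any Rustock indicator; it runs over a constructed log in a hypothetical five-column format (timestamp, source, destination, port, result) and flags source hosts whose attempts to one destination all fail and are evenly spaced, which is what a beaconing implant looks like and a human browsing session does not.

```python
"""Flag internal hosts that keep beaconing, at regular intervals, to a
destination that never answers: the pattern an orphaned bot shows once
its CnC has been seized. Added example with constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log in a hypothetical format:
#   <ISO timestamp> <src> <dst> <dport> <result>
# Addresses are from the RFC 5737 documentation ranges, not real CnCs.
SAMPLE_LOG = """\
2011-03-17T10:00:00 10.0.0.5 192.0.2.10 80 timeout
2011-03-17T10:00:01 10.0.0.7 198.51.100.20 443 ok
2011-03-17T10:00:00 10.0.0.11 192.0.2.30 25 timeout
2011-03-17T10:00:05 10.0.0.11 192.0.2.30 25 timeout
2011-03-17T10:03:00 10.0.0.9 203.0.113.5 80 ok
2011-03-17T10:05:00 10.0.0.5 192.0.2.10 80 timeout
2011-03-17T10:07:00 10.0.0.11 192.0.2.30 25 timeout
2011-03-17T10:10:01 10.0.0.5 192.0.2.10 80 timeout
2011-03-17T10:12:30 10.0.0.7 198.51.100.20 443 ok
2011-03-17T10:15:00 10.0.0.5 192.0.2.10 80 timeout
2011-03-17T10:20:00 10.0.0.5 192.0.2.10 80 timeout
2011-03-17T10:30:00 10.0.0.11 192.0.2.30 25 timeout
2011-03-17T10:31:00 10.0.0.9 203.0.113.5 80 ok
2011-03-17T10:33:00 10.0.0.9 203.0.113.5 80 timeout
"""


def parse(log):
    """Yield (timestamp, src, dst, port, result) tuples from the log text."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, result = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), result


def find_orphaned_beacons(log, min_attempts=4, max_jitter=0.2):
    """Return {(src, dst, port): period_seconds} for flows where no attempt
    ever succeeded and the failed attempts are regularly spaced.

    max_jitter is the allowed ratio of the standard deviation of the gaps
    between attempts to their mean gap; a timer-driven implant stays well
    below it, irregular human or retry traffic does not."""
    attempts = defaultdict(list)
    answered = set()
    for ts, src, dst, port, result in parse(log):
        key = (src, dst, port)
        if result == "ok":
            answered.add(key)  # destination is alive; not an orphaned CnC
        else:
            attempts[key].append(ts)

    flagged = {}
    for key, times in attempts.items():
        if key in answered or len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            flagged[key] = period
    return flagged


if __name__ == "__main__":
    for (src, dst, port), period in find_orphaned_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} every ~{period:.0f}s, never answered")
```

In the sample, 10.0.0.5 retries 192.0.2.10:80 every five minutes and is flagged; 10.0.0.11 also never gets an answer from 192.0.2.30 but its attempts are irregular, so the jitter check drops it, and 10.0.0.9 is ignored because its destination answered at least once. Tune `min_attempts` and `max_jitter` to the log volume you have; the point is to surface the hosts that still need cleaning up after a takedown, not to name a particular botnet.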
Gunter Ollmann is the vice president of research at Damballa.
Comments
"It does beg the question as to whether Microsoft’s legal approach to botnet takedown poses a risk to legitimate businesses that get caught in the collateral damage"
Or perhaps, MS competitors information happened to be found on the co-lo drives...
Really good independent article on the Rustock takedown at LockBoxx:
http://lockboxx.blogspot.com/2011/03/rustock-botnet.html