As a follow-up to the Rustock botnet news, Microsoft has identified itself as the key instigator of the takedown.
This is the second time Microsoft's legal team has been actively involved in combating the botnet menace, and they have clearly learned from their previous attempt to take down the Waledac botnet.
The Wall Street Journal has some additional information about the Rustock takedown.
Having taken a closer look at the specifics of the Rustock botnet (the CnC infrastructure, the criminals' operating patterns, the DNS structure and domain registrations, the malware's evolution and dissections, etc.), it is likely that this particular botnet has been beheaded and unlikely that its operators will be able to regain control any time soon without exposing themselves.
That said, while the CnC infrastructure for this particular botnet is no longer under the control of the criminals who developed it, the criminals who infected the victims, distributed the malware, issued the remote commands and monetized the botnet's spam delivery, and the people who wanted the spam sent in the first place, are all still out there, plying their trade and unaffected. Hopefully the confiscation of the physical infrastructure that served up the CnCs yields enough evidence to trace the specific botnet operators; I'm sure those criminals are feeling nervous right about now.
On the aspect of the botnet beheading though –and the way in which it
was conducted – I thought it would be worth mentioning the following:
- The botnet victims are still out there. They remain infected, beaconing away and trying to locate their lost CnC servers for all to see. Someone still needs to help those folks out and secure those systems, or they will be victims of the next botnet that comes along.
- The criminals behind Rustock are only temporarily out of business. Sure, they lost some CnC servers and their existing botnet victims, but all the other components are still available to them to build a replacement for the botnet they lost. The malware they use is still very successful at infecting victims' computers, and the vectors they use to get that malware installed on those victims haven't been touched. The Rustock operators (like all professional botnet criminals) are adept at growing botnets, so the loss of their CnC servers is likely only a temporary setback on the path to rebuilding.
- If you read the Microsoft and Wall Street Journal stories of the physical takedown, note that the servers (and drives) hosting the CnC services were removed and are now being investigated. This could cause a problem for organizations totally unaffiliated with the Rustock botnet. As with any Internet hosting facility, most servers (or racks of servers) serve many different companies from the same physical device. For those other companies unfortunately colocated on the same infrastructure, well, I guess they're also temporarily out of business. I hope they secured any confidential data they had stored on those seized servers.
This raises the question of whether Microsoft's legal approach to botnet takedown poses a risk to legitimate businesses caught in the collateral damage. I also have to wonder how things would be handled if the criminals' CnC servers were hosted within some cloud provider's infrastructure, whether the collateral damage would be much higher in that case, and whether different legal tactics would need to be adopted.
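The first point above, that infected hosts keep beaconing to CnC names that no longer answer, is something a network defender can turn into a detection. The following Python is an added example written for this page, not code from the original post or from Damballa: it scans constructed DNS query log lines for internal hosts that repeatedly look up names on a list of seized CnC domains and checks whether the attempts are periodic. The log format, the host addresses and the `*.example.invalid` domain names are all hypothetical. Because seized names are often sinkholed after a takedown and then resolve normally, the check keys on the queried name rather than on the response code.

```python
"""Flag internal hosts that keep beaconing to seized CnC domain names.

Added example for this page; not code from the original post.
Every host, domain and timestamp below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed DNS resolver log: "<timestamp> <client ip> query <qname> <rcode>".
# 10.0.5.23 polls a dead CnC name every ~5 minutes; 10.0.5.40 is mostly clean.
SAMPLE_DNS_LOG = """\
2011-03-18T09:00:01 10.0.5.23 query cnc-a.example.invalid NXDOMAIN
2011-03-18T09:00:04 10.0.5.40 query www.example.com NOERROR
2011-03-18T09:05:02 10.0.5.23 query cnc-a.example.invalid NXDOMAIN
2011-03-18T09:10:01 10.0.5.23 query cnc-a.example.invalid NXDOMAIN
2011-03-18T09:15:03 10.0.5.23 query cnc-a.example.invalid NXDOMAIN
2011-03-18T09:16:00 10.0.5.40 query cnc-b.example.invalid NXDOMAIN
2011-03-18T09:20:00 10.0.5.23 query cnc-b.example.invalid NXDOMAIN
"""

# Hypothetical list of CnC names known to have been seized or sinkholed.
SEIZED_CNC_DOMAINS = {"cnc-a.example.invalid", "cnc-b.example.invalid"}

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, src, qname, rcode = m.groups()
        yield datetime.fromisoformat(ts), src, qname.lower().rstrip("."), rcode


def find_orphaned_bots(log_text, seized, min_attempts=3, max_jitter=0.25):
    """Return hosts that repeatedly query seized CnC names.

    A host is reported once it has queried the same seized name at least
    min_attempts times. The response code is deliberately ignored: a sinkholed
    name answers NOERROR, yet the query is still evidence of infection.
    'periodic' is True when every gap between attempts lies within
    max_jitter of the median gap, the signature of a timer-driven beacon.
    """
    attempts = defaultdict(list)  # (client, qname) -> [timestamps]
    for ts, src, qname, _rcode in parse_dns_log(log_text):
        if qname in seized:
            attempts[(src, qname)].append(ts)

    findings = []
    for (src, qname), stamps in attempts.items():
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else 0.0
        periodic = med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps)
        findings.append({
            "host": src,
            "domain": qname,
            "attempts": len(stamps),
            "median_interval_s": med,
            "periodic": periodic,
        })
    # Noisiest beacons first so an analyst sees the most active bot at the top.
    return sorted(findings, key=lambda f: (-f["attempts"], f["host"]))


if __name__ == "__main__":
    for f in find_orphaned_bots(SAMPLE_DNS_LOG, SEIZED_CNC_DOMAINS):
        print(f)
```

Lowering `min_attempts` widens the net at the cost of false positives; a single lookup of a seized name may be a researcher or a stale bookmark, whereas a periodic series of them is a bot whose operator can no longer reach it.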
Gunter Ollmann is the vice president of research at Damballa.