Lessons From the Rustock Takedown

By Gunter OllmannAs a follow-up to the Rustock botnet news, Microsoft have identified themselves as the key instigators of the takedown.
This is the second time Microsoft’s legal team has been actively
involved in combating the botnet menace – and they obviously learned
from their previous attempt at trying to takedown the Waledac botnet.

As a follow-up to the Rustock botnet news, Microsoft have identified themselves as the key instigators of the takedown.

This is the second time Microsoft’s legal team has been actively
involved in combating the botnet menace – and they obviously learned
from their previous attempt at trying to takedown the Waledac botnet.

The Wall Street Journal has some additional information about the Rustock takedown.

Having taken a closer look at the specifics of the Rustock botnet –
e.g. the CnC infrastructure, the criminals operating patterns, the DNS
structure and domain registrations, malware evolution and dissections,
etc. – it’s likely that this particular botnet has been beheaded and
unlikely that the botnet operators will be able to regain control
anytime soon (without exposing themselves).

Having said that though,
while the CnC infrastructure for this particular botnet is no longer in
the control of the criminals that developed the botnet, the criminals
that infected the victims, that distributed the malware, that issued the
remote commands, that monetized the spam delivery of the botnet, and
the folks that wanted the spam sent, are all out there – still plying
their trade and are unaffected. Hopefully, with confiscation of the
physical infrastructure components that served up the CnC’s, there’s
enough evidence to trace back the specific botnet operators – and I’m
sure that those criminals are feeling kind of nervous right about now.

On the aspect of the botnet beheading though –and the way in which it
was conducted – I thought it would be worth mentioning the following:

  1. The botnet victims are still out there. They remain infected –
    beaconing away, trying to locate their lost CnC servers for all to see.
    Someone still needs to help those folks out and secure those systems or
    else they’ll be victims of the next botnet that comes along.
  2. The criminals behind Rustock are only temporarily out of business.
    Sure, they lost some CnC servers and their existing botnet victims – but
    all the other components are still available to them to build and
    replace the botnet they lost. The malware they are using is still very
    successful at infecting their victims’ computers and the vectors they
    use for causing the installation of malware upon those victims hasn’t
    been touched. The Rustock botnet operators (like all professional botnet
    criminals) are adept at growing botnets – so the loss of their CnC
    servers is likely only a temporary setback in the path of rebuilding.
  3. If you read the Microsoft and Wall Street Journal stories of the
    physical takedown, you should probably note that the servers (and
    drives) hosting the CnC services were removed and are now being
    investigated. This could cause a problem from some organizations totally
    unaffiliated with the Rustock botnet. As with any Internet server
    hosting facility, most servers (or racks of servers) have many different
    companies being served from the same physical device. For those other
    companies unfortunately collocated on the same infrastructure – well, I
    guess they’re also temporarily out of business. I hope they secured any
    confidential data they may have had stored on those taken-away servers.
    It does beg the question as to whether Microsoft’s legal approach to
    botnet takedown poses a risk to legitimate businesses that get caught in
    the collateral damage. I’ve also got to wonder how things would be
    handled if the criminals CnC servers were hosted within some cloud
    providers infrastructure and whether the collateral damage would be much
    higher in the future – or whether different legal tactics need to be
    adopted in that case.

Gunter Ollmann is the vice president of research at Damballa.

Suggested articles

Discussion

  • Anonymous on

    "It does beg the question as to whether Microsoft’s legal approach to botnet takedown poses a risk to legitimate businesses that get caught in the collateral damage"

     

    Or perhaps, MS competitors information happened to be found on the co-lo drives...

  • Anonymous on

    Really good independant article on the Rustock takedown at LockBoxx:
    http://lockboxx.blogspot.com/2011/03/rustock-botnet.html

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.