In March, Microsoft announced that its Digital Crimes Unit had scored a major victory in the war against hackers with the takedown of the Rustock botnet. Since then, the company has continued to monitor the activity of the network and the machines infected with the Rustock-related malware and found that the botnet is now less than half the size that it was before the takedown.
The Rustock botnet was a huge player in the global spam and cybercrime machine, and researchers reported a precipitous drop in spam levels after the takedown. That drop was temporary, but the more lasting effect of the Rustock takedown was the disinfection of a huge number of the PCs that previously had been part of the botnet.
In the three months following the takedown, Microsoft officials found that the number of unique machines connecting to the control server for Rustock that the company has sinkholed dropped by more than 56 percent. India still has the highest number of infected PCs, and the United States moved up from number four on that list in March to number two in June.
“In short, since the time of the initial takedown, we estimate the Rustock botnet is now less than half the size it was when we took it down in March. That’s great news and the infection reduction has happened much more quickly than it did for Waledac over a similar period of time last year, but we still have a long way to go,” Richard Boscovich of the Microsoft Digital Crimes Unit said in a blog post about the Rustock takedown.
“The good news is that we are making progress. The tech industry, policy makers and consumer advocacy groups have helped curb cyber threats through the development of safer products and by increasing public awareness of cybercrime. As we continue our efforts to fight cybercrime, one thing is clear: these threats cannot be tackled alone. It was through the combined effort of Microsoft, the judicial system and the industry that Rustock was successfully taken down.”
Although there has been a huge reduction in the number of active infected PCs trying to contact the Rustock command-and-control servers that Microsoft controls, it’s interesting to note that there are still several hundred thousand unique IP addresses that are compromised by the malware and trying to phone home for instructions. That’s a big user population that hasn’t figured out that their machines are infected.
Microsoft has released a special version of its Security Intelligence Report that covers the Rustock activity since the takedown in March.