U.S. hosting firms accounted for the bulk of the command and control centers for the Rustock botnet, with many firms claiming that they had no idea they were harboring an illegal criminal network on their infrastructure, according to a story in Krebsonsecurity.com.
Threatpost reported last week that the vast majority of Rustock’s 100-plus command and control servers were based out of legitimate data centers in the U.S. In a blog post Monday, Krebs provides a boots-on-the-ground account of the raid on Wholesale Internet, a U.S. hosting company that unwittingly ran Rustock command and control servers. The account suggests that Microsoft Corp. was the tip of the spear in the law enforcement action, sending attorneys in the company of cyber forensics experts and U.S. and international law enforcement agencies to take down the Rustock botnet command and control servers last week.
Microsoft employees and U.S. Marshals were serving the same court orders to other hosting servers in Denver, Seattle, Scranton, Pa., and Dallas on the same day.
It is the second major botnet takedown orchestrated by the Redmond, Washington, software giant, which took down the Waledac botnet in a similar operation last year.
Microsoft is being careful not to implicate the raided hosting firms in Rustock’s spamming operation, according to Krebs’s report. Wholesale Internet’s CTO, Aaron Wendel, claimed that before the raid, he had never even heard of Rustock or been made aware of the problematic servers.
However, two anti-botnet organizations dispute those claims. Spamhaus, which was among the first to report the takedown, and Shadowserver say they filed several reports with Wholesale Internet that should have, at the very least, prompted the company to take a closer look at its network.
Joint public-private partnerships have proven to be a powerful tool in shutting down botnets and other cross-border cyber criminal operations. However, such actions also raise uncomfortable questions about the legal precedents that are being established.
Mark Rasch, a former computer crimes prosecutor with the U.S. Department of Justice, addressed these concerns, telling Krebs the following: “We need to have a better, more efficient way of shutting down botnets in the US and internationally, I’d prefer that there was a separate remedy at our disposal that had privacy protections built-in.”
Threatpost contributor Gunter Ollmann has also noted that the coordinated takedowns of command and control servers might staunch the flow of spam, but they leave the problem of infected machines unaddressed. Microsoft says that it isn’t worried that Rustock will be resurrected after the takedown.
“We feel confident working with our industry partners that the fallback mechanisms embedded in the malware won’t succeed” [in resurrecting the botnet], Richard Boscovich, a senior Microsoft lawyer, told Krebs. “Now, our long term objective is to notify ISPs and get them to help clean the infected systems — not only of Rustock but a host of other bad things on them.”