After successfully taking down the Rustock botnet on March 16th, Microsoft has continued to analyze the threat, investigate leads on the operations and owners of the botnet, and work with Community Emergency Response Teams (CERTs) and Internet Service Providers (ISPs) worldwide to help the legitimate owners of Rustock-infected computers clean their machines of malware.
Today, the Microsoft Digital Crimes Unit (DCU), the MMPC and Trustworthy Computing released a new Special Edition Security Intelligence Report (SIR) entitled "Battling the Rustock Threat," Richard Boscovich, Senior Attorney, Microsoft Digital Crimes Unit, announced over at the Microsoft blog.
"This report gives an overview of the Win32/Rustock family of rootkit-enabled backdoor trojans, its functionality and how it works. It also shows the direct impact of the takedown operation. The SIR also verifies something we have long believed: that Rustock-infected computers are also very likely to be infected with other malware. For example, DCU and MMPC conducted an experiment in which they infected a computer with Win32/Harnig, which is known to infect a computer with Rustock, in order to see what additional malware was installed. Within five minutes of installation, a wide variety of additional malware and potentially unwanted software had been downloaded and installed onto the infected computer - and many of these threats are themselves designed to eventually download even more malware. The SIR also has details about how we defeated Rustock in the courts, providing lots of previously undisclosed details from the legal and enforcement sides of the operation," Boscovich noted.
Here's the Worldwide Rustock reduction rate (by observed known IP address infections):
The complete report is embedded below for online reading; for an offline version, you can download it using the link under this post:
The video embedded below shows what the footprint looks like in real time for both Rustock and Waledac, the two botnets taken down and controlled by Microsoft to date. "This video is a demo feed captured from 1:25 PM PDT (7/1/2011 8:25 PM UTC) on Friday, July 1 of real-time monitoring of the Rustock and Waledac botnets," said Boscovich.
"The dots in the video represent attempted check-ins into the Rustock and Waledac botnets now controlled by Microsoft from malware-infected computers across the globe, second by second, for just those few minutes alone. Black and yellow represent Rustock, blue represents Waledac, and red represents multiple infections. Obviously, these check-ins vary every moment as infected computers are turned on, turned off, disconnected, cleaned or replaced all around the world at any given moment in time. However, this gives you a sense of the scope and footprint of these known botnets across the globe, even today," Boscovich added.
You can download the Battling the Rustock Threat report here.
[Source: Microsoft Blog]