Microsoft Digital Crimes Unit had earlier taken down the botnet “Waledac” in an operation known as “Operation b49”. Now, today, the DCU in cooperation with Pfizer, FireEye, and the University of Washington, have successfully taken down another larger, more notorious and complex botnet known as “Rustock.”
Rustock has been reported to be among the world’s largest spambots, at times capable of sending 30 billion spam e-mails per day. DCU researchers watched a single Rustock-infected computer send 7,500 spam emails in just 45 minutes — a rate of 240,000 spam mails per day. Moreover, much of the spam observed coming from Rustock posed a danger to public health, advertising counterfeit or unapproved knock-off versions of pharmaceuticals.
Rustock propagated a market for these fake drugs, drug-maker Pfizer served as a declarant in this case. Pfizer’s declaration provides evidence that the kind of drugs advertised through this kind of spam can often contain wrong active ingredients, incorrect dosages or worse, due to the unsafe conditions fake pharmaceuticals are often produced in. Fake drugs are often contaminated with substances including pesticides, lead-based highway paint and floor wax, just to name a few examples.
Rustock’s infrastructure was much more complicated than Waledac’s, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to peer command and control servers to control the botnet.
Rustock was taken down, piece by piece, in a similar way to the Mega-D botnet. First the master controllers, the machines that send out commands to enslaved zombies, were identified. Microsoft quickly seized some of these machines located in the U.S. for further analysis, and worked with police in the Netherlands to disable some of the command structure outside of the U.S.
With the immediate threat disabled, Microsoft then worked with upstream providers to black hole the IP addresses of whoever was controlling the botnet. To prevent further master controllers popping up, Microsoft worked with Chinese CN-CERT to block registration of domains that could be used by new command and control servers.
Finally, Microsoft’s now working with ISPs and CERTs around the world to help clean the Rustock malware from around 1 million infected machines.