Rustock take-down proves botnets can be crippled, says Microsoft
More than half of the PCs once infected with spamming malware now clean (see graphic, below)
Computerworld - Microsoft Tuesday said the coordinated take-down of the Rustock botnet and follow-up efforts had purged the malware from over half of the PCs once controlled by Russian hackers.
"This shows that disruptive action [against botnets] is viable and possible," said Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit.
"Once you start taking apart the infrastructure of botnets, you drive up the cost of [botnet gangs] doing business," Boscovich added in an interview Monday. "Disruptive action is just as good as trying to arrest someone."
Since March, when Microsoft lawyers and U.S. Marshals seized Rustock command-and-control (C&C) servers at five Web hosting providers in seven U.S. cities, the number of Windows PCs infected with the malware has dropped worldwide from 1.6 million to just over 700,000 as of June 18, Boscovich reported in a blog post today.
Microsoft also released a detailed report on Rustock, the take-down effort it led, and the impact of its anti-botnet campaign (download PDF).
In the U.S., an estimated 86,000 Rustock-infected PCs in March had been reduced to some 53,000 by June, a drop of 38%. Other countries saw even bigger reductions: In India, the March tally of 322,000 infected machines plummeted by 69% to approximately 99,000 in June.
The take-down itself didn't remove the Windows PCs from Rustock control. Instead, the seizure of the U.S.-based C&C servers, together with Microsoft's work to take control of the domains that Rustock was coded to use for fallback communications, prevented the botnet from updating itself.
That in turn gave antivirus vendors the breathing room they needed to issue signatures for the existing Rustock malware, and gave users the opportunity to scrub their systems with security software.
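The infection counts quoted above are the kind of measurement a defender can make once the fallback domains are under their control: every infected host that still phones home to a seized domain leaves a log entry on the sinkhole. The following Python is an added example, not code from the article or from Microsoft. It assumes a constructed log format of date, source IP, country code and requested domain, and it assumes (as an illustration of the method, not a statement about how Microsoft produced its figures) that the infected population is estimated by counting distinct source addresses per month.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_address

# Constructed sinkhole log: "<date> <source_ip> <country> <requested_domain>".
# Addresses come from the documentation ranges; the domains are placeholders.
SINKHOLE_LOG = """\
2011-03-18 203.0.113.10 IN fallback-a.example
2011-03-18 203.0.113.11 IN fallback-a.example
2011-03-19 203.0.113.10 IN fallback-b.example
2011-03-19 203.0.113.12 IN fallback-a.example
2011-03-18 198.51.100.5 US fallback-a.example
2011-03-20 198.51.100.6 US fallback-b.example
2011-06-17 203.0.113.10 IN fallback-a.example
2011-06-18 198.51.100.5 US fallback-a.example
"""


def parse_sinkhole_log(text):
    """Parse log lines into (date, ip, country, domain) tuples, skipping blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, country, domain = line.split()
        records.append((date.fromisoformat(day), ip_address(src), country, domain))
    return records


def unique_hosts_by_period(records, period_of):
    """Count distinct source IPs per (period, country).

    A host that calls the sinkhole several times in one period is counted once,
    so repeated check-ins by the same bot do not inflate the population estimate.
    """
    seen = defaultdict(set)
    for day, src, country, _domain in records:
        seen[(period_of(day), country)].add(src)
    return {key: len(ips) for key, ips in seen.items()}


def reduction_percent(before, after):
    """Percentage drop from 'before' to 'after', rounded to a whole number."""
    if before <= 0:
        raise ValueError("baseline population must be positive")
    return round(100 * (before - after) / before)


def takedown_impact(text, before_period, after_period):
    """Per-country (before, after, percent drop) between two (year, month) periods."""
    counts = unique_hosts_by_period(parse_sinkhole_log(text),
                                    lambda d: (d.year, d.month))
    countries = {country for (_period, country) in counts}
    result = {}
    for country in sorted(countries):
        before = counts.get((before_period, country), 0)
        after = counts.get((after_period, country), 0)
        result[country] = (before, after, reduction_percent(before, after))
    return result


if __name__ == "__main__":
    for country, (before, after, pct) in takedown_impact(
            SINKHOLE_LOG, (2011, 3), (2011, 6)).items():
        print(f"{country}: {before} -> {after} infected hosts ({pct}% drop)")
```

Applied to the article's own figures, `reduction_percent(322000, 99000)` gives 69 and `reduction_percent(86000, 53000)` gives 38, matching the percentages reported for India and the U.S. The main caveat for anyone reading such numbers is that distinct source addresses are only a proxy for infected machines: NAT hides many bots behind one address, while DHCP churn makes one bot appear as several, so sinkhole-based population estimates carry error bars in both directions.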
Microsoft, for instance, has provided Rustock signatures for its Malicious Software Removal Tool (MSRT), a free utility that detects and deletes malware, since 2008.
The take-down of Rustock's communications channels effectively silenced the botnet.
Since March, the botnet -- which was once one of the largest purveyors of spam, particularly pitches for fake drugs -- has been quiet. "Botnet activity dropped abruptly to almost zero in mid-March following the take-down," Microsoft said in its report.
Prior to the take-down, Rustock was capable of sending as many as 30 million spam messages daily.
"Cleaning the users' PCs is an important part, but really this shows that a technical countermeasure along with a legal countermeasure works," said Boscovich, talking about the two-pronged approach of seizing servers and shutting down Rustock's backup communications.
And the impact goes beyond Rustock.
"The minute you take down Rustock, what does that do to those who want to send spam?" Boscovich asked. "They have to find other botnets. But if you're a botnet herder, and you just saw Rustock go down -- with years of work coding and planting malware and maintaining the botnet -- you're going to charge more. And that's an impact on spammers' cost analysis, as it becomes more and more expensive to send out spam."