Aaron Wendel opened the doors of his business to some unexpected visitors on the morning of Mar. 16, 2011. The chief technology officer of Kansas City based hosting provider Wholesale Internet found that two U.S. marshals, a pair of computer forensics experts and a Microsoft lawyer had come calling, armed with papers allowing them to enter the facility and to commandeer computer hard drives and portions of the hosting firm’s network. Anyone attempting to interfere would be subject to arrest and prosecution.
Weeks earlier, Microsoft had convinced a federal judge (PDF) to let the software giant seize control of server hard drives and reroute Internet addresses as part of a carefully timed takedown of the Rustock botnet, which had long reigned as the world’s most active spam-spewing crime machine.
In tandem with the visit to Wholesale Internet, Microsoft employees and U.S. marshals were serving similar orders at several other hosting providers at locations around country. Microsoft’s plan of attack — which it spent about six months hatching with the help of a tightly knit group of industry and academic partners — was to stun the Rustock botnet, by disconnecting more than 100 control servers that the botnet was using to communicate with hundreds of thousands of infected Windows PCs.
Only two of the control servers were located outside the United States; the rest operated from hosting providers here in the US, many at relatively small ISPs in Middle America.
Microsoft was careful not to make any accusations that hosting providers were complicit in helping the Rustock botmasters; however, some of these control servers existed for more than a year, and most likely would have continued to operate undisturbed had Microsoft and others not intervened. Using data gathered by Milpitas, Calif. based security firm FireEye, which assisted Microsoft in the takedown, I was able to plot the location and lifetime of each control server (the map above is clickable and should let you drill down to the details of each control server; the raw data is here). The average life of each controller was 251 days — a little over eight months.
“To be perfectly honest with you, we never heard of Rustock until Wednesday,” Wendel said in a phone interview last Friday. Wendel also said he hadn’t heard anything about the problematic servers from either Spamhaus or Shadowserver, which allow ISPs and hosting providers to receive reports about apparent botnet control servers and bot infections on their networks. Both Shadowserver and Spamhaus dispute this claim, saying that while they certainly did not alert Wholesale to all of the problem Internet addresses that it may have had on its network, they filed several reports with the company over the past six months that should have given the company cause to take a closer look at its customers and systems.
PUSHING THE LEGAL ENVELOPE
This is not the first time Microsoft has used the courts to kneecap a major spam botnet. In February 2010, Microsoft convinced a court to give it ownership of 276 domain names that were being used to control the massive Waledac botnet.
But Microsoft was forced to go a slightly different legal route in this civil case, said Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit. Boscovich said the company gained authority for last week’s action by using a novel legal interpretation of The Lanham Act, federal statutes that prohibit trademark infringement, trademark dilution and false advertising.
For years, authorities and companies have used The Lanham Act to get permission to seize a range of counterfeit goods, such as knockoff designer handbags and pirated DVDs. In this case, Microsoft worked with pharmaceutical giant Pfizer, whose brand name blockbuster Viagra was among the trademarks most abused in the millions of spam emails being sent out daily by Rustock-infected PCs. According to a supporting document filed by Pfizer (PDF), company investigators followed the links in the junk e-mails, and purchased pills advertised as Viagra from the rogue online pharmacies linked in the messages.
Boscovich said that in addition to promoting rogue pharmacies, Rustock spam also was pimping lottery scams that abused Microsoft’s trademarks. Microsoft wanted to gather evidence of the spam “templates” (HTML content) the Rustock control servers were forwarding to infected machines for junk e-mail delivery.
“To do that we would potentially have to seize servers or hard drives, and my job as the lawyer on the team was to come up with some sort of legal strategy, because the legal remedy we’d used with Waledac didn’t give us the authority to seize” [physical property],” Boscovich told KrebsOnSecurity.com. “But the Lanham Act has a provision that allows you – under certain circumstances — to seize infringing items without notice, and then hold a hearing on the seizure several days later. So what I did was I used the analog in the cyber world, to get seizure warrants in all of the machines across the country that were [managing] the bots. And there we anticipated we would find templates on those drives with our trademarks and Pfizer’s would be present, and we would seize or copy those drives and that would be the evidence.”
But not everyone is comfortable with Microsoft or any other company pushing the envelope on civil statutes to seize digital equipment, particularly server hardware that may contain data that goes far beyond the scope of the alleged infringement used to justify the seizure order.
“When you treat hard drives as nothing more than a piece of equipment as opposed to a repository of information, some of which may be relevant to the case and some of which is not, you could run into a lot of trouble,” said Mark Rasch, a former computer crimes prosecutor for the U.S. Justice Department.
“We need to have a better, more efficient way of shutting down botnets in the US and internationally,” Rasch said. “I’d prefer that there was a separate remedy at our disposal that had privacy protections built-in.”
THE TAKEDOWN TOLL AND COMING CLEANUP EFFORT
According to the court order, Microsoft also won control over more than 1,500 domain names that Rustock-infected PCs could use to self-generate new control networks. Security experts believe Rustock has a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster(s) to regain control over the pool of still-infected PCs.
In addition, the takedown effort involved the purchase of an unspecified number of as-yet-unregistered domains that Rustock may seek in the days and weeks ahead. Boscovich declined to say how many of these resurrection domains the company had registered, or for how long into the future it had registered them. But he said Microsoft and its partners in the takedown were seeking help from domain registrars and registries to avoid purchasing more new domains, which he said can become “very expensive” even for a short duration.
The stun against Rustock appears to have worked according to plan, at least for now. A new report published by the Composite Block List (CBL), the anti-spam group that gathers data used by Spamhaus, shows that Rustock had been pushing spikes of spam that regularly account for 80% of all spam. The CBL said this happened almost every other day, with a gradual decline in spam volume over the rest of each day and sometimes into the next.
From the CBL report:
“At 14:45 GMT on March 16, Rustock appears to have been ‘caught’ just at the beginning of one of these spikes, and abruptly and precipitously fell to essentially zero output. The shape of the event is more dramatic than the Rustock ‘vacation‘ during late Dec 2010 and early Jan 2011, and if prolonged, will represent a more significant event than the McColo shutdown in November 2008.”
Microsoft now is turning its attention to cleaning up the substantial pool of Windows PCs that remain infected with Rustock. The company believes upwards of a million computers may still be compromised by Rustock, which the software giant said often comes steeped in a “devil’s brew” of between 16 and 20 other malicious programs.
“We feel confident working with our industry partners that the fallback mechanisms embedded in the malware won’t succeed” [in resurrecting the botnet],” Boscovich said. “Now, our long term objective is to notify ISPs and get them to help clean the infected systems — not only of Rustock but a host of other bad things on them.”
Microsoft said that at the time of the Waledac takedown in February 2010, it observed approximately 70,000 to 80,000 infected IP addresses. “Thanks to clean-up efforts by the industry and customers, aided by natural decay, we are currently seeing just over 22,000 Waledac infected IP addresses, and we expect that number to continue to decline,” the company said in an e-mailed statement.
That cleanup effort could take a long time, even if Rustock does remain inactive. Unfortunately, even if this effort succeeds, there is no guarantee that other botnets won’t arise to fill the gap. Spamming is so profitable that other malefactors will soon jump in. No one has yet devised a long-term, fail-safe solution to the problem.
Read more about the impact of the Rustock botnet takedown:
FireEye: An Overview of Rustock
Symantec: Has the Rustock Botnet Ceased Spamming?
Trend Micro: The Final Nail on Rustock’s Coffin, or Is It?