Subsequent articles published after my blog post caused me to revise the original article. Information provided by Microsoft’s EMEA Director Digital Crimes Unit, Jean-Christophe le Toquin, brought me up to speed.
In a coordinated action Microsoft, armed with a bunch of court orders, took down the command and control servers of Rustock, according to Symantec the number 1 botnet. This botnet consisted of roughly one million infected computers belonging to unknowing end users and could send up to billions of spam messages a day. A major victory for anti-spam fighters, I’d say, but what makes this story extra interesting?
A private action
What is fascinating about this story is that it was a private company that did the investigation, got the court orders it needed, took its digital investigators to the companies hosting the command and control servers of the botnet, and seized and copied the servers. Microsoft only needed the assistance of law officers, notably the U.S. Marshals Service, to enforce the court order and to preserve the safety of all people on site.
Is this, after the private takedown of McColo in 2008, a sign that private companies are better equipped to take on major spam rings than government agencies? A fascinating question that I do not have the answer to at this moment, but I would not be surprised if Microsoft has more resources than e.g. the FBI. Coupled with the wish to make a difference in this field, Microsoft puts considerable resources into fighting spam and crime on the Internet. Why? The use of Hotmail for criminal intent and the abuse of and through Microsoft’s software hurt the reputation of the company. That said, I would not be surprised if you’d find very motivated people at Microsoft. I have the honour to have met a few and congratulate them on their success!
Disinfect the end users’ computers
Microsoft says it will not stop here. The estimation is that the Rustock virus is on 1 million infected computers worldwide. The aim is to get all these computers disinfected, thus taking away control of the zombie network for good.
Dutch High Tech Crime Unit participation
In the Netherlands, servers were also taken down at the request of the US. Here’s the story on that. Most likely other countries have been involved as well.
Any cyber criminals caught?
No. One reason is that Microsoft cannot do this as a private company; this is part of a civil court case. The other is that botnets are covert operations by criminals, who hide themselves well. Hopefully the data copied from the command and control servers will provide details on the botnet herder who controls and rents out the network, and on the people who rented the botnet from the herder. That way not only is the network down, as the botherder can no longer command the infected computers, but the criminals also stand to lose their revenue and their freedom.
On the Internet you can actually find the name of the man who is alleged to be the owner of Rustock, but proving that from the U.S. may be quite a different affair.
If those involved are found, at minimum a court case from Microsoft and Pfizer awaits them. The latter company is involved because the spammers used Pfizer’s trademarks in their spamvertisements for (I suppose fake) Viagra, Cialis, etc. This part of the news seems to suggest that Pfizer may have actively supported Microsoft’s actions in the background. (See below.)
Lessons to learn
I see three quick ones.
1. Microsoft’s action taught botnet herders and their customers that they are not invincible.
2. We see another example of how the boundary between public and private tasks, and the cooperation between them, blurs in the 21st century.
3. Botnet mitigation works. Governments should facilitate it more proactively.
Congratulations to Microsoft for this successful action. Here’s a link to the Wall Street Journal article (with the mistaken reference to FBI involvement).
Wout de Natris, De Natris Consult
Leiderdorp, 21 March 2011
P.S. Here’s a link to an item in which Pfizer’s role is more pronounced. (WdN, 19-3-11)
P.S. 2 Here’s Brian Krebs on the Rustock takedown