Just over one year ago, Microsoft- with industry and academic partners- utilized a novel combination of legal and technical actions to take control of the Win32/Waledac botnet as the first action in Project MARS (Microsoft Active Response for Security). Today, a similar action has had its legal seal opened allowing us to talk more openly about recent activities against the Win32/Rustock botnet.
Comparatively, Waledac was a much simpler- and smaller- botnet than Rustock. It is, however, because of legal and technical lessons learned in that set of actions that we were able to take on the much larger challenge of Rustock- a botnet with an estimated infection count above one million computers and capable of sending billions of spam messages per day. Some statistics suggest that, at peaks, it represented as much as 80% of spam traffic and in excess of 2000 spam messages per second.
Our efforts here represent a partnership between Microsoft’s Digital Crimes Unit, the Microsoft Malware Protection Center and Trustworthy Computing. This was a multi-month effort which had its denouement yesterday with a coordinated seizure of command and control servers under court order from the U.S. District Court for the Western District of Washington carried out by the U.S. Marshals Service as well as authorities in the Netherlands. Investigators are now inspecting the evidence captured in these seizures from five hosting centers in seven locations in order to, potentially, learn more about those responsible and their activities.
Efforts like this are not possible without collaboration with others. For this effort, we worked with Pfizer—whose brands were infringed by fake-pharma spam coming from Rustock. We also worked with our colleagues at FireEye and the University of Washington. All three provided valuable declarations to the court on the behaviors of Rustock and the specific dangers posed by this threat- dangers to public health in addition to those affecting the Internet.
We are continuing our work with both CERTs and ISPs around the world to reach out to those whose computers are infected and help clean them of viruses. If you believe a computer under your care or that of a family member, friend or colleague may be infected, please make a concerted effort to clean it and get protected with a full antivirus product from a trusted provider. More support information is available at http://support.microsoft.com/botnets. The announcement from Microsoft’s Digital Crimes Unit can be found on the Official Microsoft Blog and the Microsoft on the Issues blog.
–Jeff Williams