Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Rustock take-down proves botnets can be crippled, says Microsoft

Gregg Keizer | July 5, 2011
More than half of the PCs once infected with spamming malware now clean.

"The minute you take down Rustock, what does that do to those who want to send spam?" Boscovich asked. "They have to find other botnets. But if you're a botnet herder, and you just saw Rustock go down -- with years of work coding and planting malware and maintaining the botnet -- you're going to charge more. And that's an impact on spammers' cost analysis, as it becomes more and more expensive to send out spam."

Rustock botnet
Rustock activity fell to nearly nothing after the mid-March take-down, Microsoft says. (Graphic: Microsoft.)

Statistics from Symantec seemed to prove Microsoft was on to something. In its June report on spam and malware trends, Symantec said that spam levels had not recovered from the Rustock take-down, and in June accounted for 72.9% of all email, down from 83.1% in March.

Alex Lanstein, a senior engineer with FireEye who worked with Microsoft on the Rustock take-down, said the numbers spoke for themselves. "The spam drop is a direct result of the take-down," Lanstein said Monday.

But Symantec also said there was evidence that another botnet, dubbed "Grum," had stepped in to partially replace Rustock. The security firm cited such factors as similar subject lines, sending domains, a change in character sets by Grum just hours after the Rustock take-down and similarities in the two botnets' distribution patterns (download PDF).

So are botnet take-downs just a game of "Whack-a-Mole," where bashing one botnet only sees it replaced by another?

"I think that's foolish to say," Boscovich said. "If you don't take action, what do you do, sit and watch it happen? This weeds out the smaller players, who decide that they can't afford the higher costs of sending spam. If everyone started doing more proactive work like [take-downs], we really would be able to take down a lot of players, and disrupt the entire spam ecosystem."

"It's not nitpicking, but there are always a lot of naysayers who play up the negative angle," added Lanstein. "The lasting impact comes from how much you follow through."

And in his eyes, Microsoft is committed to the battle long term. "[Microsoft] is bringing the fight to the bad guys," said Lanstein. "This is definitely not the last botnet we're going to go after."

Microsoft has not yet identified the presumed head of the Rustock botnet gang, but last week a federal judge granted its request to extend its effort to notify unnamed defendants in the lawsuit, a legal formality designed to give potential defendants an opportunity to respond to charges.

 

Previous Page  1  2  3  Next Page