
Emtec Adviser - Bringing Down the Rustock Botnet

FireEye, Microsoft and the U.S. Marshals Service took down the Rustock botnet in dramatic, coordinated raids. But there are plenty of other botnets still in operation.

On March 16, 2011, the Microsoft Digital Crimes Unit, in cooperation with computer security experts and the U.S. Marshals Service, successfully took down the Win32/Rustock botnet, considered to be the largest botnet in the world. At the time of the takedown, Rustock was estimated to have upwards of 2 million infected computers under its control capable of sending 30 billion spam email messages daily.

The takedown was the culmination of months of investigation by antimalware firm FireEye, with help from Microsoft and Pfizer. Rustock was known for sending bogus Microsoft lottery scams and offers for fake Viagra and other prescription drugs, and the companies went after the botnet under the auspices of copyright law rather than antispam laws. Based upon FireEye’s intelligence, U.S. Marshals stormed seven data centers across the U.S. where 96 Rustock command servers were hidden. Computer forensics experts and Microsoft lawyers and technicians were also on the scene.

It was not as simple as pulling the plug. Somehow, while Microsoft’s technicians were securing the evidence, Rustock’s botmaster regained control of the network and began erasing files. For a tense half-hour, the operation played out like a TV crime drama, with the good guys battling the bad guys for control of the servers. Ultimately, the bad guys lost, and global spam volumes fell dramatically.


The Botnet Threat

Rustock may have been the largest botnet, but it was just one of many operating around the world. Botnets have become the source of much of today’s cybercrime, including spam and phishing attacks, identity theft, online scams and click fraud. Botnets are representative of the shift in online crime from creating mischief to making money.

Botnets are, in many ways, an ideal vehicle for cybercriminals. They function by gaining control of thousands of computers through malware and user deception. The master of the botnet — the so-called “bot herder” — controls these machines through a central command center, often having as much or more control over the computer than the legitimate user. The infiltrated computers operate quietly in the background, with the botnet malware often undetected for years, enabling the bot herder to keep a low profile.

Millions of zombie computers worldwide are under the control of these cybercriminals, and thousands more are being “recruited” into botnets every day. As a result, botnets are able to accumulate immense collective processing power — certainly many times greater than most corporate systems. Yet their distributed nature makes them difficult to find and shut down.


Riding Herd

The bot herders who put together these rogue networks invest large amounts of time, money and effort in them, and protect them like any valuable asset. After all, bot herders make a lot of money by hiring out their botnets to other cybercriminals.

Security experts say many spammers book time on Russian-owned botnets to send out their junk email and massive phishing scams. Bots are so lucrative that they have spawned online turf wars with web mobs releasing viruses designed to overwrite malware in an attempt to win control of rival gangs’ botnets.

Botnets have also enabled computer criminals to put a high-tech spin on an age-old extortion scheme — the protection racket. In the old days, mobsters would strong-arm individuals or businesses for “protection money” to prevent trench-coated goons from smashing up the joint and busting a few heads. Web mobs have used botnets and the threat of DoS attacks to extort money from businesses that rely heavily on the Internet, such as online-payment processors, gambling websites and financial-services sites.

Microsoft and other software vendors have helped to disrupt botnets by reducing the number of security vulnerabilities in their products, and users have become more diligent about applying Microsoft updates in recent years. These efforts reduce the number of potential zombies that can be recruited into the botnet, increasing the bot herder’s costs and making the botnet less lucrative.


Cybercrime Drama

At the same time, security experts and law enforcement agencies are continuing their aggressive efforts to take down botnets. Microsoft coordinated the takedown of the Waledac botnet in February 2010, and FireEye led the successful attack on the Mega-D botnet’s servers at the end of 2009.

The Rustock takedown was by far the most dramatic. In addition to its sheer size, Rustock had a complex infrastructure that relied on hard-coded IP addresses; Waledac, in contrast, used domain names and peer-to-peer command-and-control servers. The takedown team was worried the bot herder would simply move to a new infrastructure. Microsoft was granted a court order that allowed the Microsoft team, escorted by U.S. Marshals, to raid the data centers and physically seize evidence. Microsoft also severed the botnet’s command-and-control structure by working with ISPs and a Chinese domain name registrar to blacklist the addresses of the command servers.

According to a report by Symantec, global spam volumes dropped by as much as 90 percent over the past year, from 225 billion emails per day to as few as 25 billion; the Rustock takedown accounted for a third of this decrease. Still, many more botnets remain in operation. Organizations must continue to take steps to prevent their computers from joining the botnet armies. Firewalls, intrusion-detection systems, email filtering, antimalware solutions and other security techniques will make it more difficult for bot herders to operate until the next takedown.
