Rustock May Be Down, But It's Not Quite Out

Sue Marquette Poremba

Rustock is like a zombie: You think it gets killed off and it comes back to life. But maybe this time it is gone for good. I first saw this report from Troy Gill at AppRiver:

Beginning around 12pm CT March 16 we observed a decrease in spam from Rustock botnet due to the disruption of its command and control servers. Interestingly, we have seen general, overall spam levels creep back to their previous levels in the past few hours. Although it is too early to tell for sure, this disruption appears to be temporary, similar to the 10-day disruption of Rustock back in November of 2010.

Then I got an e-mail from FireEye, reporting that Microsoft was able to take Rustock down. According to a blog post:

This operation, known as Operation b107, is the second high-profile takedown in Microsoft's joint effort between DCU, Microsoft Malware Protection Center and Trustworthy Computing, known as Project MARS (Microsoft Active Response for Security), to disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected computers. Like the Waledac takedown, this action relied on legal and technical measures to sever the connection between the command and control structure of the botnet and the malware-infected computers operating under its control to stop the ongoing harm caused by the Rustock botnet. As you may have read, the Rustock botnet was officially taken offline yesterday, after a months-long investigation by DCU and our partners, successful pleading before the U.S. District Court for the Western District of Washington and a coordinated seizure of command and control servers in multiple hosting locations escorted by the U.S. Marshals Service.

But even though it's been taken down, Rustock's damage is still likely to be felt, according to Gunter Ollman from Damballa. He points out three ways that Rustock's effects will continue to linger:

  1. The botnet victims are still out there. They remain infected, beaconing away, trying to locate their lost CnC servers for all to see.
  2. The criminals behind Rustock are only temporarily out of business. Sure, they lost some CnC servers and their existing botnet victims, but all the other components are still available to them to build and replace the botnet they lost. The malware they are using is still very successful at infecting their victims' computers and the vectors they use for causing the installation of malware upon those victims haven't been touched.
  3. [T]he servers (and drives) hosting the CnC services were removed and are now being investigated. This could cause a problem for some organizations totally unaffiliated with the Rustock botnet. As with any Internet server hosting facility, most servers (or racks of servers) have many different companies being served from the same physical device. For those other companies unfortunately collocated on the same infrastructure, well, I guess they're also temporarily out of business.
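
Ollman's first point is also the defender's opportunity: a bot that has lost its command and control servers keeps retrying on a fixed timer, and every attempt fails, which stands out in egress logs. The following added example (not code from the post or from Damballa) scans constructed firewall-style log lines for hosts whose connection attempts to one destination are all rejected and evenly spaced; the log format, addresses and thresholds are assumptions.

```python
"""Flag internal hosts that keep beaconing to an unreachable destination."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style log lines (not real Rustock traffic):
# "<timestamp> <src_ip> -> <dst_ip>:<port> <result>"
SAMPLE_LOG = """\
2011-03-17T08:00:00 10.0.0.5 -> 198.51.100.7:443 REJECT
2011-03-17T08:05:01 10.0.0.5 -> 198.51.100.7:443 REJECT
2011-03-17T08:10:02 10.0.0.5 -> 198.51.100.7:443 REJECT
2011-03-17T08:15:00 10.0.0.5 -> 198.51.100.7:443 REJECT
2011-03-17T08:20:01 10.0.0.5 -> 198.51.100.7:443 REJECT
2011-03-17T08:01:13 10.0.0.9 -> 203.0.113.20:80 ACCEPT
2011-03-17T08:07:44 10.0.0.9 -> 203.0.113.20:80 ACCEPT
2011-03-17T08:31:05 10.0.0.9 -> 203.0.113.20:80 ACCEPT
2011-03-17T08:33:59 10.0.0.9 -> 203.0.113.20:80 ACCEPT
2011-03-17T08:34:10 10.0.0.9 -> 203.0.113.20:80 ACCEPT
"""


def parse(line):
    """Split one log line into (timestamp, src, dst, result)."""
    ts, src, _, dst, result = line.split()
    return datetime.fromisoformat(ts), src, dst, result


def find_beacons(log_text, min_attempts=4, max_jitter=0.2):
    """Return (src, dst, period_seconds) for flows whose attempts all fail
    and whose spacing is nearly constant: the signature of a client still
    polling a command and control server that no longer answers."""
    flows = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, result = parse(line)
        flows[(src, dst)].append((ts, result))
    flagged = []
    for (src, dst), events in flows.items():
        if len(events) < min_attempts:
            continue
        events.sort()
        if any(result != "REJECT" for _, result in events):
            continue  # some attempts succeed: live traffic, not an orphaned client
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        # Coefficient of variation near zero means a fixed retry timer.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((src, dst, round(avg)))
    return flagged
```

In the sample, 10.0.0.5 is flagged with a roughly 300-second retry period, while 10.0.0.9's successful, irregular browsing to a web server is ignored.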
It will be interesting to see how this all shakes out in the end. Will Rustock return from the dead? What does a botnet afterlife look like? I guess only time can answer these questions.
