In medical terms, Rustock's output displays asystole. No spam activity. The analog of a patient devolving from a healthy heart rate into cardiac arrest seems appropriate because Rustock's behavior of late has emulated a sinus rhythm: a pattern characterized by a peak output accounting for around 80% of spam, followed by a decline of output, then no output at all. The good folks at CBL published some awesome graphs in their initial synopsis. These, accompanied by the always quality reporting from Brian Krebs, offered a good early picture of perhaps the biggest spam takedown ever. But who coordinated and conducted the takedown remained a mystery until late St. Patty's Day, when Microsoft disclosed its role in the takedown.
Read more at CBL
According to a blog post at technet.com, Microsoft's Digital Crimes Unit, Microsoft Malware Protection Center and Trustworthy Computing (a.k.a., Project MARS) collaborated with law enforcement and private sector partners to sever communications between Rustock's command and control and its estimated 1M infected computers.
Following the recipe that led to the successful takedown of Waledac in 2010, Microsoft collaborated with Pfizer in filing suit against Rustock, using abuse of trademarks in spam messages as one of the complaints. According to the technet.com article, the court order allowed Microsoft "to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis". Microsoft also acknowledges assistance from FireEye, Pfizer, the University of Washington, the Dutch High Tech Crimes Unit and CN-CERT.
This is a great coup for Microsoft and a huge win for white hats. Congratulations to all involved.
Note: since my original post, Brian Krebs posted a detailed article that is well worth reading; see Homegrown: Rustock Botnet Fed by US Firms.