Rustock down

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

Re: Rustock down

Postby AlphaCentauri » Sun Mar 20, 2011 11:56 am

Here's the court order:
http://blogs.technet.com/cfs-file.ashx/ ... plaint.pdf

One of the arguments used was that the Rustock botherders are harming Microsoft's reputation by selectively infecting Windows OS and making people consider it an inferior product. That's an interesting way to look at Windows' intrinsic vulnerabilities, but it's an argument that they can apply to most other botnets in future court filings.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Rustock down

Postby spamislame » Sun Mar 20, 2011 12:47 pm

I was hoping someone at FireEye would speak up about the inner workings of this, and they did not disappoint:

http://blog.fireeye.com/research/2011/0 ... stock.html

Very technical reading but some great writing about how this complex botnet operates.

SiL
spamislame
Site Admin
 
Posts: 5056
Joined: Tue May 09, 2006 9:18 am

Re: Rustock down

Postby Red Dwarf » Sun Mar 20, 2011 8:01 pm

The FireEye report is indeed fairly technical, but the best part is in the summary:
The biggest takeaway from this is that Microsoft, with the assistance of Pfizer, UW, and FireEye, put immense resources into this effort to create a legal precedence (sic) for other companies to pursue similar actions. It is now radically easier for other legal teams to take action against abusers of the Internet.

Lastly, let us not forget that as part of the operation, Microsoft, along with a forensic company trained in chain-of-custody and evidence preservation, seized the physical hard drives from the servers. I hope that we have not heard the end of the criminal perspective of this story. If I were the operator, I would not be sleeping well knowing that the full resources of the Microsoft Corporation were available to the investigators trying to track me down.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am

Re: Rustock down

Postby AlphaCentauri » Sun Mar 20, 2011 8:17 pm

Folks posting comments on Brian Krebs' blog are questioning the legality of Microsoft not only getting the servers seized, but also being handed the servers rather than having the FBI take them.

Then there is the question of whether data on shared servers belonging to innocent third parties should be made available to Microsoft or law enforcement without them being notified or allowed to challenge it.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Rustock down

Postby spamislame » Mon Mar 21, 2011 2:31 pm

AlphaCentauri wrote:Folks posting comments on Brian Krebs' blog are questioning the legality of Microsoft not only getting the servers seized, but also being handed the servers rather than having the FBI take them.

Those people are not fully absorbing what Microsoft and their legal team did, and what they said they did.

http://blogs.technet.com/b/microsoft_bl ... otnet.aspx

That's the Official Microsoft Blog.

As you may have read, the Rustock botnet was officially taken offline yesterday, after a months-long investigation by DCU and our partners, successful pleading before the U.S. District Court for the Western District of Washington and a coordinated seizure of command and control servers in multiple hosting locations escorted by the U.S. Marshals Service.

Emphasis mine

The DCU is Microsoft's "Digital Crimes Unit", who also went after Waledac last year.

Having the US Marshals Service present is crucial, as they ensure that the appropriate warrants are in hand and that the requested hardware is seized in accordance with the letter of the law. Microsoft didn't just get their lawyers to show up; they involved US federal law enforcement and the US federal courts.

That whole entry is worth reading if anyone has any doubts of the legality of what they did here.

AlphaCentauri wrote:Then there is the question of whether data on shared servers belonging to innocent third parties should be made available to Microsoft or law enforcement without them being notified or allowed to challenge it.

I present to you the technical blog of FireEye, who greatly assisted Microsoft and law enforcement in ensuring that each of the servers whose hard drives were seized was created 100% with the intention of solely engaging in this illicit activity:

http://blog.fireeye.com/research/2011/0 ... stock.html

Another interesting note is that to aggravate attribution, many were also running TOR nodes and other services (sorry Abuse Desk, that wasn't me, it was just someone on TOR!). Another possibility is that they did this to bolster the TOR network for their own criminal interests --- we saw this happen in the McColo case as well. It should be of no surprise to anyone that these servers were dedicated purely to the criminal actors, which is shown by our own metrics (including traffic monitoring at large access points and passive DNS research) as well as the fact that no one has come forward to complain that their legit sites were taken down. Additionally, there was a substantial pile of money put up as a bond in case we were in error.

Emphasis mine

They ran TOR nodes to cover their tracks and obfuscate the true origin of the malicious activity, and evidently both FireEye and others (apparently Shadowserver, though that is not documented fully) repeatedly brought this to the attention of each of the operators of the servers with no response.

Not all of the legal documentation is in the public domain yet, but I believe this shows that everybody really made sure that the action they took was appropriate and that it was done with the utmost care with regard to the legality of the seizures.

SiL
spamislame
Site Admin
 
Posts: 5056
Joined: Tue May 09, 2006 9:18 am

Re: Rustock down

Postby spamislame » Mon Mar 21, 2011 2:46 pm

Ohhhh and look at that:

http://krebsonsecurity.com/2011/03/home ... u-s-firms/

Ironic timing. Krebs describes one of these server hard drive seizures in quite a bit of detail.

SiL
spamislame
Site Admin
 
Posts: 5056
Joined: Tue May 09, 2006 9:18 am

Re: Rustock down

Postby AlphaCentauri » Tue Mar 29, 2011 12:51 am

It just keeps getting better.

Note to botherders: If you're making hundreds of thousands of dollars spamming, pay your hosting bills:
http://krebsonsecurity.com/2011/03/micr ... #more-8707

Your creditor might just take advantage of an offer to help find your sorry deadbeat a$$ when Microsoft, Brian Krebs, and the FSB all call asking about you.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Rustock down

Postby meep » Tue Mar 29, 2011 9:22 am

Wow, the latest from Krebs is something else. :)
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Rustock down

Postby AlphaCentauri » Tue Mar 29, 2011 5:16 pm

It's like someone mentioned in the comments -- if you see him miss a day posting, you know he's working on something that will make a criminal unhappy.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Rustock down

Postby Red Dwarf » Tue Apr 12, 2011 5:04 am

What do you know? All those John Doe's failed to show.

Now Microsoft has the legal right to perform discovery on the seized machines - looking for evidence.

Already, millions of Rustock bots are trying to call home, and their IPs are being logged - making them wonderful targets for a clean-up campaign. And once Microsoft's whizz-kid geeks start delving into the dozens of seized controllers, all sorts of toads may get exposed to the light.

See: Microsoft to crack open Rustock's servers; 1.7 million IP addresses still calling home
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am

Re: Rustock down

Postby spamislame » Tue Apr 12, 2011 10:48 am

Red Dwarf wrote:What do you know? All those John Doe's failed to show.

[Shocking!!1!]

Red Dwarf wrote:Now Microsoft has the legal right to perform discovery on the seized machines - looking for evidence.

Very exciting. :)

SiL
spamislame
Site Admin
 
Posts: 5056
Joined: Tue May 09, 2006 9:18 am

Re: Rustock down

Postby Red Dwarf » Tue Apr 12, 2011 5:37 pm

Red Dwarf wrote:What do you know?
All those
John Doe's
failed to show.

I hope all poets enjoyed the palindromic rhyming structure of that :-)
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am

Re: Rustock down

Postby NotBuyingIt » Tue Apr 12, 2011 10:27 pm

Red Dwarf wrote:
Red Dwarf wrote:What do you know?
All those
John Doe's
failed to show.

I hope all poets enjoyed the palindromic rhyming structure of that :-)


http://famouspoetsandpoems.com/country/New%20Zealand/New%20Zealand_poets.html

http://www.topfamousbiography.com/country/category/new_zealand/924/1/
NotBuyingIt
Spammer Killing Machine
 
Posts: 607
Joined: Sun Jun 13, 2010 5:22 pm

Re: Rustock down

Postby AlphaCentauri » Tue Apr 12, 2011 10:40 pm

NotBuyingIt wrote:
Red Dwarf wrote:What do you know?
All those
John Doe's
failed to show.

I hope all poets enjoyed the palindromic rhyming structure of that :-)


http://famouspoetsandpoems.com/country/New%20Zealand/New%20Zealand_poets.html

http://www.topfamousbiography.com/country/category/new_zealand/924/1/


When the critics read "The Ballad of the Missing John Does," they'll be sure to add Red to that list of famous poets ;)
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Rustock down

Postby MyCanadian Spammerdeath » Thu Apr 14, 2011 6:33 am

spamislame wrote:My other spammer is still pushing Ultimate Replicas and dozens of Nigerian scam messages per day. He's got to be THE stupidest spammer I've ever heard from. One scam message a month, okay maybe I could see somebody falling for it. 40 - 80 "I need your help" messages? In one day?!


Just got a bump in multiple spams, reports of spam, from the (new?) 419 bot. And we absolutely have a mailer in common. (This is the same spammer responsible for the recently-rapid-morphing brand once known as Pharmacy Express.)

Defiant post-Coreflood-takedown blowback. Most of Coreflood is still up: I don't know whether it's responsible for the latest observed spam delivery attempts, but if I understand, ISC has only gotten permission to permanently kill bad IPs administered at networks under US jurisdiction, a small segment of that total botnet.
Only on our site you will find a SPICE under the comprehensible prices!
MyCanadian Spammerdeath
Spammer Exterminator
 
Posts: 1145
Joined: Mon Feb 26, 2007 11:13 pm
