Rustock down

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.


Postby spamislame » Thu Mar 17, 2011 10:34 am

spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Rustock down?

Postby spamislame » Thu Mar 17, 2011 11:10 am

M86 also has a dedicated story:

http://labs.m86security.com/2011/03/rustock-down/


SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Rustock down?

Postby AlphaCentauri » Thu Mar 17, 2011 12:18 pm

A lot of people dismiss us for spending time taking action against spamming. But the spammers are at a fundamental disadvantage: In order to spam, they have to let us know which bots they have control of. They have to send the information to us, without even making us go looking for it. All that has been missing is a general consensus among hosts and registrars that they have a responsibility to make sure their companies aren't enabling the criminals who use other people's hijacked computers to commit their crimes.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Rustock down?

Postby spamislame » Thu Mar 17, 2011 2:16 pm

I'm wondering if the multi-thousand-message joe-jobs we're seeing are related to this. (And I mentioned that in the joe-job discussion thread as well.)

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Rustock down?

Postby AlphaCentauri » Thu Mar 17, 2011 3:00 pm

We were seeing increased baseline level before the shutdown, so I don't know that it's a reaction to anything they think we did. However, no one has taken credit for the takedown yet. Usually, it's done by an organization that coordinates the response with numerous ISPs, so it takes someone with some credibility. But if another spammer managed to take control of the network and bluescreen all the bots a la ZeuS, we might not hear the details for a while.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Rustock down?

Postby meep » Thu Mar 17, 2011 3:35 pm

Interesting finds, I don't know an answer, but something is up for sure. :P
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Rustock down?

Postby Red Dwarf » Thu Mar 17, 2011 11:30 pm

REF: Microsoft's Official Technet Blog
REF: Wall Street Journal
Microsoft Digital Crimes Unit took legal action and seized several computers that were used as control centers for Rustock
"In its action against Rustock, Microsoft officials say they had to seize actual computer equipment connected to the botnet, rather than simply taking possession of Internet addresses. That's because the masterminds behind Rustock designed their infected computers to receive instructions from Internet protocol addresses tied to specific command-and-control machines.

As a precaution, Microsoft also worked with the companies that provide Internet access to the hosting facilities where the machines were stored to prevent any communications with the Internet protocol addresses allegedly linked to the botnet."
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10519
Joined: Tue Jun 27, 2006 2:01 am

Re: Rustock down?

Postby roberto7888 » Fri Mar 18, 2011 4:19 am

roberto7888
Spam Muncher
 
Posts: 842
Joined: Tue Jan 02, 2007 11:04 am

RIP RUSTOCK

Postby BlueFrog » Fri Mar 18, 2011 7:25 am

BlueFrog
Spam Observer
 
Posts: 64
Joined: Thu Mar 19, 2009 9:52 pm

Re: RIP RUSTOCK

Postby AlphaCentauri » Fri Mar 18, 2011 8:53 am

And I can't believe Pfizer actually stood up and defended their trademark to help get the court order to seize the servers:
http://blogs.technet.com/b/microsoft_bl ... otnet.aspx

Interesting that the servers were all in the US, apparently. Convenient for avoiding blocklisting by IP range.

It's not just about Rustock and a dip in spam for a week or two. It's about people seeing botnet shutdown as a possibility and a responsibility. Every spam they send is evidence of a trojan infection, delivered to our doors without us even having to go out looking. The people in legitimate internet hosting and domain registration just have to decide it's not something they're going to put up with anymore.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Rustock down

Postby AlphaCentauri » Fri Mar 18, 2011 8:55 am

I merged these two threads and removed the question mark in the title :)
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Rustock down

Postby HansTheBlueFrog » Fri Mar 18, 2011 1:00 pm

Will 2011 be another good year, much as 2010 was? It seems to me we're off to a good start. Sorry AC, I just had to rescue that poor little question mark you removed and provide it with some gainful employment.

Hans
HansTheBlueFrog
Spam Investigator
 
Posts: 343
Joined: Wed Feb 04, 2009 3:23 pm

Re: Rustock down

Postby spamislame » Fri Mar 18, 2011 7:30 pm

Holy crap! I'm just getting to this now.

This has also been Slashdotted (with 272 comments and counting.) And there are updates to the story posted yesterday by Brian Krebs.

Just fantastic news!

:silthumb:

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Rustock down

Postby Red Dwarf » Sat Mar 19, 2011 10:07 pm

Though a good kill, the action would have been far more significant back in the days when Rustock was in heavy use.

With the demise of Spamit, Rustock's usage dropped off last year as well, and although it is rated as one of the largest botnets in terms of numbers, it has been rather a low volume spam machine lately. In August last year, 60% of bot-spewed spam was Rustock, but it took a steep dive in late September. In the past week it was ranked at #8 in the top 13 by M86 in their graph of "Spambot Activity Over Time" - http://www.m86security.com/labs/spam_statistics.asp (it's the pink line).

Predictions of significant drops in global spamming as a result of this operation are ill-founded.
Predictions of an immediate drop in spam from Rustock are totally credible.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10519
Joined: Tue Jun 27, 2006 2:01 am

Re: Rustock down

Postby spamislame » Sun Mar 20, 2011 11:25 am

It definitely appears that one of my regular spammers had dropped right off, which is a welcome change. He predominantly spammed diplomas. I'm happy to see him temporarily gone. My other spammer is still pushing Ultimate Replicas and dozens of Nigerian scam messages per day. He's got to be THE stupidest spammer I've ever heard from. One scam message a month, okay maybe I could see somebody falling for it. 40 - 80 "I need your help" messages? In one day?! How stupid can you get?

I know Rustock is only one of numerous botnets. I know the impact overall is not as severe as we'd all like, but Rustock was used for more than just spamming and I for one am extremely glad to see it wiped out.

Also: you can see from how they worded the blog entries about this takedown that this was only one of many planned shutdowns to come. It's subtle but they're sounding the alarm: if you run a botnet which uses Windows operating systems to function, this is bound to happen to your servers also.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am
