Rustock botnet
Encyclopedia
The Rustock botnet was a botnet
that operated from around 2006 until March 2011.
It consisted of computers running Microsoft Windows, and was capable of sending up to 25,000 spam
messages per hour from an infected PC. At the height of its activities, it sent an average of 192 spam messages per compromised machine per minute. Reported estimates on its size vary greatly across different sources, with claims that the botnet may have comprised anywhere between 150,000 to 2,400,000 machines. The size of the botnet was increased and maintained mostly through self-propagation, where the botnet sent many malicious e-mails intended to infect machines opening them with a trojan
which would incorporate the machine into the botnet.
The botnet took a hit after the 2008 takedown of McColo
, an ISP which was responsible for hosting most of the botnet's command and control servers. McColo regained internet connectivity for several hours and in those hours up to 15 Mbit a second of traffic was observed, likely indicating a transfer of command and control to Russia
. While these actions temporarily reduced global spam levels by around 75%, the effect did not last long: spam levels increased by 60% between January and June 2009, 40% of which was attributed to the Rustock botnet.
On March 16, 2011, the botnet was taken down through what was initially reported as a coordinated effort by Internet service providers and software vendors. It was revealed the next day that the take-down, called Operation b107, was the action of Microsoft
, U.S. federal law enforcement agents, FireEye, and the University of Washington
.
To capture the individuals involved with the Rustock botnet, on July 18, 2011, Microsoft is offering "a monetary reward in the amount of US$250,000 for new information that results in the identification, arrest and criminal conviction of such individual(s)."
technology. Once a computer was infected, it would seek contact with command-and-control servers at a number of IP addresses and any of 2,500 domains and backup domains that may direct the zombies
in the botnet to perform various tasks such as sending spam or executing distributed denial of service (DDoS) attacks. Ninety-six servers were in operation at the time of the takedown. When sending spam the botnet uses TLS encryption
in around 35% of the cases as an extra layer of protection to hide its presence. Whether detected or not, this creates additional overhead for the mail servers handling the spam. Some experts pointed out that this extra load could negatively impact the mail infrastructure of the Internet, as most of the e-mails sent these days are spam.
Botnet
A botnet is a collection of compromised computers connected to the Internet. Termed "bots," they are generally used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet...
that operated from around 2006 until March 2011.
It consisted of computers running Microsoft Windows, and was capable of sending up to 25,000 spam
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
messages per hour from an infected PC. At the height of its activities, it sent an average of 192 spam messages per compromised machine per minute. Reported estimates on its size vary greatly across different sources, with claims that the botnet may have comprised anywhere between 150,000 to 2,400,000 machines. The size of the botnet was increased and maintained mostly through self-propagation, where the botnet sent many malicious e-mails intended to infect machines opening them with a trojan
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
which would incorporate the machine into the botnet.
The botnet took a hit after the 2008 takedown of McColo
McColo
McColo was a San Jose-based web hosting service provider. In late 2008, the company was shut down by the two upstream providers, Global Crossing and Hurricane Electric, because a significant amount of malware and botnets had been trafficking from the McColo servers.-History:McColo was formed by a...
, an ISP which was responsible for hosting most of the botnet's command and control servers. McColo regained internet connectivity for several hours and in those hours up to 15 Mbit a second of traffic was observed, likely indicating a transfer of command and control to Russia
Russia
Russia or , officially known as both Russia and the Russian Federation , is a country in northern Eurasia. It is a federal semi-presidential republic, comprising 83 federal subjects...
. While these actions temporarily reduced global spam levels by around 75%, the effect did not last long: spam levels increased by 60% between January and June 2009, 40% of which was attributed to the Rustock botnet.
On March 16, 2011, the botnet was taken down through what was initially reported as a coordinated effort by Internet service providers and software vendors. It was revealed the next day that the take-down, called Operation b107, was the action of Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
, U.S. federal law enforcement agents, FireEye, and the University of Washington
University of Washington
University of Washington is a public research university, founded in 1861 in Seattle, Washington, United States. The UW is the largest university in the Northwest and the oldest public university on the West Coast. The university has three campuses, with its largest campus in the University...
.
To capture the individuals involved with the Rustock botnet, on July 18, 2011, Microsoft is offering "a monetary reward in the amount of US$250,000 for new information that results in the identification, arrest and criminal conviction of such individual(s)."
Operations
Botnets are composed of infected computers used by unwitting Internet users. In order to hide its presence from the user and anti-virus software the Rustock botnet employed rootkitRootkit
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
technology. Once a computer was infected, it would seek contact with command-and-control servers at a number of IP addresses and any of 2,500 domains and backup domains that may direct the zombies
Zombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
in the botnet to perform various tasks such as sending spam or executing distributed denial of service (DDoS) attacks. Ninety-six servers were in operation at the time of the takedown. When sending spam the botnet uses TLS encryption
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
in around 35% of the cases as an extra layer of protection to hide its presence. Whether detected or not, this creates additional overhead for the mail servers handling the spam. Some experts pointed out that this extra load could negatively impact the mail infrastructure of the Internet, as most of the e-mails sent these days are spam.