Will Microsoft’s Takedown of Rustock Drive Spammers Outside the United States?
Thu, Mar 24, 2011 by David LaMacchia
Last week Microsoft revealed itself to be the plaintiff in a complaint against the operators of the Rustock Botnet. As part of that complaint, seven colocation facilities were raided almost simultaneously in the United States, where hardware for the botnet’s Command & Control infrastructure was seized. Taking this hardware offline, in conjunction with some measures that prevented infected computers from receiving new operating instructions, effectively has terminated what was once the largest botnet in the world.
If you want an in-depth technical look at the Rustock Botnet takedown, FireEye Inc., who contributed a declaration as part of Microsoft’s complaint, has one here:
FireEye claims “if you examine the top C&Cs used over the past 6 months, you’ll find that not only have they not had to move IPs, all the top hits were based in the US.” Botnet operators and colocation facilities in the United States that host them should be concerned. The Microsoft claim sets a precedent that allows US Marshals to raid and seize hardware in the name of trademark violations, such as infringement, under the Lanham Act (15 U.S.C.). Colocation facilities could be charged with conspiracy for hosting and knowingly allowing botnet C&Cs to operate.
We may soon see a migration of C&C hosts to countries outside of US jurisdiction. While this might at first glance seem like a bad thing, since a takedown on foreign soil could be difficult to organize, Microsoft did manage to receive help from authorities in Netherlands and China in the Rustock takedown; international cooperation is not impossible. Either way, the more restricted botnet operators are in their hosting alternatives, the easier it becomes to isolate their C&C machines.
The takedown seems to have been very positive for Microsoft, whose brand has been tarnished by the fact that botnets like Rustock tend to target their Windows operating system. What happens next, though? Even though the compromised computers in the botnet are no longer connected to Rustock C&C hosts, the operators are still at large. The only way a botnet can be permanently shut down is to not only take its hardware offline, but to also use existing law to punish the people behind the botnet and the entities enabling its criminal activity.