Rustock botnet


The Rustock botnet was a botnet that operated from around 2006 [1] until March 2011.


It consisted of computers running Microsoft Windows and was capable of sending up to 25,000 spam messages per hour from a single infected PC. [2] [3] At the height of its activity, it sent an average of 192 spam messages per compromised machine per minute. [4] Estimates of its size vary greatly between sources, ranging from 150,000 to 2,400,000 machines. [5] [6] [7] The botnet grew and maintained its size mostly through self-propagation: it sent large volumes of malicious e-mail carrying a trojan, and a machine on which such a message was opened became infected and was incorporated into the botnet. [8]

The botnet took a hit after the November 2008 takedown of McColo, a hosting provider responsible for hosting most of the botnet's command-and-control servers. McColo briefly regained Internet connectivity for several hours, during which up to 15 Mbit/s of traffic was observed, most likely a transfer of command and control to servers in Russia. [9] While the takedown temporarily reduced global spam levels by around 75%, the effect did not last long: spam levels rose by 60% between January and June 2009, and 40% of that increase was attributed to Rustock. [10] [11]

On March 16, 2011, the botnet was taken down through what was initially reported as a coordinated effort by Internet service providers and software vendors. [12] It was revealed the next day that the take-down, called Operation b107, [13] [14] was the action of Microsoft, U.S. federal law enforcement agents, FireEye, and the University of Washington. [15] [16]

On July 18, 2011, in an effort to identify the individuals behind Rustock, Microsoft announced that it was offering "a monetary reward in the amount of US$250,000 for new information that results in the identification, arrest and criminal conviction of such individual(s)." [17]

Operations

Botnets are composed of infected computers belonging to unwitting Internet users. To hide its presence from the user and from anti-virus software, Rustock used rootkit techniques. Once a computer was infected, it would try to contact command-and-control servers at a number of IP addresses and at any of roughly 2,500 primary and backup domains, [18] which could direct the zombies in the botnet to perform tasks such as sending spam or launching distributed denial-of-service (DDoS) attacks. [19] Ninety-six servers were in operation at the time of the takedown. [20] When sending spam, the botnet negotiated TLS for around 35 percent of its SMTP sessions as an extra layer of concealment: the encrypted session hides the message from network-level inspection between the bot and the receiving mail server, although the receiving server itself still sees the plaintext once it decrypts the session. Detected or not, every TLS handshake adds CPU and connection overhead to the mail servers handling the spam, and some experts warned that this extra load could degrade the Internet's mail infrastructure, given that most e-mail sent at the time was spam. [21]
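The two per-host figures above (a sending rate of hundreds of messages per minute and TLS on roughly a third of sessions) are exactly what a mail operator can measure on a receiving MTA. The following is an added example, not code from the article or from the botnet, of that measurement run over constructed Postfix smtpd log lines: it attributes each message to its SMTP session's TLS state (tracked per smtpd process id, a simplification that assumes one session per pid between connect and disconnect), computes each source's messages per minute and TLS share, and flags sources above an assumed rate threshold. The hostnames, IP addresses, queue ids and thresholds are all invented for the illustration.

```python
"""Flag mail sources whose sending rate and STARTTLS usage resemble a spam bot.

Added illustration for the Rustock article; not the botnet's or Postfix's code.
Log lines are constructed in Postfix smtpd syslog format, and the thresholds
in flag_sources() are assumptions chosen for the example, not figures from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd line shapes: TLS negotiation, message accepted, session end.
_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
RE_TLS = re.compile(_TS + r"Anonymous TLS connection established from \S+\[(?P<ip>[\d.]+)\]")
RE_MSG = re.compile(_TS + r"(?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[\d.]+)\]")
RE_DISC = re.compile(_TS + r"disconnect from \S+\[(?P<ip>[\d.]+)\]")


def _parse_ts(s, year=2011):
    # Syslog timestamps carry no year; the year is an assumption for the sample.
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def summarize(lines):
    """Return {ip: {"msgs", "tls_msgs", "first", "last"}} from smtpd log lines.

    TLS is negotiated once per SMTP session, so the TLS state is remembered per
    smtpd process id and every message from that session inherits it until the
    client disconnects.
    """
    session_tls = {}  # pid -> True once STARTTLS succeeded in this session
    stats = defaultdict(lambda: {"msgs": 0, "tls_msgs": 0, "first": None, "last": None})
    for line in lines:
        if m := RE_TLS.match(line):
            session_tls[m["pid"]] = True
        elif m := RE_MSG.match(line):
            st = stats[m["ip"]]
            ts = _parse_ts(m["ts"])
            st["msgs"] += 1
            st["tls_msgs"] += int(session_tls.get(m["pid"], False))
            st["first"] = ts if st["first"] is None else min(st["first"], ts)
            st["last"] = ts if st["last"] is None else max(st["last"], ts)
        elif m := RE_DISC.match(line):
            session_tls.pop(m["pid"], None)
    return dict(stats)


def flag_sources(stats, max_per_minute=60.0, min_msgs=20):
    """Return {ip: (msgs_per_minute, tls_fraction)} for sources over the assumed rate limit."""
    flagged = {}
    for ip, st in stats.items():
        if st["msgs"] < min_msgs:  # too few messages to judge a rate
            continue
        span_min = max((st["last"] - st["first"]).total_seconds() / 60.0, 1.0)  # floor at one minute
        rate = st["msgs"] / span_min
        if rate > max_per_minute:
            flagged[ip] = (round(rate, 1), round(st["tls_msgs"] / st["msgs"], 2))
    return flagged


def _line(sec, pid, text):
    ts = (datetime(2011, 3, 16, 10, 0, 0) + timedelta(seconds=sec)).strftime("%b %d %H:%M:%S")
    return f"{ts} mx1 postfix/smtpd[{pid}]: {text}"


def constructed_log():
    """Constructed sample (not real traffic): one bot-like source, one ordinary relay."""
    bot, legit = "198.51.100.23", "203.0.113.8"
    lines = []
    for s in range(40):  # 40 sessions of 10 messages over two minutes; 7 of every 20 use TLS
        pid, t0 = 5000 + s, s * 3
        if s % 20 < 7:
            lines.append(_line(t0, pid, f"Anonymous TLS connection established from unknown[{bot}]: TLSv1 with cipher AES128-SHA (128/128 bits)"))
        for i in range(10):
            lines.append(_line(t0 + i // 4, pid, f"{s:02X}{i:02X}ABCD: client=unknown[{bot}]"))
        lines.append(_line(t0 + 3, pid, f"disconnect from unknown[{bot}]"))
    pid = 6000  # a legitimate relay: three messages in one TLS session
    lines.append(_line(10, pid, f"Anonymous TLS connection established from mail.example.net[{legit}]: TLSv1 with cipher AES256-SHA (256/256 bits)"))
    for i, sec in enumerate((10, 40, 70)):
        lines.append(_line(sec, pid, f"B{i:03X}0001: client=mail.example.net[{legit}]"))
    lines.append(_line(71, pid, f"disconnect from mail.example.net[{legit}]"))
    return lines


if __name__ == "__main__":
    for ip, (rate, tls) in flag_sources(summarize(constructed_log())).items():
        print(f"{ip}: {rate} msg/min, {tls:.0%} of messages over TLS")
```

On the constructed sample only the bot-like address is flagged, at roughly 200 messages per minute with 35% of its messages arriving over TLS; the relay sending three messages is below the minimum count and is never rated. In production the TLS share is a descriptive field rather than a trigger, since legitimate senders also negotiate STARTTLS, and the rate threshold would be tuned per deployment.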


Related Research Articles

Timeline of computer viruses and worms (computer malware timeline)

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Email spam (unsolicited electronic advertising by email)

Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoidable, and repetitive. Email spam has steadily grown since the early 1990s, and by 2014 was estimated to account for around 90% of total email traffic.

Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

Botnet (collection of compromised Internet-connected devices controlled by a third party)

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Norton Internet Security, developed by Symantec Corporation, is a discontinued computer program that provides malware protection and removal during a subscription period. It uses signatures and heuristics to identify viruses. Other features include a personal firewall, email spam filtering, and phishing protection. With the release of the 2015 line in summer 2014, Symantec officially retired Norton Internet Security after 14 years as the chief Norton product. It was superseded by Norton Security, a rechristened adaptation of the Norton 360 security suite.

Storm Worm (backdoor Trojan horse found in Windows)

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

Storm botnet (computer botnet)

The Storm botnet or Storm worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

The Srizbi botnet was considered one of the world's largest botnets, responsible for sending more than half of all the spam sent by the major botnets combined. It consisted of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when the hosting provider Janka Cartel was taken down; global spam volumes fell by up to 93% as a result.

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

McColo (defunct web hosting provider used for cybercrime)

McColo was a US-based web hosting service provider that was, for a long time, the source of the majority of spam-sending activities for the entire world. In late 2008, the company was shut down by two upstream providers, Global Crossing and Hurricane Electric, because a significant amount of malware and botnets had been trafficking from the McColo servers.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. A Windows security update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows.

Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's third largest botnet, responsible for 18% of worldwide spam traffic.

Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.

The Lethic botnet is a botnet consisting of an estimated 210,000 to 310,000 individual machines, mainly involved in pharmaceutical and replica spam.

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

Virut is a cybercrime malware botnet, operating at least since 2006, and one of the major botnets and malware distributors on the Internet. In January 2013, its operations were disrupted by the Polish organization Naukowa i Akademicka Sieć Komputerowa.

Microsoft Digital Crimes Unit

The Microsoft Digital Crimes Unit (DCU) is a Microsoft-sponsored team of international legal and Internet security experts employing the latest tools and technologies to stop or interfere with cybercrime and cyber threats. The DCU was assembled in 2008. In 2013, a Cybercrime Center for the DCU was opened in Redmond, Washington, where about 100 DCU members are stationed. Members of the DCU include lawyers, data scientists, investigators, forensic analysts, and engineers. The DCU has international offices in major cities such as Beijing, Berlin, Bogota, Delhi, Dublin, Hong Kong, Sydney, and Washington, D.C. Its main focuses are child protection, copyright infringement and malware crimes, and it works closely with law enforcement so that perpetrators can be prosecuted. The DCU has taken down many major botnets, including Citadel, Rustock, and Zeus. Malware has cost users around the world about $113 billion, and the DCU's job is to shut such operations down in accordance with the law.

References

  1. Chuck Miller (2008-07-25). "The Rustock botnet spams again". SC Magazine US. Archived from the original on 2012-07-30. Retrieved 2010-04-21.
  2. "Real Viagra sales power global spam flood - Techworld.com". News.techworld.com. Archived from the original on 2012-04-07. Retrieved 2010-04-21.
  3. "Marshal8e6 Releases New Insight and Analysis into Botnets". trustwave.com. Chicago, IL, USA: Trustwave Holdings. 2009-04-22. Archived from the original on 2016-04-20. Retrieved 2014-01-09.
  4. "Symantec Announces August 2010 MessageLabs Intelligence Report". Sunnyvale, CA, USA: Symantec. 2010-08-24. Archived from the original on August 28, 2010. Retrieved 2014-01-09.
  5. "MessageLabs intelligence" (PDF). MessageLabs. April 2010. Retrieved 20 November 2010.
  6. "Biggest spammer? The Rustock botnet". Securityinfowatch.com. 2009-02-06. Archived from the original on 2020-06-18. Retrieved 2010-04-21.
  7. "Rustock botnet responsible for 40 percent of spam". Good Gear Guide. Retrieved August 25, 2010.
  8. "New Rustock Botnet Trying to Expand Itself". SPAMfighter. 2008-07-25. Retrieved 2010-04-21.
  9. "Dead network provider arms Rustock botnet from the hereafter - McColo dials Russia as world sleeps". The Register. 18 November 2008. Retrieved 20 November 2010.
  10. "Rustock botnet leads spam surge up 60 percent in 2009". MX Logic. 2009-07-14. Retrieved 2010-04-21.
  11. "Grum and Rustock botnets drive spam to new levels > Botnet > Vulnerabilities & Exploits > News > SC Magazine Australia/NZ". securecomputing.net.au. 2010-03-02. Retrieved 2010-04-21.
  12. Hickins, Michael (2011-03-17). "Prolific Spam Network Is Unplugged". Wall Street Journal. Retrieved 2011-03-17.
  13. Williams, Jeff. "Operation b107 - Rustock Botnet Takedown". Retrieved 2011-03-27.
  14. Bright, Peter (22 March 2011). "How Operation b107 decapitated the Rustock botnet". Ars Technica. Retrieved 2011-03-27.
  15. Wingfield, Nick (2011-03-18). "Spam Network Shut Down". Wall Street Journal. Retrieved 2011-03-18.
  16. Williams, Jeff. "Operation b107 - Rustock Botnet Takedown". Retrieved 2011-04-06.
  17. "Microsoft Offers Reward for Information on Rustock". Retrieved 2011-07-18.
  18. Microsoft Amended Application for Temporary Restraining Order. Case 11CV00222, US Fed. Ct. W.D. Wash., Feb 28 2011
  19. Prince, Brian (2009-07-28). "Security: A Day in the Life of the Rustock Botnet". eWeek. Retrieved 20 November 2010.
  20. "Spammers sought after botnet takedown". BBC News. 2011-03-25.
  21. "Beware Botnet's Return, Security Firms Warn". PCWorld. 2010-03-28. Retrieved 2010-04-21.