Botnet’s Fall Leaves Malware-Free Zone

Thursday, July 7, 2011 @ 03:07 PM gHale

A coordinated take-down of the Rustock botnet and follow-up efforts eliminated the malware from over half of the PCs once controlled by Russian hackers.

“This shows that disruptive action [against botnets] is viable and possible,” said Richard Boscovich, a senior attorney with Microsoft’s Digital Crime Unit.

RELATED STORIES
Microsoft Updates Rootkit Removal Plan
‘Indestructible’ Botnet Making Rounds
Botnet Detection via a Smart DNS
Mariposa Botnet on Comeback Trail

Since March, when Microsoft lawyers and U.S. Marshals seized Rustock command-and-control (C&C) servers at five Web hosting providers in seven U.S. cities, the number of Windows PCs infected with the malware has dropped worldwide from 1.6 million to just over 700,000 as of June 18, Boscovich reported in a blog post.

Microsoft also released a report on Rustock, the take-down effort it led, and the impact of its anti-botnet campaign.

In the U.S., an estimated 86,000 Rustock-infected PCs in March dropped to 53,000 by June, a drop of 38%. Other countries saw even bigger reductions: In India, March’s 322,000 infected machines dropped to 99,000 in June.

The take-down itself didn’t remove the Windows PCs from Rustock control. Instead, the seizure of the U.S.-based C&C servers and Microsoft’s work to snatch control of the domains Rustock coded to use for fallback communications prevented the botnet from updating itself.

That in turn provided room for antivirus to issue signatures for the existing Rustock malware and users the opportunity to scrub their systems with security software.

Microsoft provided Rustock signatures for its Malicious Software Removal Tool (MSRT), a free utility that detects and deletes malware, since 2008.

The take-down of Rustock’s communications channels effectively silenced the botnet.

Since March, the botnet — which was once one of the largest purveyors of spam, particularly pitches for fake drugs — has been quiet. “Botnet activity dropped abruptly to almost zero in mid-March following the take-down,” Microsoft said in its report.

Prior to the take-down, Rustock was capable of sending as many as 30 million spam messages daily.

Symantec said there was another botnet taking over where the other had left off. This botnet, called “Grum,” stepped in to take over where Rustock left off.