21.07.11
Wanted Alive
By Tai Adelaja
|
Microsoft Corporation on Monday announced a bounty of $250,000 for any information leading to the arrest of the operators behind the notorious Rustock botnet, believed to have originated in Russia. The Rustock botnet – a network of private computers infected with malicious software and controlled as a group without the owners' knowledge – is believed to be one of the world's biggest zombie networks. Before it was taken down in March, the Rustock network was supposedly sending more than 30 billion spam mails every day and pushing illegal advertisements for drugs and software.
Microsoft said it is offering the reward in order to determine the identities of those behind the botnet, but some experts have expressed skepticism, saying that the software behemoth may be embarking on what could turn out to be a wild-goose chase. “Microsoft Corporation is offering a $250,000 reward for any new information that results in the identification, arrest and criminal conviction of whoever is responsible,” Microsoft said in a notice.
Microsoft has taken this road before, but until 2004, when the German police arrested an 18-year-old man suspected of creating the "Sasser" computer worm, many believed that the premium would not be paid and the criminals would not be captured, said Alexander Gostev, a senior virus analyst at the Moscow-based Kaspersky Lab, a world leader in preventing online attacks. “In general, there is a good chance that Microsoft will get a bounty call on the criminals," Gostev said. “However, the offers of a bounty also indicate that neither Microsoft nor the law enforcement agencies have been able to identify the offenders.”
Microsoft said it has decided to zoom in on Russia because evidence collected by the company so far indicates that those who run the Rustock botnet are based in Moscow or St. Petersburg. "Based on evidence gathered in the case, we have reason to believe that the people behind the Rustock botnet either have operated or are operating out of Russia," said Richard Boscovich, a senior attorney in the Microsoft Digital Crimes Unit, in a blog post.
The smoking gun includes details retrieved from 20 hard drives seized in March from servers that ran Rustock. Analysis of the drives shows that they had been used to access numerous Web sites based in Russia, including the Russian Internet company Mail.Ru and the free software download portal freesoft.ru. Microsoft said it had also identified a specific WebMoney account that was used to pay for some command-and-control servers linked to Rustock. "WebMoney's records indicate that the owner of the WebMoney account is identified as Vladimir Alexandrovich Shergin, associated with an address based in Khimki, a town near Moscow," according to the court documents. Microsoft said it does not know whether this name is authentic, fake, or stolen.
In what experts say amounts to a novel legal strategy, Microsoft filed a civil lawsuit to shut down the botnet in a U.S. court in March. The software giant alleged that "John Does" had taken control of the computer network, causing damages to the company and its customers. Armed with a court order, Microsoft and other software vendors teamed up with federal law enforcement agents in March to seize the physical servers and computer equipment that served as Rustock's command-and-control system, located at U.S. hosting sites. However, in April, the U.S. District Court for the Western District of Washington instructed Microsoft to submit status updates about its efforts to put names to the "John Doe" faces in its initial anti-Rustock lawsuit.
Last month, Microsoft took the unusual step of publishing notices in two Russian newspapers, the Delovoy Petersburg in St. Petersburg and Moscow's daily paper, Moskovskie Novosti, alerting the owners of the Rustock botnet that they can attempt to reclaim their confiscated property. Boscovich said that the advertisements honor Microsoft’s “legal obligation to make a good faith effort to contact the owners of the IP address and domain names that were shut down when Rustock was taken offline.” The ads also designate a time and place where the botnet owners can argue their side of the case, as well as a related Web site, if they would rather argue their case remotely.
But Microsoft has also been pursuing other leads, including E-mail addresses associated with the botnet masterminds, Mathew J. Schwartz wrote in InformationWeek. The software behemoth is currently awaiting responses to subpoenas it has served to domain registrars and E-mail hosting providers, which may help to positively identify the owners of those E-mail addresses, Schwartz said.
Experts estimate that up until March of this year, the Rustock network was responsible for up to half of all the spam on the Internet. Besides accounting for a sizable portion of the world's spam, Rustock was responsible for a number of other crimes as well, including advertising counterfeit or unapproved versions of pharmaceuticals, such as Valium, Viagra, and Vicodin. It also allegedly violated the trademarks of the pharmaceutical manufacturer Pfizer and software maker Microsoft. While countries with large numbers of Internet users are generally vulnerable to botnet attacks, spam botnets such as Rustock are aimed primarily at users in the United States and Western Europe, Gostev said. Last year, Rustock was responsible for more than 44 billion spam E-mails per day, had more than one million bots under its control, and accounted for as much as 47.5 percent of all spam, according to Symantec's MessageLabs Intelligence.
So far, physically taking down spam-sending networks appears to be the only effective remedy against malicious botnets like Rustock. "The closures of Pushdo/Cutwail and Bredolab botnets last year led to a significant decline in their activities," Gostev said. "After closing Rustock in March 2011, there was also a marked decrease in spam traffic." But Microsoft believes that a significant effort is still required to undo the serious damage left in its tracks by Rustock. "Although the Rustock botnet infection base has been cut in half in the short time since the takedown, there are still hundreds of thousands of infected computers around the world yet to be cleaned of the botnet malware," Boscovich said.