Inside Operation b107: the Rustock Botnet Shutdown

FireEye gives the inside story of Operation b107, the Rustock botnet takedown...

LONDON, UK--(Mar 23, 2011)-- The Rustock botnet was at one stage responsible for more than half of the world's spam; its demise last week has cut global junk email levels significantly. It is made up of more than one million PCs that were infected over a period of years and remain infected, so it could still be reactivated if any backup control systems survive.

Microsoft's Digital Crimes Unit (DCU) has been taking increasing action against botnets over the last few years. As the Waledac botnet shutdown was being completed, the team moved on to the next botnet on their wish list, recruiting staff from malware specialist FireEye and researchers at the University of Washington.

"Rustock is a much higher class of malware development than Waledac," TJ Campana, senior program manager at the DCU, told V3.co.uk.

"It was very well put together and definitely well written, in that it was difficult to reverse engineer. The original programmers had put in a lot of software tricks to fool static analysis."

Static analysis examines the malware's code without running it; the team also used dynamic analysis, which involves running the sample in a virtualised environment and monitoring its behaviour and network traffic.

FireEye was tasked with collecting all of the samples for analysis and with monitoring the encrypted connections to the command and control servers. It found the spam engine used by Rustock was being sent out disguised as a Windows driver, and was installed like a legitimate piece of code.

The malware used hard-coded IP addresses and communicated with its command and control servers via peer-to-peer. These communications made it essential to find all of the botnet's command servers before acting, since removing just one would alert the owners that something was wrong without harming the botnet's operation.

"Any move on the connection had to be co-ordinated," Alex Lanstein, a security analyst at FireEye, told V3.co.uk.

"There were a number of backup systems, with domain generation algorithms to re-establish control if the principal signal was blocked. We had to make sure all those domains were blocked."
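The fallback mechanism Lanstein describes works because bots and operators share a secret algorithm that turns a date into a short list of rendezvous domains, so a defender has to enumerate and block every domain the algorithm will produce over the whole period the operators might try to fall back to. The following is an added illustration of that idea and is not Rustock's own algorithm: the seed, hashing scheme, TLD list and per-day count are constructed for the example only.

```python
"""Illustrative domain generation algorithm (DGA) and the defender's
pre-computation of its output.

Added example: this is NOT Rustock's algorithm.  SEED, TLDS, DOMAINS_PER_DAY
and the SHA-256-based scheme are constructed for illustration only; a real
family's parameters would be recovered by reverse engineering the sample.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

SEED = b"example-botnet-seed"        # constructed shared secret
TLDS = ("com", "net", "org")         # constructed TLD list
DOMAINS_PER_DAY = 8                  # constructed per-day count


def day_after(start_iso: str, offset: int) -> str:
    """Return the ISO date `offset` days after `start_iso`."""
    return (date.fromisoformat(start_iso) + timedelta(days=offset)).isoformat()


def generate_domains(day_iso: str, seed: bytes = SEED,
                     count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the rendezvous domains a bot would try on the given day.

    Bots and operators both know `seed`, so each side computes the same list
    with no communication; the operator need only register one of them ahead
    of time to regain control after the primary servers are removed.
    """
    domains = []
    for i in range(count):
        material = seed + day_iso.encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:12]                       # 12 hex chars as the host label
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start_iso: str, days: int, seed: bytes = SEED) -> set[str]:
    """Defender's view: every domain the bots will try from `start_iso` for
    `days` days.  Blocking only today's domains is not enough; the takedown has
    to cover the whole future window the operators could fall back to."""
    blocklist: set[str] = set()
    for offset in range(days):
        blocklist.update(generate_domains(day_after(start_iso, offset), seed))
    return blocklist


def fallback_would_succeed(attempted: list[str], blocklist: set[str]) -> bool:
    """True if at least one attempted domain is not covered by the blocklist,
    i.e. the operators could still regain control through it."""
    return any(d not in blocklist for d in attempted)


if __name__ == "__main__":
    start = "2011-03-16"
    blocklist = precompute_blocklist(start, 30)
    print(len(blocklist), "domains to block or sinkhole")
    # A bot waking up on day 10 finds every candidate already blocked.
    print(fallback_would_succeed(generate_domains(day_after(start, 10)), blocklist))  # False
    # Day 31 lies outside the pre-computed window: the fallback would succeed.
    print(fallback_would_succeed(generate_domains(day_after(start, 31)), blocklist))  # True
```

The last two lines are the check a takedown team cares about: the blocklist is only as good as the window it was computed for, so the enumeration has to run far enough ahead (and be refreshed) or the operators get a way back in on the first uncovered day.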

Unusually, almost all of the command and control servers found by the team were being leased from service providers in the US, with two more operating out of the Netherlands. Such servers are normally placed in countries with laxer data protection laws.

This gave Microsoft a chance to use US law against the spammers, and the company sued the unnamed owners of the botnet in the US District Court for the Western District of Washington. The court awarded Microsoft control of the servers for, among other things, fraudulent use of its trademark.

"The real gain is the legal precedent they set," Lanstein explained. "Never before has the court taken action against a third party in this way."

Once the team were confident they had all the information they needed, simultaneous raids took place with assistance from the US Marshals Service and the Dutch High Tech Crime Unit. However, far from kicking the doors in, Campana said the raids were designed to cause minimal disruption to the hosting companies' datacentres.

"This was not an action against hosting providers; we wanted minimal impact and took the bare minimum," he said.

"We were able to seize the hard drives of the servers we were after and replaced them with fresh hardware for the operator to reconfigure and reuse."

The hard drives are now being analysed further by the team to see what other information can be gleaned from them. Such knowledge will be used in further operations against other botnets.

It seems at this point that all the backup control systems in the Rustock botnet have been shut down, although both companies are monitoring traffic carefully. Nevertheless, there is still the problem of the sheer volume of systems still infected with the deactivated malware.

Campana said that while monitoring Rustock, the team detected 27 distinct pieces of malware being downloaded onto infected PCs, some of which could enrol the computer in other botnets.

"Those people still have a lot of things wrong with their computers," he said.

© Incisive Media Investments Limited 2011