Vulnerabilities / Threats
3/18/2011
01:06 PM
50%
50%

Microsoft, Feds Knock Rustock Botnet Offline

Authorities confiscated equipment from seven Internet hosting facilities used by the botnet, which was responsible for much of the Viagra email spam on the Internet.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010
Microsoft and federal law enforcement authorities confiscated equipment from seven Internet hosting facilities across the United States on Wednesday, resulting in a takedown of the Rustock botnet.

Microsoft had filed a lawsuit in civil court against "John Does … controlling a computer botnet and thereby injuring Microsoft and its customers." The lawsuit was unsealed on Thursday by a federal judge, at Microsoft's request.

Richard Boscovich, senior attorney in the Microsoft Digital Crimes Unit (DCU), said in a blog post on Thursday that "the Rustock botnet was officially taken offline yesterday, after a months-long investigation by DCU and our partners, successful pleading before the U.S. District Court for the Western District of Washington, and a coordinated seizure of command and control servers in multiple hosting locations escorted by the U.S. Marshals Service."

The operation to bust Rustock, which infected an estimated one million computers, built on knowledge Microsoft gained when it took down Waledac last year. "Like the Waledac takedown, this action relied on legal and technical measures to sever the connection between the command and control structure of the botnet and the malware-infected computers operating under its control," said Boscovich.

Security firm FireEye and the University of Washington filed declarations of support for Microsoft's suit, as did drug-maker Pfizer, since the bulk of Rustock's spam purported to sell drugs such as the company's Viagra.

In Pfizer's declaration, Patrick Ford, senior director in the Americas region for Pfizer Global Security, said that investigations conducted by Pfizer in the U.S. and France procured drugs advertised as Viagra via spam emails. In both cases, the spam emails resolved to the same Web site: doctorroe.com. The procured samples, which were tested at Pfizer labs, turned out to be either counterfeit versions from China and Hong Kong, or unapproved, generic versions from India.

Rustock first went dark on Wednesday, a development first reported by security writer Brian Krebs .

While many botnets serve as conduits for enormous quantities of email spam, of late Rustock was the most prolific, at times generating 2,000 messages per second. "For the last year or so, Rustock has been the dominant source of spam in the world, by the end of 2010, accounting for as much as 47.5% of all spam," said Paul Wood, MessageLabs Intelligence senior analyst at Symantec, in a blog post. "At its peak it was responsible for more than half of all global spam."

But unfortunately, according to multiple security firms, Rustock's takedown didn't appear to impact global spam levels, which have remained steady, despite the takedown.

"The takedown of Rustock hasn't had much noticeable effect on the overall amount of spam tracked by MessageLabs Intelligence," said Wood on Thursday. "So far in fact, traffic looks normal."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?