Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Russian Masterminds Ran Rustock Botnet, Microsoft Says

Forensic analysis of server hard drives points to Russian controllers and turns up email templates mentioning that old favorite, Viagra.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
Has your botnet gone missing? Microsoft has taken the unusual step of running advertisements in two Russian newspapers, alerting the owners of the Rustock botnet that they can attempt to reclaim their confiscated property. The move is part of Microsoft's efforts to identify and serve court summonses to the Rustock botnet masterminds.

"Based on evidence gathered in the case, we have reason to believe that the people behind the Rustock botnet either have operated or are operating out of Russia," said Richard Boscovich, a senior attorney in the Microsoft Digital Crimes Unit, in a blog post. "Consequently, we have placed advertisements in two mainstream Russian newspapers, the Delovoy Petersburg in St. Petersburg and Moscow's daily paper, The Moscow News."

In April, the U.S. District Court for the Western District of Washington instructed Microsoft to submit status updates about its efforts to put names to the "John Does" in its initial anti-Rustock lawsuit. That civil lawsuit, unsealed by the court in March, had alleged that John Does were "controlling a computer botnet and thereby injuring Microsoft and its customers."

Accordingly, Boscovich said that the advertisements "honor our legal obligation to make a good faith effort to contact the owners of the IP address and domain names that were shut down when Rustock was taken offline." The ads also designate a time and place where the botnet owners can argue their side of the case, as well as a related website, if they would rather argue their case remotely.

"Although history suggests that the people associated with the IP addresses and domain names connected with the Rustock botnet are unlikely to come forward in response to a court summons, we hope the defendants in this case will present themselves," he said.

What evidence does Microsoft have that the botnets were being run by people in Russia? According to court documents, Microsoft analyzed 20 seized hard drives from servers that ran Rustock, and found that they'd been used to access numerous websites based in Russia, including the Web-based email service mail.ru, as well as the free software downloading portal freesoft.ru. Another one of the drives had also been used to launch "cyber-attacks into Russian IP (Internet Protocol) space," according to the documents.

Microsoft said that it also had identified a specific WebMoney account that was used to pay for some command-and-control servers. According to the court documents, "WebMoney's records indicate that the owner of the WebMoney account is identified as a Vladimir Alexandrovich Shergin, associated with an address in Khimki, a city near Moscow." To date, however, Microsoft doesn't know whether this name is authentic, fake, or stolen.

The court documents also provide an interesting glimpse into how criminals create and manage botnets. For example, 18 of the seized hard drives used The Onion Router (better known as TOR) to give attackers anonymous access to the servers, as well as to give the servers anonymous access to the Internet. Microsoft also found "custom written software relating to assembly of spam emails and text files"--with one text file alone containing 427,000 harvested email addresses--as well as email templates relating to numerous pharmaceuticals, including Valium, Viagra, and Vicodin.

Microsoft is continuing to pursue botnet leads. For example, it's identified email addresses associated with the botnet masterminds, and is currently awaiting responses to subpoenas it's served to domain registrars and email hosting providers, which may help positively identify the owners of those email addresses.

Microsoft said it's also continuing to investigate "Cosma2k," which was the username associated with someone who signed up for multiple command-and-control servers. According to Microsoft, "this nickname has been associated with the several names: Dmitri A. Sergeev, Artem Sergeev, and Sergey Vladomirovich Sergeev."

Microsoft's use of a civil lawsuit to shut down a botnet was a novel legal strategy that earned it both praise and condemnation from various security, privacy, and legal experts, chiefly because Microsoft didn't just sue the botnet's unknown operators, but physically confiscated their equipment.

But Microsoft was also taking advantage of a rare opportunity. All of the physical servers that served as the Rustock command-and-control system were located--somewhat brazenly, on the part of the masterminds--at U.S. hosting sites. Accordingly, Microsoft gained a court order that enabled it, in conjunction with the U.S. Marshals Service, to physically seize those servers, knocking Rustock offline.

Industry watchers say that Microsoft's Rustock-busting strategy appears to have worked. A recent report from McAfee confirmed that the volume of Rustock traffic has decreased significantly.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...