On Monday, July 18th, Microsoft, like a sheriff in the Old West, offered a $250,000 reward for information leading to the arrest and conviction of the person or group behind the Rustock botnet. The reward was advertised in two Russian newspapers, since the evidence suggests that the operators are Russian or Ukrainian. Microsoft only puts out rewards when it believes they are likely to turn up evidence leading to an arrest, and it wants to use the tips to confirm leads it already has. An arrest would also help the effort to clean the malware off the thousands of infected computers that made up Rustock and were used to send up to 30 billion spam emails a day.
Microsoft had previously taken down the Waledac botnet, but Rustock's infrastructure was more complicated: it relied on hard-coded IP addresses rather than domain names and peer-to-peer command and control servers, so the takedown meant seizing the servers themselves rather than taking over domain names. To take Rustock offline, Microsoft first gathered evidence with the help of the U.S. Marshals, policing the web much as the marshals once policed the West, and planned the seizure so that the bot could not quickly shift to new infrastructure. Then, on March 16th, after rounding up a posse of security researchers from FireEye, computer scientists from the University of Washington, U.S. federal law enforcement, and international law enforcement such as the Dutch High Tech Crime Unit, Microsoft seized Rustock's command and control servers and cut the bots off from the IP addresses that controlled them.
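The design point above, hard-coded IP addresses rather than domain names, is what a takedown team looks for first: if the addresses sit in the binary, there is a fixed list of servers to seize. As an added example (not code from Microsoft, FireEye, or the original article), the Python scanner below pulls candidate command-and-control addresses out of a binary blob, both as dotted-quad strings and as packed 32-bit values in either byte order, and drops ranges that cannot be a public server. The sample blob is constructed for the example and uses RFC 5737 documentation addresses; it is not a Rustock sample, and the filtering heuristics are this example's own choices.

```python
import ipaddress
import re
import struct

# Ranges that cannot be a reachable C2 server. A 4-byte window landing in one
# of these is noise from scanning arbitrary bytes, not infrastructure to seize.
IGNORED_NETWORKS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Dotted quad not glued to other digits or dots (so "1.2.3.4.5" is rejected).
DOTTED_QUAD = re.compile(
    rb"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")


def is_plausible(addr: ipaddress.IPv4Address) -> bool:
    """True if the address could be a server on the public Internet."""
    return not any(addr in net for net in IGNORED_NETWORKS)


def find_hardcoded_ips(blob: bytes) -> dict:
    """Return {dotted_quad: [(offset, encoding), ...]} for every candidate.

    Encodings: 'ascii' for a dotted-quad string, 'be' for a big-endian
    (network order) in_addr, 'le' for a little-endian one.
    """
    found: dict = {}

    def add(addr, offset, enc):
        if is_plausible(addr):
            found.setdefault(str(addr), []).append((offset, enc))

    # 1. Dotted-quad strings such as b"192.0.2.10".
    for m in DOTTED_QUAD.finditer(blob):
        octets = [int(g.decode()) for g in m.groups()]
        if max(octets) <= 255:
            add(ipaddress.IPv4Address(".".join(map(str, octets))), m.start(), "ascii")

    # 2. Packed 32-bit values at every byte offset, in both byte orders.
    #    This pass is noisy by nature; the printable-text check below removes
    #    the most common false positives (four ASCII letters read as an address).
    for off in range(len(blob) - 3):
        chunk = blob[off:off + 4]
        if all(0x20 <= b < 0x7F for b in chunk):
            continue
        for enc, fmt in (("be", ">I"), ("le", "<I")):
            add(ipaddress.IPv4Address(struct.unpack(fmt, chunk)[0]), off, enc)

    return found


# Constructed stand-in for a bot binary (not a real sample). It carries one
# ASCII address, one network-order packed address, one little-endian packed
# address, a 0.0.0.0 placeholder and a private-range string; only the first
# three should survive filtering.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"                                       # fake header
    + b"connect 192.0.2.10:443\x00"                                     # ASCII dotted quad
    + struct.pack(">I", int(ipaddress.IPv4Address("198.51.100.7")))    # big-endian in_addr
    + b"\xff\xfe"
    + struct.pack("<I", int(ipaddress.IPv4Address("203.0.113.250")))   # little-endian value
    + b"\x00\x00\x00\x00"                                               # 0.0.0.0, filtered
    + b"version 10.0.1.2\x00"                                           # RFC 1918, filtered
)

if __name__ == "__main__":
    for addr, where in sorted(find_hardcoded_ips(SAMPLE_BLOB).items()):
        print(addr, where)
```

Against a real sample the packed-value pass still produces stray hits, so a practitioner would rank candidates by how many encodings and offsets agree, and confirm the survivors by watching the bot's network traffic before asking for a seizure order.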
Still, some of the threat remains. The thousands of computers once controlled by Rustock are still riddled with malware, and Microsoft is now working with Computer Emergency Readiness Teams (CERTs) and Internet service providers worldwide to help clean infected machines. There is also evidence that the originators of Rustock are trying to rebuild their network by distributing more malware, which is part of the reason Microsoft put out the reward for information that can stop them. Most importantly, however, through the criminal case against the still-anonymous originators of the botnet, the security research that exposed Rustock's command and control servers, and the model of cooperation used in the takedown, Microsoft hopes to build a framework against cybercrime that will help make the web a little less wild.