from

The Microsoft Blog

U.S. Marshals seized hard drives and servers at Internet service providers in seven U.S. cities including Seattle, disconnecting most of the IP addresses that controlled the botnet, according to court documents.

The servers were removed as evidence and will be analyzed by Microsoft. Simultaneously, police carried out similar action in the Netherlands, where one Rustock server was located, Richard Boscovich, senior attorney in Microsoft’s Digital Crimes Unit, said in a phone interview.

“It’s is one of the largest,” Boscovich said of the Rustock botnet. “At any time, it’s one of the top two sending spam.”

On a good day, Rustock was capable of sending 30 billion spam e-mails per day.

A botnet is a network of everyday computers – like yours and mine – that are infected with malware, hijacking the system and sending out thousands of spam e-mails per day without the user’s knowledge. In the case of Rustock, Microsoft researchers found that just one infected computer was able to send out 7,500 spam messages in 45 minutes – or as many as 240,000 e-mails a day.

Boscovich estimated there are more than 1 million computers worldwide infected by Rustock malware.

These infected PCs are controlled by a botnet control computer, or “bot herder.” Through the courts, Microsoft was able to shut down the bot herder’s connections to the majority of Rustock-infected computers. That means the command computer was no longer able to tell infected computers what to do, though it’s nearly impossible to sever all communication.

Your computer could be infected without your even knowing it. Computers compromised by Rustock malware are still infected and need cleaning.

Microsoft made this graphic of how a botnet functions after taking down Waledac in February. Click to enlarge. 

The legal tactic Microsoft used this week is different from the one Microsoft used to take down Waledac last year. For Waledac, Microsoft convinced a judge to issue restraining orders on more than 250 Web domains that controlled Waledac; the courts affirmed that strategy in September.

Rustock, on the contrary, was controlled via IP addresses on dozens of hard drives and servers, Boscovich said. On Wednesday, as part of a Microsoft trademark-infringement lawsuit, a U.S. District Court judge in Seattle ordered the seizure of equipment located in Seattle, Kansas City, Denver, Chicago, Dallas, Scranton, Pa., and Columbus, Ohio. An additional server was located in Holland.

The raids were conducted under the Lanham Act, which prohibits trademark infringement and counterfeiting. It’s the same law used for seizures of counterfeit handbags, for example – in a recent case, Seattle police seized 40,000 counterfeit products such as sunglasses, basketball shoes and designer handbags.

“We used that same concept except applied it to cyberspace,” Boscovich said.

Microsoft said it also worked with security experts at the University of Washington, network-security company FireEye, and pharmaceuticals company Pfizer.

Much botnet spam includes advertisements for bogus pharmaceuticals. As part of the legal process, Pfizer purchased some of the counterfeit drugs and found that many contained incorrect dosages or harmful ingredients such as pesticides, floor wax and lead-based paint.

“There’s a huge public safety angle to this,” Boscovich said.

This sample spam e-mail sent by the Rustock network advertises counterfeit pharmaceuticals as the real thing – for cheap. Click to enlarge. 

Many e-mails also include financial scams and counterfeit products. Microsoft also had interest in the case because many Rustock spam e-mails abused its “Microsoft” and “Hotmail” trademarks, he said.

Such take-down operations require high coordination and secrecy, John Bambeneck, a member of the SANS global Internet monitoring service, told The Wall Street Journal. “They all had to have been taken down simultaneously or they would have noticed and been able to react,” he told the WSJ’s Digits blog.

“This is essentially the beginning of the case,” Boscovich said. Now, attorneys will attempt to notify defendants – heretofore known as John Does – and a hearing will be held in about 20 days, he said.