Microsoft spelled out the results of its ongoing investigation into the Rustock botnet server hardware obtained by law enforcement in a status report submitted Monday to a federal judge. Operation b107 was the codename for the takedown of the huge Rustock botnet, responsible for sending as many as 30 billion spam messages a day. The takedown was backed by international warrants to seize command-and-control (C&C) servers.
Investigators found custom-written software for assembling spam emails, along with text files containing thousands of email addresses and username/password combinations used for spam dissemination. One text file alone contained over 427,000 email addresses.
Along with the email addresses, forensics experts also uncovered evidence that the criminals used stolen credit cards to purchase hosting and email services. Payments for the hosting of some of Rustock’s C&C servers were traced to a specific Webmoney account, and after Microsoft asked the Russian online payment service for help, the owner of that account was identified in a city 14 miles northwest of Moscow. The status report cautioned that this person might not be the actual purchaser of the C&C hosting services, and Microsoft is continuing to investigate.
Eighteen of the 20 drives obtained had been used as “Tor nodes” to provide the attackers with anonymous access to the Internet, and to the hijacked Windows PCs that made up the Rustock botnet. Tor hides the true endpoints of a connection by encrypting traffic and routing it through a network of relays maintained by volunteers in numerous countries. Tor is used by activists in nations where governments monitor or restrict web communication, and by hackers to thwart identification efforts.
If you believe your computer may be infected by Rustock or another type of malware, Microsoft encourages you to visit support.microsoft.com/botnets for free information and resources to clean your computer.