Analysis: Life after Rustock

Many security pros have been speculating about the impact of the Rustock botnet takedown. Microsoft revealed last week how it had worked with various organisations in bringing down the massive botnet and it appears spam levels have taken a big hit.

Symantec data showed spam volume on 17 March had fallen 40.4 percent when compared to a week earlier.

IBM said it saw a decline of between 35 and 40 percent in global spam levels and suggested it was likely the Rustock shut down would have a “sustained impact on the total volume of spam”.

Geographically, the US saw a huge fall in spam, largely because most of the servers Rustock relied on were based in the country.

Before the botnet’s takedown, the US was the second-highest source of spam, but following Microsoft’s successful operation, it fell to 15th as output fell by 74 percent. Britain saw its spam output fall by 54 percent.

Big Blue pointed out the reduction in spam was only around half as significant as the fall that occurred in the latter stages of 2010 when spammers appeared to take a holiday.

So what impact has the apparent death of Rustock had?

A new precedent

No one can be sure about the future of spam levels after this. Security researchers, no matter how adamant they are, can only hypothesise.

But the common belief is spam always rebounds and that is the likelier outcome.

In the short term, there is little doubt spam levels will remain low, and the geographic situation looks likely to be shaken up, given the US has fallen so sharply in the spam output ratings.

We’ll just have to wait and see what happens in the long term globally.

What’s really exciting about the assassination of Rustock though is the collaboration that went into it. You’d hope there would be a knock on effect, inspiring others to come together in the war against botnets.

The Rustock initiative started nine months ago and has taken until March to bring it down.

One company working alongside Microsoft in locating command and control centres was FireEye. The two would check in with each other every couple of weeks to share information, which was eventually used to get hold of the server locations before sending in the troops to seize them.

“When we were pretty satisfied that we had all the command and control servers, I think there were 96 in total, we started filing briefs with the court and started doing the legal angle,” said FireEye senior security researcher Alex Lanstein.

Furthermore, the legal process Microsoft and its partners had to go through could open up some fresh avenues for companies looking to join the botnet fight.

“There was no real precedence for this legal case,” Lanstein said.

“Microsoft was able to show a lot of damages both by brand - the spam messages being sent out were using the Microsoft brand – along with damages done to the Hotmail service. The actual Hotmail service was receiving millions of spam messages from the Rustock bot.”

Microsoft was able to determine what additional processing power it needed to deal with the botnet. This was then used as evidence of damages to the courts.

The court then decided to hand the criminal servers over to Microsoft as punitive damages. The tech giant can now do forensics on the servers, determine who was connecting into them and perhaps even locate the bot master.

“That’s a pretty unique legal perspective,” Lanstein added.

Given the various successes seen last year in making actual arrests, notably in the case of Mariposa, can we expect more here?

“If I were to put odds of 50/50 chance that there is an arrest made, or at least the intel is used to collaborate with other information and shared with a different case,” Lanstein added.

“All that’ll be forthcoming once they get hold of the hard drives and are able to do the forensics on them.”

As for a possible resurrection of the Rustock botnet, Lanstein believes that given the amount of money the bot master/masters would have made, and the pressure they will be under from Microsoft’s legal team, it’s unlikely the botnet will make a comeback.

So whilst the takedown might not make much of a dent to spamming in the long term, the collaborative and legal process that led to Rustock’s demise could set a precedent and spur on others to come together to fight those massive botnets that cause so much bother to web users across the world.

If you can take down the biggest spamming botnet ever, why can't you put an end to others?

This article originally appeared at itpro.co.uk