How Microsoft Took Down Rustock: A Technical Perspective
Written by Paul Mah on March 24, 2011
As colleague Sue Walsh reported on Monday, Microsoft successfully brought down the Rustock botnet in a coordinated operation last week. The achievement is especially significant given Rustock's sheer size: it was estimated to comprise up to a million infected host computers and was believed to be responsible for billions of spam emails a day. Because the operation was unprecedented, colleague Ed Fisher followed up with a look at the legal recourse Microsoft's Digital Crimes Unit used to take Rustock offline.
Today, I hope to shed more light on the technical aspects of how Microsoft managed to take Rustock offline, and the role spam administrators can play in the fight against unsolicited emails.
Bots and Spam
As we know, bots are computers that have been remotely commandeered, either through security exploits or through Trojan software. An infected workstation appears normal on the surface, but it can be activated at any time to launch denial-of-service (DoS) attacks against targets on the Internet, or to send torrents of spam using a built-in SMTP engine. Some bots also pilfer existing SMTP configurations and passwords so that they can route their mail through legitimate servers.
Moreover, the more advanced bots usually incorporate update engines that allow them to obtain the latest upgrades or capabilities automatically. Antivirus software may not detect new bots, so beyond running it, the best way to identify an infected host is to monitor outgoing network traffic for suspicious activity.
Managing the Botnet
Managing the bots in a botnet requires a command-and-control node, or 'C&C' for short. Controlled by the hackers or spammers who assembled the botnet, the C&C disseminates instructions to the individual bots. This dependence on a C&C node is, however, an Achilles heel that, with enough expertise and time, can be used to bring down an entire botnet. As you might expect, hackers have steadily improved their methods to make this increasingly difficult.
One of the earliest methods was to relay instructions over IRC (Internet Relay Chat): each bot logged on to a predefined IRC server and channel when it came online. Such botnets were easy to take down with the help of the server operator, however, which led to the use of encrypted or obfuscated command channels. C&C nodes have since expanded to popular social networking sites, hacked servers, and even hosted servers paid for with stolen credit card numbers.
Even then, it remained possible to persuade providers to block these fixed accounts or to clean up hacked servers. The latest technique is harder to deal with: the bots are programmed to connect to domain names generated by a secret algorithm. This works well with country-specific domains under lax oversight, where names can be registered cheaply. Since the bot malware keeps trying new domains until one succeeds, servers that are overloaded or seized by the authorities are simply bypassed. This is also why a coordinated assault was needed to take down Rustock: had any bots succeeded in reaching a surviving C&C node, the operator could have pushed an update switching them to a new, unknown algorithm.
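To make the domain-generation idea concrete, here is an added example (not Rustock's actual algorithm, and not Microsoft's code) showing both sides of it: the bot derives a daily list of rendezvous domains from a secret embedded in the malware plus the current date and walks that list until a name resolves, while a defender who has recovered the algorithm runs the same function ahead of time to sinkhole or pre-register every name the bots will try. The secret, the TLDs, the list size and the resolver stand-in are all assumptions made for the illustration.

```python
"""Toy domain-generation algorithm (DGA) from both sides of the fight.

Added illustration, not Rustock's real algorithm or Microsoft's code. The bot
derives a daily list of candidate C&C domains from a secret baked into the
malware and the current date, then tries them in order until one resolves.
A defender who has recovered the algorithm (e.g. from a reverse-engineered
sample) computes the identical list in advance to block or sinkhole the names.
SECRET, TLDS and DOMAINS_PER_DAY are assumed values chosen for the example.
"""
import hashlib
from datetime import date, timedelta

SECRET = b"example-seed"            # assumed: shared secret embedded in the bot
TLDS = [".cn", ".ru", ".biz"]       # assumed: cheap TLDs of the kind the article describes
DOMAINS_PER_DAY = 8                 # assumed: candidate names generated per day


def generate_domains(day, secret=SECRET, count=DOMAINS_PER_DAY):
    """Deterministically derive the candidate C&C domains for a given day.

    Anyone holding the secret (operator or defender) obtains the same list.
    """
    domains = []
    for i in range(count):
        material = secret + day.isoformat().encode() + bytes([i])
        label = hashlib.sha256(material).hexdigest()[:12]  # 12 hex chars: a valid DNS label
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def bot_rendezvous(day, resolves):
    """Bot side: try the day's domains in order; return the first that resolves, else None.

    `resolves` stands in for a DNS lookup followed by a successful C&C handshake.
    """
    for name in generate_domains(day):
        if resolves(name):
            return name
    return None


def defender_blocklist(start, days):
    """Defender side: every name the bots will try over the next `days` days."""
    names = set()
    for n in range(days):
        names.update(generate_domains(start + timedelta(days=n)))
    return sorted(names)


if __name__ == "__main__":
    today = date(2011, 3, 16)
    # Constructed scenario: the operator has registered only the 6th name on today's list.
    live = {generate_domains(today)[5]}
    print("bot reaches:", bot_rendezvous(today, lambda n: n in live))

    # The defender precomputes a week of names and sinkholes them; the same lookup now fails.
    sinkholed = set(defender_blocklist(today, 7))
    print("names to sinkhole this week:", len(sinkholed))
    print("bot reaches after sinkhole:",
          bot_rendezvous(today, lambda n: n in live and n not in sinkholed))
```

The counter-measure only works because the defender recovered the algorithm; if the bots reach a live node first and receive an update carrying a new secret, the precomputed list is worthless. That is the practical reason a takedown of this kind has to be simultaneous rather than piecemeal.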
Taking down the botnet and the lesson for spam administrators
For Rustock, identifying the various C&C nodes and then corroborating the evidence took a year. Part of the effort involved working with multiple commercial and academic parties to convince the U.S. District Court for the Western District of Washington to authorize a coordinated seizure of hosted servers at disparate locations. Microsoft also teamed up with the Dutch High Tech Crime Unit to bring down parts of the botnet operating outside the U.S., and with CN-CERT to block future registrations of the relevant domains in China.
Clearly, a painstaking amount of work is required to take down large, advanced botnets. I would therefore urge spam administrators to make a concerted, proactive effort to stem spam at its source, instead of relying solely on spam filtering appliances and services. One measure is to monitor for suspicious or unusually high volumes of outbound traffic, such as workstations delivering mail directly to remote SMTP servers, which indicates compromised machines on the network. Another is to keep Internet-facing servers current with security patches and to implement egress filtering on LAN clients, so that potential bots can be identified and contained.
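The outbound-traffic monitoring recommended here, and the earlier point that watching outgoing traffic is the most reliable way to spot an infected host, can be turned into a simple triage routine. The following is an added example, not code from the article or from Microsoft, run over constructed firewall log lines in an assumed format: it flags LAN clients that fan out to many distinct destinations on TCP/25 (the direct-to-MX behaviour of a bot's built-in SMTP engine), exempting the authorised mail relay, and it lists the outbound SMTP connections that the egress policy allowed but should have denied. The relay address, log format and threshold are assumptions.

```python
"""Egress triage for spam bots over firewall logs (added example, constructed data).

Two checks a spam administrator can run against outbound-flow or firewall logs:
  1. SMTP fan-out: an internal host other than the mail relay contacting many
     distinct remote hosts on TCP/25 is behaving like a bot's built-in SMTP engine.
  2. Policy gaps: any outbound TCP/25 flow from a non-relay host that was ALLOWed
     shows the egress filter is incomplete.
The log format, the relay address and the threshold are assumed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not from the article). Assumed format:
# <timestamp> <ACTION> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2011-03-15T10:00:01Z ALLOW TCP 10.0.0.5:40001 -> 198.51.100.7:25
2011-03-15T10:00:02Z ALLOW TCP 10.0.0.5:40002 -> 198.51.100.8:25
2011-03-15T10:00:03Z DENY TCP 10.0.0.23:51234 -> 203.0.113.10:25
2011-03-15T10:00:03Z DENY TCP 10.0.0.23:51235 -> 203.0.113.11:25
2011-03-15T10:00:04Z DENY TCP 10.0.0.23:51236 -> 203.0.113.12:25
2011-03-15T10:00:04Z DENY TCP 10.0.0.23:51237 -> 192.0.2.44:25
2011-03-15T10:00:05Z DENY TCP 10.0.0.23:51238 -> 192.0.2.45:25
2011-03-15T10:00:05Z ALLOW TCP 10.0.0.23:51239 -> 192.0.2.80:443
2011-03-15T10:00:06Z ALLOW TCP 10.0.0.42:33000 -> 192.0.2.80:80
2011-03-15T10:00:06Z ALLOW TCP 10.0.0.42:33001 -> 203.0.113.50:25
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (TCP|UDP) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

MAIL_RELAYS = {"10.0.0.5"}   # assumed: the only host permitted to send SMTP outbound
MIN_DISTINCT_MX = 3          # assumed: distinct SMTP destinations before a client is flagged


def parse_flows(text):
    """Parse log lines into flow dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, proto, src, _sport, dst, dport = m.groups()
        flows.append({"ts": ts, "action": action, "proto": proto,
                      "src": src, "dst": dst, "dport": int(dport)})
    return flows


def smtp_fanout(flows, relays=MAIL_RELAYS):
    """Map each non-relay source to the set of distinct hosts it tried on TCP/25 (allowed or denied)."""
    fanout = defaultdict(set)
    for f in flows:
        if f["proto"] == "TCP" and f["dport"] == 25 and f["src"] not in relays:
            fanout[f["src"]].add(f["dst"])
    return fanout


def suspected_bots(flows, relays=MAIL_RELAYS, threshold=MIN_DISTINCT_MX):
    """(source, distinct_destinations) for hosts whose SMTP fan-out meets the threshold, largest first."""
    fan = smtp_fanout(flows, relays)
    hits = [(src, len(dsts)) for src, dsts in fan.items() if len(dsts) >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def policy_violations(flows, relays=MAIL_RELAYS):
    """Outbound TCP/25 flows from non-relay hosts that the egress filter let through."""
    return [f for f in flows
            if f["proto"] == "TCP" and f["dport"] == 25
            and f["src"] not in relays and f["action"] == "ALLOW"]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, n in suspected_bots(flows):
        print(f"suspected bot {src}: {n} distinct SMTP destinations")
    for f in policy_violations(flows):
        print(f"egress gap: {f['src']} reached {f['dst']}:25 despite not being a relay")
```

In the constructed data, 10.0.0.23 is flagged because the egress filter denied five direct-to-MX attempts in two seconds, which is exactly the signal the filter exists to produce; 10.0.0.42 is not flagged on volume, but its single allowed connection exposes a rule that needs tightening. Thresholds should be tuned to the site, and hosts that legitimately send mail must be added to the relay allowlist rather than left to trip the check.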
In a nutshell: Everyone needs to play a part in the fight against spam. Do you agree, or disagree?

I couldn’t agree more that the fight against spam is a joint effort. If a spam attack can be stopped at the source, this is a huge relief because it lowers the burden many times. Thanks for the detailed breakdown of how the operation succeeded.