Microsoft fingers Russians over Rustock spam botnet


Essential Member
The Rustock botnet, taken down earlier this year in a Microsoft-led action, appears to have been operated by Russians according to evidence collected by the company.

Court action by Microsoft saw the Rustock botnet taken offline in March, causing an almost immediate drop in global spam volumes. The Rustock action was unusual in that Microsoft made claims not only of spamming, but also of trademark infringement. Trademark infringement allows the wronged party to seize the property of the infringer, and it is this seized property—specifically, hard disks used in the botnet's command and control servers—that has enabled the company to determine who was responsible for the network.

In a status report, Microsoft described the results of its forensic examination of the disks. Templates for Viagra, Vicodin, and Valium spam, spam-generating software, and hundreds of thousands of e-mail addresses were all found. One system showed evidence of the use of a number of Russian Web sites, including Web mail provider and free software portal. Other seized disks showed signs that they had been used as nodes in the TOR anonymous proxying system.

More significantly, Microsoft found e-mail addresses that appear to have been used in the testing and setting up of the botnet—e-mail addresses that the company is now attempting to trace.

The seized disks are not the only thing that Redmond has been analyzing. Subpoenas have been served to the domain registrars used to register the domains used to control the network, and the e-mail providers used by the botnet's owners in correspondence with the registrars. Though most of the payments were found to use stolen credit cards, the company says that further e-mail addresses were identified, and it is following up these leads.

The company is also investigating the hosting arrangements of the command and control servers themselves. The report says that some of the hosting used for the servers was paid for by a specific Webmoney account. Webmoney is an online payment system widely used in Russia. According to Webmoney, the account in question belongs to Vladimir Alexandrovich Shergin, with an address in Khimki, a city near Moscow. The investigators are currently attempting to discover if this person is real, and if so, whether he has had his identity stolen or is genuinely involved in the botnet.

A person with the nickname Cosma2k has also been associated with the command and control servers; Microsoft has associated this nickname to a number of real names, and is following up on this lead too.

The status reports are a condition of the injunction and seizure authorization the courts initially gave the company. In addition to being filed with the court and published online, the company has also sent all the relevant status reports, summonses, and court orders to the various e-mail addresses identified during the course of the investigation. The company notes, however, that "Since the entry of the preliminary injunction, to date, neither Microsoft nor Microsoft's counsel have received any communication from any Defendant associated with the Rustock botnet."

Source: Microsoft fingers Russians over Rustock spam botnet


Essential Member
The new Operation Barbarossa

Software empire Microsoft is pushing into Russia in search of the botnet herders who set up Rustock.

The outfit has placed quarter-page notifications in two Russian newspapers, which are required as a legal formality for its ongoing lawsuit in the US against operators of Rustock.

The advertisements notify the unnamed defendants in the legal suit and give them an opportunity to make their case, in the US court.

It is extremely unlikely that anyone associated with Rustock would suddenly say, "I am being sued in the US, I must immediately go to the Land of the Fee and allow myself to face some of the sharpest and most expensive lawyers money can buy."

Microsoft filed a lawsuit in the US District Court for the Western District of Washington against 11 unnamed defendants whom they are still trying to identify.

The adverts will run for a month in the Delovoy Petersburg newspaper, St. Petersburg, and in The Moscow News.

Writing in his bog, Richard Boscovich, a senior attorney with Microsoft's Digital Crimes Unit, said that history suggests that the people associated with the IP addresses and domain names connected with the Rustock botnet are unlikely to come forward.

However, he is really hoping that the defendants will emerge from the woodwork. If they do not, Microsoft will continue to pursue them, including within the Russian judicial system, if necessary, he added.

No one has been prosecuted yet for running Rustock, but the botnet remains nonfunctional, and the numbers of computers infected with its code continue to fall.

Microsoft has identified a Webmoney account that was used to fund some of Rustock. The owner of the account was identified as Vladimir Alexandrovich Shergin of Khimki, a city near Moscow. Microsoft is trying to find out if that information is true.

There was also a bloke who went by the nickname "Cosma2k" who signed up for equipment used for command-and-control servers. Cosma2k also used the names Dmitri A. Sergeev, Artem Sergeev and Sergey Vladomirovich Sergeev, Boscovich said.

