Microsoft Corp. and federal law enforcement agents seized computer equipment from Internet hosting facilities in Chicago and other U.S. cities on Wednesday, in a sweeping legal attack designed to cripple the leading source of junk email on the Internet.
Microsoft launched the raids as part of a civil lawsuit filed in federal court in Seattle in early February against unnamed operators of the Rustock “botnet,” a vast network of computers around the globe infected with malicious software that allows its masterminds to distribute enormous volumes of spam, peddling everything from counterfeit software to pharmaceuticals.
That lawsuit was unsealed late Thursday by a federal judge, at Microsoft’s request, after company executives said they dealt a seemingly lethal blow to the botnet in their raids on Wednesday.
As part of that dragnet, U.S. marshals accompanied employees of Microsoft’s digital crimes unit into Internet hosting facilities in Kansas City, Mo.; Scranton, Penn; Denver; Dallas; Chicago; Seattle and Columbus, Ohio.
The Microsoft officials brought with them a federal court order granting them permission to seize computers within the facilities alleged to be “command-and-control” machines, through which the operators of the Rustock botnet broadcast instructions to their army of infected computers, estimated by Microsoft at more than one million machines worldwide.
Microsoft executives likened the action to a “decapitation” of the botnet, aimed at stopping the command-and-control computers from sending orders to their network of infected computers, which are typically owned by people who have no idea their machines are being harnessed by outsiders for spam. The Rustock botnet was the largest source of spam in the world at the end of last year, accounting for nearly half of all spam, security firm Symantec Corp. (SYMC) said in a blog post on Thursday.
“We think this has been 100 percent effective,” said Richard Boscovich, senior attorney in Microsoft’s digital crimes unit.
The defendants in Microsoft’s lawsuit are referred to simply as “John Does 1-11,” since the identities of the operators of the botnet aren’t yet known.
The move seemed to be largely effective at disabling its target, a prodigious source of spam that at times delivered billions of spam messages a day, many of them offering steep discounts on drugs like Viagra and Cialis, according to Microsoft. Symantec said in a blog post that Rustock ceased sending spam at around 11:30 a.m. eastern time on Wednesday, according to its junk email measurements.
That time is shortly after Microsoft’s action on the botnet commenced, according to Microsoft executives.
Microsoft doesn’t allege in its lawsuit that the Internet hosting companies knew that machines within their facilities were being used as part of Rustock. Microsoft said it confiscated dozens of hard drives and a handful of computers from the hosting providers as part of the raid. Most of the equipment was leased from afar by customers, some of whom listed addresses in Azerbaijan, according to Boscovich.
The move by Microsoft is the second time the company has employed novel legal tactics to target a botnet; such networks are often rented out by their operators to purveyors of spam and malware. In February 2010, a federal judge okayed a request by Microsoft to seize control of hundreds of Internet addresses that were allegedly being used to transmit commands to a botnet known as Waledac. That move was effective in knocking Waledac out of commission, according to Microsoft.
In its action against Rustock, Microsoft officials said they had to seize actual computer equipment connected to the botnet, rather than simply taking possession of Internet addresses. That’s because the masterminds behind Rustock designed their infected computers to receive instructions from Internet protocol addresses tied to specific command-and-control machines.
As a precaution, Microsoft also worked with the companies that provide Internet access to the hosting facilities where the machines were stored to prevent any communications with the Internet protocol addresses allegedly linked to the botnet.
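Because Rustock's infected machines were built to contact fixed IP addresses rather than domain names, the addresses themselves become the indicator a defender can act on: the upstream providers described above null-routed them, and a network operator can run the same check over its own firewall logs to find hosts that have been reaching the command-and-control machines. The following is an added illustration, not code from the article or from Microsoft; the blocked address ranges and the log lines are constructed placeholders in the RFC 5737 documentation ranges, not the real Rustock addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder networks (RFC 5737 documentation space). They stand
# in for the command-and-control addresses a court order or takedown notice
# would list; they are NOT the real Rustock addresses.
BLOCKED_CIDRS = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("198.51.100.77/32"),
]

# Constructed firewall log lines ("timestamp key=value ..."), illustrative only.
SAMPLE_LOG = """\
2011-03-16T15:20:01Z action=allow src=10.0.0.23 dst=203.0.113.9 dport=80 proto=tcp
2011-03-16T15:20:03Z action=allow src=10.0.0.23 dst=93.184.216.34 dport=443 proto=tcp
2011-03-16T15:21:10Z action=allow src=10.0.0.41 dst=198.51.100.77 dport=443 proto=tcp
2011-03-16T15:21:12Z action=deny src=10.0.0.41 dst=198.51.100.77 dport=443 proto=tcp
2011-03-16T15:22:00Z action=allow src=10.0.0.58 dst=203.0.113.200 dport=25 proto=tcp
malformed line that should be skipped
"""


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; return None if unusable."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        rec[key] = value
    return rec if "src" in rec and "dst" in rec else None


def is_blocked(ip_text):
    """True if ip_text parses as an address inside any blocked network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_CIDRS)


def find_c2_contacts(log_text):
    """Map each internal source host to the flows it sent toward blocked addresses.

    Returns {src: [(ts, dst, action), ...]} sorted by timestamp; denied flows are
    kept too, because a host that keeps trying is still infected.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_blocked(rec["dst"]):
            hits[rec["src"]].append((rec["ts"], rec["dst"], rec.get("action", "?")))
    return {src: sorted(flows) for src, flows in hits.items()}


if __name__ == "__main__":
    for src, flows in find_c2_contacts(SAMPLE_LOG).items():
        print(f"{src} contacted blocked address(es): {flows}")
```

Matching on CIDR blocks rather than exact strings matters here: a seizure order typically names a handful of addresses, but the hosting provider's adjacent addresses in the same allocation are often leased by the same customer, so an operator may choose to watch the surrounding block as well. The host in the sample that reached 203.0.113.200 is deliberately outside the blocked /28 and is not flagged.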
“This was the most complicated operation we’ve ever done,” said T.J. Campana, a senior program manager in Microsoft’s digital crimes unit.
In its complaint, Microsoft alleged that the operators of Rustock are violating Microsoft trademarks with spam that fraudulently claims Microsoft sponsorship of lotteries and other come-ons.
Microsoft has stepped up its efforts to combat botnets, in part because they have helped tarnish the company’s reputation among consumers. Botnets are formed by malicious code that often works by exploiting security vulnerabilities on computers running the company’s dominant Windows operating system.
Microsoft has conducted its past two botnet takedowns under seal, arguing to courts that secrecy was necessary to prevent the botnet operators from reprogramming their infected computers and destroying evidence. Boscovich, a former federal prosecutor, compared the secrecy involved in the action to civil cases where a judge allows a maker of fashion accessories to seize allegedly counterfeit merchandise without warning to prevent the destruction of the items.
Even with the secrecy, though, someone was able to remotely erase several hard drives containing data related to the botnet in a hosting facility in Columbus, after Microsoft’s seizure started, according to Boscovich.
Microsoft’s action hardly represents the end of spam, one of the great nuisances on the Web. Many more spam-sending botnets survive and new ones are being created all the time, formed through malware that infects the computers of unsuspecting users through email attachments, Web sites and other methods.
The defendants in the case can show up at a court hearing in less than a month to contest Microsoft’s allegations and to reclaim their computer equipment, something Microsoft executives say is unlikely to occur.
“I would love to have them at the hearing,” said Boscovich. “We have quite a few questions for them.”