Major spam network shut down

By Dow Jones Newswires-Wall Street Journal
Posted March 18 at 5:49 a.m.

Microsoft Corp. and federal law enforcement agents seized computer equipment from Internet hosting facilities in Chicago and other U.S. cities on Wednesday, in a sweeping legal attack designed to cripple the leading source of junk email on the Internet.

Microsoft launched the raids as part of a civil lawsuit filed in federal court in Seattle in early February against unnamed operators of the Rustock “botnet,” a vast network of computers around the globe infected with malicious software that allows its masterminds to distribute enormous volumes of spam, peddling everything from counterfeit software to pharmaceuticals.

That lawsuit was unsealed late Thursday by a federal judge, at Microsoft’s request, after company executives said they dealt a seemingly lethal blow to the botnet in their raids on Wednesday.

As part of that dragnet, U.S. marshals accompanied employees of Microsoft’s digital crimes unit into Internet hosting facilities in Kansas City, Mo.; Scranton, Penn; Denver; Dallas; Chicago; Seattle and Columbus, Ohio.

The Microsoft officials brought with them a federal court order granting them permission to seize computers within the facilities alleged to be “command-and-control” machines, through which the operators of the Rustock botnet broadcast instructions to their army of infected computers, estimated by Microsoft at more than one million machines worldwide.

Microsoft executives likened the action to a “decapitation” of the botnet, aimed at preventing the command-and-control computers from sending orders to their network of infected computers, which are typically owned by people who have no idea their machines are being harnessed by outsiders for spam. The Rustock botnet was the largest source of spam in the world at the end of last year, accounting for nearly half of all spam, security firm Symantec Corp. (SYMC) said in a blog post on Thursday.

“We think this has been 100 percent effective,” said Richard Boscovich, senior attorney in Microsoft’s digital crimes unit.

The defendants in Microsoft’s lawsuit are referred to simply as “John Does 1-11,” since the identities of the operators of the botnet aren’t yet known.

The move seemed to be largely effective at disabling its target, a prodigious source of spam that at times delivered billions of spam messages a day, many of them offering steep discounts on drugs like Viagra and Cialis, according to Microsoft. Symantec said in a blog post that Rustock ceased sending spam at around 11:30 a.m. eastern time on Wednesday, according to its junk email measurements.

That time is shortly after Microsoft’s action on the botnet commenced, according to Microsoft executives.

Microsoft doesn’t allege in its lawsuit that the Internet hosting companies knew that machines within their facilities were being used as part of Rustock. Microsoft said it confiscated dozens of hard drives and a handful of computers from the hosting providers as part of the raid. Most of the equipment was leased from afar by customers, some of whom listed addresses in Azerbaijan, according to Boscovich.

The move by Microsoft is the second time the company has employed novel legal tactics to target a botnet, the services of which are often rented out by their operators to purveyors of spam and malware. In February 2010, a federal judge okayed a request by Microsoft to seize control of hundreds of Internet addresses that were allegedly being used to transmit commands to a botnet known as Waledac. That move was effective in knocking Waledac out of commission, according to Microsoft.

In its action against Rustock, Microsoft officials said they had to seize actual computer equipment connected to the botnet, rather than simply taking possession of Internet addresses. That’s because the masterminds behind Rustock designed their infected computers to receive instructions from Internet protocol addresses tied to specific command-and-control machines.

As a precaution, Microsoft also worked with the companies that provide Internet access to the hosting facilities where the machines were stored to prevent any communications with the Internet protocol addresses allegedly linked to the botnet.

“This was the most complicated operation we’ve ever done,” said T.J. Campana, a senior program manager in Microsoft’s digital crimes unit.

In its complaint, Microsoft alleged that the operators of Rustock are allegedly violating Microsoft trademarks with spam that fraudulently claims Microsoft sponsorships of lotteries and other come-ons.

Microsoft has stepped up its efforts to combat botnets, in part because they have helped tarnish the company’s reputation among consumers. Botnets are formed by malicious code that often works by exploiting security vulnerabilities on computers running the company’s dominant Windows operating system.

Microsoft has conducted its past two botnet takedowns under seal, arguing to courts that secrecy was necessary to prevent the botnet operators from reprogramming their infected computers and destroying evidence. Boscovich, a former federal prosecutor, compared the secrecy involved in the action to civil cases where a judge allows a maker of fashion accessories to seize allegedly counterfeit merchandise without warning to prevent the destruction of the items.

Even with the secrecy, though, someone was able to remotely erase several hard drives containing data related to the botnet in a hosting facility in Columbus, after Microsoft’s seizure started, according to Boscovich.

Microsoft’s action hardly represents the end of spam, one of the great nuisances on the Web. Many more spam-sending botnets survive and new ones are being created all the time, formed through malware that infects the computers of unsuspecting users through email attachments, Web sites and other methods.

The defendants in the case can show up at a court hearing in less than a month to contest Microsoft’s allegations and to reclaim their computer equipment, which Microsoft executives say is unlikely to occur.

“I would love to have them at the hearing,” said Boscovich. “We have quite a few questions for them.”


  1. CC Rider March 18 at 7:56 a.m.

    Way to go Microsoft! Thank you! Thank you! Thank you!
    Keep up the good work.
    It would also be good if there is a way to stop the spam from getting into blogs and comment forums…

  2. Hari March 18 at 10:10 a.m.

    When did Microsoft become a law enforcement agency? The way this article reads it sounds like they are currently on par with the FBI, NCIS, ATF, CGIS, etc.

  3. JerryH March 18 at 10:29 a.m.

    I’m glad Microsoft realizes this is a big problem and has lent its expertise to the FBI in tracking down these spammers. I hope they find the people responsible for the network and toss them in jail.

  4. JERRY March 18 at 10:38 a.m.

    Hey, someone has to do this. Our government sure isn’t doing anything. Go Microsoft. Keep using Bill’s money!

  5. Lee Farmington farmington NM March 18 at 10:44 a.m.

    Hope they got “Your computer has been infected”

  6. Lee Farmington farmington NM March 18 at 10:46 a.m.

    Hari when did MS become police? Just may have to

  7. mike March 18 at 10:56 a.m.

    The article presented this in a misleading way.

    The police performed a raid, not Microsoft.

  8. dorlorian March 18 at 1:07 pm

    US marshals performed the RAID; they had Microsoft folks with them to instruct them which servers needed to be taken off.

  9. JRPTOO March 18 at 3:41 pm

    MS initiated the legal proceedings as a civil suit, so actually did do the heavy lifting. They had the assistance of the US Marshals during the actual raid, as ordered by the court.

  10. phisheye March 18 at 4:29 pm

    Thank you Microsoft, maybe I will stop getting Viagra ads

  11. prook March 18 at 4:31 pm

    Hari, read the article again. “Microsoft alleged that the operators of Rustock are allegedly violating Microsoft trademarks with spam that fraudulently claims Microsoft sponsorships of lotteries and other come-ons.”

  12. Kimrod March 18 at 7:54 pm

    Microsoft has over and over and now over yet again given the public real service that makes our lives easier and leaves more money in our pockets, all in a clear-eyed and honest pursuit of their own best interest. Period.

  13. Reality March 18 at 8:02 pm

    well it didn’t stop my PC from getting a virus TODAY!

  14. cityguy March 19 at 3:19 a.m.

    They will just fire up a new CnC machine elsewhere. Spamming is $$$ for these clowns and it’s big business for the virus fighters. Neither would exist if they just patched the holes.

  15. Watcher March 19 at 11:32 a.m.

    Thanks MSFT! My SPAM is non-existent as of this shutdown. Nice work boys!

  16. Robert from Des Plaines March 19 at 1:35 pm

    Now hopefully the FBI, with MSN’s help, can go after the spammers from all over the world who keep sending emails telling me that they want to give me gazillions of money but need my help.