Microsoft aids shutdown of Rustock spam net Published duration 17 March 2011

image caption Rustock's main business has been to send out offers of cheap pharmaceuticals

The sudden drop in activity of a major spam producer was the result of a large co-ordinated attack on spammers, it has emerged.

At 15:30 GMT on 16 March, a network of spam-producing computers, known as Rustock, suddenly stopped.

Raids on the network's infrastructure were triggered by a long-running investigation by Microsoft.

During raids, servers that acted as Rustock's command and control systems were seized.

In 2010, the Rustock botnet - a collection of infected machines - was the most prolific producer of spam on the internet, at its peak accounting for nearly half of all spam sent globally - some 200 billion messages a day.

Prolific spammer

Initially it was not clear that the network had been tackled by law enforcement because the volume of spam coming out of Rustock has fluctuated wildly recently.

Usually the spikes in activity last for 12 to 16 hours, Vincent Hanna of anti-spam group Spamhaus told BBC News.

"When Rustock stopped yesterday it was in mid-campaign," he said.

Writing on Microsoft's public policy blog Richard Boscovich , a senior attorney in the company's Digital Crimes Unit, said the raids effectively severed the link between the million or so drone computers in Rustock and the servers that control them.

Mr Boscovich said Rustock was a tough nut to crack because of the way it was organised. The swift seizure of servers should have denied Rustock's controllers any chance of simply shifting it to fresh machines, he said.

The hard drives gathered in the raid would be be analysed so investigators can learn more about the way it ran and who was behind it.

It said it would also work with ISPs to identify and clean up PCs that were unwitting participants in the Rustock botnet.

Take down

Disrupting the command and control infrastructure of a botnet is a Herculean task.

It requires the co-ordination of security groups with insight in to how the botnet operates, the participation of law-enforcement agencies, domain name registrars and internet service providers that can potentially be located in different time zones, said Paul Wood, a security researcher at Symantec.cloud.

"One of the problems for law enforcers is deciding when to take action," he said.

Once police know enough about a botnet to be able to take it down, they can collect an awful lot of intelligence about its owners, he added.

Previous attempts to take down botnets have enjoyed mixed success.

When security firm FireEye disabled the Mega-D botnet's command and control infrastructure in early November 2009, its owners were able to resume their activities within a month.

"Many of these botnets are run as businesses, so they have back-up plans in place," said Mr Wood.

Persistent menace

Often the infected computers that form a botnet are programmed to seek out websites where they can download new instructions, in the event that the command and control systems are breached.

"The botnet controllers can use legitimate websites - such as headlines from news sites - to identify where the new instructions can be found," said Mr Wood.

Despite the success, the spread of botnets looks set to continue, as cyber crooks grow increasingly sophisticated in their ability to infect machines.