At its peak, the Rustock botnet could push out over 30 billion spam messages every single day. It consisted of over 1 million hijacked computers around the world, and appears to have been controlled by only a small team of about three individuals.
"It does not look like there were more than a couple of people running it to me," said Alex Lanstein, a senior engineer at security firm FireEye. Computers were hijacked when their users visited crafted malicious websites. Updates were pushed out regularly using custom written encryption. Updates were disguised to look like genuine discussion forum messages to evade detection by security firms scouring the web.
The servers found to be used to control the botnet were located in middle-America, not usually where you would expect to find them. Hosting costs would have ran up to $10,000 per month, but the operators are believed to have made many times that amount pushing out spam for fake pharmaceuticals.
Work done by Microsoft, FireEye and Pfizer culminated in the seizure of 96 command and control servers on March 16. Since the action, global spam levels dropped significant and continue to remain low. The operators of the botnet do not appear to have attempted to regain control over it either.
A forensic firm is now analyzing hard drives used in the command and control servers for clues as to the identities of the operators.
Written by: James Delahunty @ 25 Mar 2011 21:57
