Microsoft turns to FBI in hunt for Rustock ringleader
Targets Cosma2k after botnet victory
Microsoft lawyers have sealed their victory over the operators of what was once the world's biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.
The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.
Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.
According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.
“This suggests that 'Cosma2k' is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.
In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.
The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.
In June prosecutors declared victory in the case.
Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft's determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®