How Operation b107 decapitated the Rustock botnet

[nsane.forums]

The Rustock botnet, responsible at its height for sending 30 billion spam e-mails a day, went silent last Wednesday. Its command and control servers, responsible for telling the millions of machines recruited into the network which spams to send, were taken offline. With the botnet now headless, the deluge of spam was halted.

Security researchers tracking spam production immediately noticed the drop in spam volume. But what they didn't know was why the botnet went silent. Rustock's spam output had declined before, only to bounce back. Was this latest drop a temporary hiatus as the botnet's operators prepared to unleash a new torrent of spam, or was it something more?

Botnets are large networks of PCs that have been infected with malware so that they can be controlled remotely. The malware gets onto the PCs either by exploitation of flaws—visiting a webpage that attacks a browser vulnerability, say—or simply through tricking people into running a trojan horse program that installs the malicious software. Once installed, most botnet malware then uses a rootkit—software that masks the visibility of malware on a system, making it invisible to the user and anti-malware software—to hide its presence and linger undetected.

The key feature of botnets is not malware or rootkits, however: it's command and control servers. Machines running the botnet software are not autonomous, independent entities. Rather, they are slaves, receiving orders from command and control servers. The instructions given to the slave machines are limited only by the imagination of the operator of the botnet, or "bot-herder." In practice, they tend to be limited to malware distribution—to recruit more systems into the network—spam distribution, and massive denial-of-service attacks. By dint of running on regular PCs, they can also be used to harvest account numbers, passwords, and other such information.

Rustock enters the scene

Beta versions of the Rustock malware first emerged in late 2005 or early 2006. Unlike many pieces of malware, Rustock was subtle. After infecting a machine it would lie dormant for five days, to avoid suspicion and make it harder to track down the infection source. It wasn't until the third version, Rustock.C, was released in summer 2006 that the network really began to grow. Thanks to a range of advanced rootkit techniques—complex encryption, disabling of debuggers, and a tendency to delete itself if it detected attempts to capture it—Rustock.C evaded detection for many months, with definitive detection and analysis not occurring until early 2008. By this time, hundreds of thousands of machines had been infected, with more to follow.

Though botnets are multipurpose, it's spam for which Rustock was best known. With a size conservatively estimated at 850,000 to 1 million machines, and some estimates as high as 2.4 million, Rustock wasn't the biggest botnet on the 'Net. But it was prolific. At its August 2010 peak, it was blamed for about 60 percent of the spam sent daily. Though this had waned since then, down to around five to ten percent of all spam sent, it was still a significant contributor to the global spam epidemic. Since its introduction, the network had experienced a number of quiescent periods—including a substantial drop in activity when ISP McColo was taken offline—but in the past it returned with a vengeance.

But not this time.

Bring on the guillotine

On Friday, the truth about this latest drop in Rustock activity emerged: the silencing of the botnet was the result of Operation b107, a Microsoft-led anti-botnet action. In a coordinated legal and technical attack on the botnet, US Marshals seized command and control servers from seven US cities (Kansas City, Scranton, Denver, Dallas, Chicago, Seattle, and Columbus), with two more servers seized overseas, and network providers cut off access to ranges of IP addresses used to control the network.

The result was that the hundreds of thousands of machines in the network were left with no source of instructions: no spams to send, no distributed denial-of-service attacks to perform, no new malware to distribute. The botnet's activity has dropped to zero.

Microsoft was not acting alone. Pharmaceutical firm Pfizer made a declaration in support of Redmond's legal action, as the spams being distributed advertised counterfeit Pfizer products—including, of course, Viagra—which carry risks such as improper dosing and incorrect active ingredients. The company was also joined by network security firm FireEye, and security experts from the University of Washington. Internationally, the Dutch High Tech Crime Unit within the Netherlands Police Agency also assisted with the dismantling of the command and control system, and Chinese security response organization CNCERT/CC assisted in blocking domain registration in China.

Microsoft's standing in the case stemmed from claimed license infringements—Rustock allows multiuser remote access to Windows clients in contravention of its license agreement—trademark infringement in the spam mail, and violations of the CAN-SPAM act, with much of the spam being sent via Hotmail. The company's suit was brought against 11 John Does described as controlling the botnet, and sought to obtain a temporary restraining order against the botnet owners and a seizure order to allow further evidence of wrong-doing to be acquired.

This is not the first botnet that Microsoft has brought down; last year, the company made a similar attack on the Waledac botnet. The primary tool in dismantling Waledac was the seizure of some 277 domain names that Waledac clients used to locate control servers.

With Rustock, Microsoft's legal approach differed somewhat. With Waledac, the company had no ability to seize control servers, giving it no ability to analyze their contents. The allegations of trademark infringement, however, change that situation: the Lanham (Trademark) Act includes specific provisions to seize infringing material, provisions capitalized on by Microsoft in this case.

Rustock's Achilles' Heel

The control servers are the weak point of any botnet. Early botnets used IRC servers to coordinate activity; each computer in the network would connect to an IRC network and join a particular channel, waiting for instructions. Due to scalability and firewall concerns—many organizations block access to IRC—this gave way to HTTP-based control systems. Botnet machines would connect to specially configured Web servers and download a new set of orders. To secure these control systems from attack, some networks have switched to encrypted HTTPS connections.

Though some networks use peer-to-peer communication to disseminate instructions (meaning that only a few machines within the network need to be able to reach the command and control systems), there must still be a way for the botnet's operators to inject their commands into the network in the first place. Disrupt these systems and the botnet can be brought down.

Though Waledac was defeated by seizure of domain names, a different course of action was needed for Rustock. Rustock didn't just use DNS to locate control servers; it also included a list of hard-coded IP addresses that it could fall back on. To kill off the botnet, all of these mechanisms had to be taken down simultaneously. Any delay in doing so would leave open the possibility that new domain names or IP addresses could be distributed, nullifying the efforts of Microsoft and law enforcement. To prevent the botnet's operators from getting wind of the operation, Microsoft's complaint and the supporting declarations were all filed under seal; since the seizures, Microsoft asked the court to unseal them, which on Friday it duly did.

Rustock's control infrastructure was a multi-tier system. The bot-herder communicated with a small main command tier. This tier in turn communicates with a larger set of command and control servers, and these servers then disseminate information to the infected machines at the lowest tier. Due to Rustock's use as a spam generator, the main thing that the command and control servers disseminated was spam templates. Outline e-mails for Viagra or 419 scams, typically, which the infected tier then used to generate billions upon billions of e-mails.

Though the middle tier is readily identifiable simply by monitoring infected machines, the highest tier is hidden from view. For this reason, it's this visible middle tier that Microsoft has gone after. The complaint lists about 100 IP addresses registered to US-based hosting companies that have been identified as command and control servers. The machines that have been seized will be analyzed for information about the highest tier—and perhaps even the identity of the bot-herders themselves. Many hundreds of DNS names have also been seized. Many more were purchased pre-emptively, to prevent their use by the bot-herders. This dual approach should leave the infected tier unable to receive any new orders and, perhaps most importantly, unable to download and install new versions of the malware with different server lists.

The botnet is, at least for now, headless.

It's not over yet

Though this action has interrupted the botnet for the time being, Rustock isn't quite dead and buried yet. The million or so infected machines remain in that state, with their owners most likely oblivious. Should the command and control servers be recommissioned, the now-dormant network will be able to spring back into life. The success of Microsoft's action depends on keeping the domain names and IP addresses down until the victim machines can be cleaned up. With Waledac the company obtained a permanent injunction, giving it permanent ownership of the domain names that botnet used to find command and control servers. A similar result with Rustock will result in long-term disruption of the network.

Disinfection is the bigger problem, however. By its very nature, botnet malware strives to be hard to detect. Users who don't know that they've been infected won't attempt to disinfect their machines, with only natural attrition and replacement likely to see them disconnected from the Internet—by way of comparison, the number of Waledac machines has dropped from around 80,000 to around 20,000 in the year since that network was taken down. This inability to resolve the infections makes it all the more important that the command and control systems remain inoperable.

The victories against the botnets are certainly welcome. Spam wastes the time, disk space, bandwidth, and money of everyone affected, and killing the botnets responsible for such a large proportion of spam undoubtedly benefits the Internet. But it remains an up-hill struggled for the good guys, with plenty of other botnets out there to fill our inboxes with what is at best drivel, and at worst outright dangerous.

View: Original Article