By Woody Leonhard
For years, Rustock stood as the largest generator of spam on the Internet: Symantec’s MessageLabs estimates the Rustock botnet pumped out 14 billion pieces of spam per day in March.
On March 16, a coordinated legal attack on Rustock, driven by Microsoft, cut the bot off at the knees. The total amount of spam worldwide dropped by one-third. But the pressure on the botnet isn’t off yet.
Remember the story of Eliot Ness and his dogged pursuit of Al Capone? In the end, J. Edgar Hoover and the Feds didn’t take Capone out in a stormy midnight raid or in a hail of Tommy-gun bullets. Capone got nailed by lawyers. A conviction on tax evasion put Big Al in jail for almost a decade and brought down his empire.
Although the person who masterminded Rustock isn’t in jail — hasn’t even been positively identified — the lawyers stopped him. They brought down his operation with a lasso made of motions, depositions, and court orders. And therein lies a tale.
Rustock, another special-purpose botnet
In my March 10 Woody’s Windows column, “ZeuS Trojan reinvents itself as bots rock on,” I talked about the ZeuS botnet, a hack-it-yourself kit sold with multilevel marketing techniques, aimed at pilfering financial information and delivering it into the hands of a franchisee. Rustock is almost as big as the ZeuS Trojan by some estimates, but it takes a mass-market approach.
As best as anyone can tell, Rustock was created and controlled by one individual or possibly by a very small group of individuals. Brian Krebs, in a phenomenal piece of investigative reporting, draws links to someone named “Vladimir Shergin.” For our purposes, let’s just call the creator and controller (or the group) “Vlad.”
Vlad reportedly started Rustock (also known as Spambot) five years ago as a fledgling botnet that installed rootkits on Windows XP PCs, primarily through infected e-mail attachments. Rustock was first identified in November 2005. It spread fairly quickly, but then the second major version (variously called, confusingly, Rustock.A or Rustock.B) hit in July 2006, and it took off.