Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: Rustock

    A Little Sunshine53 Comments
    16
    Apr 12

    Microsoft Responds to Critics Over Botnet Bruhaha

    Microsoft’s most recent anti-botnet campaign — a legal sneak attack against dozens of ZeuS botnets — seems to have ruffled the feathers of many in security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations.

    Since Microsoft announced Operation B71, I’ve heard from several researchers who said they were furious at the company for publishing data on a group of hackers thought to be behind a majority of the ZeuS botnet activity — specifically those targeting small to mid-sized organizations that are getting robbed via cyber heists. The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members).

    At the time, nobody I’d heard from with complaints about the action wanted to speak on the record. Then, late last week, Fox IT, a Dutch security firm, published a lengthy blog post blasting Microsoft’s actions as “irresponsible,” and accusing the company of putting its desire for a public relations campaign ahead of its relationship with the security industry.

    “This irresponsible action by Microsoft has led to hampering and even compromising a number of large international investigations in the US, Europe and Asia that we knew of and also helped with,” wrote Michael Sandee, Principal Security Expert at Fox IT. “It has also damaged and will continue to damage international relationships between public parties and also private parties. It also sets back cooperation between public and private parties, so called public private partnerships, as sharing will stop or will be definitely less valuable than it used to be for all parties involved.”

    Sandee said that a large part of the information that Microsoft published about the miscreants involved was sourced from individuals and organizations without their consent, breaking various non-disclosure agreements (NDAs) and unspoken rules.

    “In light of the whole Responsible Disclosure debate  [link added] from the end of Microsoft this unauthorized and uncoordinated use and publication of information protected under an NDA is obviously troublesome and shows how Microsoft only cares about protecting their own interests,” Sandee wrote.

    Given the strong feelings that Microsoft’s actions have engendered in the Fox IT folks and among the larger security community, I reached out to Richard Boscovich, a former U.S. Justice Department lawyer who was one of the key architects of Microsoft’s legal initiative against ZeuS. One complaint I heard from several researchers who believed that Microsoft used and published data they uncovered was that the company kept the operation from nearly everyone. I asked Boscovich how this operation was different from previous actions against botnets such as Rustock and Waledac.

    Boscovich: It’s essentially the same approach we’ve done in all the other operations. The problem that I think some people have is that due to the type of operation, we can’t have the entire community involved. That’s for several reasons. One is operational security. The bigger the number of people involved, the more likely is that is someone will make a mistake and say something that could jeopardize all of the work that everyone has done. Also, we’re making representations to a federal court that this is an ex-parte motion and very limited people know about it. If you have multiple people knowing, and the entire security community knows, let’s say we submit declarations from 30-40 people. A court may say, ‘Well there’s a lot of people here who know about this, so isn’t this information that’s already publicly available? Don’t these people know you’re looking at them already?’ We’re really asking for an extraordinary remedy: an ex-parte TRO [temporary restraining order] is a very high standard. We have to show an immediate threat and harm, ongoing, so much so that we can’t even give the other side notice that we’re going to sue them and take away their property.

    The other concern is more operational. When I was in the Justice Department — I was there for just shy of 18 years — we even compartmentalized operations there. Information was shared on a need-to-know basis, to make sure the operation would be a success and that there wouldn’t be any inadvertent leaks. It wasn’t because we didn’t trust people, but because people sometimes make mistakes. So in this operation, just like the others, we engaged with industry partners, academic partners, and some of those who wished to be open, and others who preferred to do things behind the scenes.

    Continue reading →

    A Little Sunshine / Pharma Wars26 Comments
    5
    Jan 12

    Pharma Wars: Mr. Srizbi vs. Mr. Cutwail

    The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.

    Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.

    Reactor Mailer Terms of Service, 2005

    Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”

    This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by  “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).

    That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program October 2010, but not before its affiliate database was stolen and also leaked online.

    BOTMASTER BATTLE

    SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.

    Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.

    The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.

    Continue reading →

    A Little Sunshine / Pharma Wars / The Coming Storm18 Comments
    22
    Aug 11

    Flashy Cars Got Spam Kingpin Mugged

    A Russian spammer suspected of maintaining the infamous Rustock spam botnet earned millions of dollars blasting junk email for counterfeit Internet pharmacies. Those ill-gotten riches let him buy flashy sports cars, but new information suggests that this attracted the attention of common street thugs who targeted and ultimately mugged the spammer, stealing two of his prized rides.

    BMW 530xi

    In March, I published a story linking the Rustock botnet to a spammer who used the nickname Cosma2k. This individual was consistently one of the top five moneymakers for SpamIt, which, until its closure last fall, paid spammers millions of dollars a year and was the world’s largest distributor of junk mail.

    Earlier this month, someone leaked thousands of online chat logs taken from Dmitry “SaintD” Stupin, a Russian who allegedly ran the day-to-day operations of SpamIt. Those records include numerous chat conversations allegedly between Stupin and a SpamIt affiliate named Cosma.

    In several chats, Cosma muses on what he should do with tens of thousands of compromised but otherwise idle PCs under his control. Throughout the discussions between Stupin and Cosma, it is clear Cosma had access to internal SpamIt resources that other spammers did not, and that he had at least some say in the direction of the business.

    Porsche Cayenne

    In one conversation, dated Oct. 14, 2008, Cosma allegedly tells Stupin that he’s dialed back his public image a few notches, after attracting unwanted attention from other crooks. The conversation below, translated from Russian into English, begins with a request from Cosma to withdraw funds from a SpamIt operating account.

    Cosma: Hey. May I withdraw some money from the account?

    Stupin: Surely you may.

    Stupin: Sorry, I was picking up my car from the service shop.

    Cosma: What got broken?

    Stupin: Someone threw a stone, when the car was parked near home.

    Cosma: Damn. What kind of car?

    Stupin: Volvo.

    Cosma: Fond of safety?

    Stupin: Yes, and I am at ease when I am driving it. It’s a huge difference after Honda :)

    Cosma: I also had enough of expensive rigs. =) They are getting stolen all the time and everyone is looking at you, estimating the score, and then rob you =) I have had such experience =)

    Continue reading →

    The Coming Storm6 Comments
    18
    Jul 11

    Microsoft Offers $250K Bounty for Rustock Author

    Microsoft said today that it is offering a $250,000 reward for new information leading to the arrest and conviction of the individual(s) responsible for the Rustock botnet, a now-defunct crime machine that was once responsible for sending 40 percent of all junk email.

    The bounty is the software giant’s latest salvo in its war on Rustock; Microsoft secured a major victory in March, when it worked with ISPs and security firms to launch a successful sneak attack against the botnet, knocking out its support infrastructure. Richard Boscovich, senior attorney for Microsoft’s digital crimes unit, said that although spam from Rustock-infected PCs has ceased, there are still hundreds of thousands of infected computers around the world to be cleaned of the botnet malware.

    Microsoft's Rustock notice in The Moscow News, June 14

    “This reward offer stems from Microsoft’s recognition that the Rustock botnet is responsible for a number of criminal activities and serves to underscore our commitment to tracking down those behind it,” Boscovich wrote in a post on the official Microsoft blog. “While the primary goal for our legal and technical operation has been to stop and disrupt the threat that Rustock has posed for everyone affected by it, we also believe the Rustock bot-herders should be held accountable for their actions.”

    Microsoft recently ran advertisements in major newspapers in Moscow and St. Petersburg, as part of a deal the company struck with a U.S. court to help dismantle Rustock; the court granted Microsoft dominion over the Rustock control servers and domains as long as the company made a “good faith” effort to notify the unidentified owners.

    Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.032 Comments
    1
    Jul 11

    Where Have All the Spambots Gone?

    First, the good news: The past year has witnessed the decimation of spam volume, the arrests of several key hackers, and the high-profile takedowns of some of the Web’s most notorious botnets. The bad news? The crooks behind these huge crime machines are fighting back — devising new approaches designed to resist even the most energetic takedown efforts.

    The volume of junk email flooding inboxes each day is way down from a year ago, as much as a 90 percent decrease according to some estimates. Symantec reports that spam volumes hit their high mark in July 2010, when junk email purveyors were blasting in excess of 225 billion spam messages per day. The company says daily spam volumes now hover between 25 and 50 billion missives daily. Anti-spam experts from Cisco Systems are tracking a similarly precipitous decline, from 300 billion per day in June 2010 to just 40 billion in June 2011.

    Spam messages per day, July 2010 - July 2011. Image courtesy Symantec.

    There may be many reasons for the drop in junk email volumes, but it would be a mistake to downplay efforts by law enforcement officials and security experts.  In the past year, authorities have taken down some of the biggest botnets and apprehended several top botmasters. Most recently, the FBI worked with dozens of ISPs to kneecap the Coreflood botnet. In April, Microsoft launched an apparently successful sneak attack against Rustock, a botnet once responsible for sending 40 percent of all junk email.

    Daily spam volume July 2010 - July 2011. Image courtesy Spamcop.net

    In December 2010, the FBI arrested a Russian accused of running the Mega-D botnet. In October 2010, authorities in the Netherlands arrested the alleged creator of the Bredolab botnet and dismantled huge chunks of the botnet. A month earlier, Spamit.com, one of the biggest spammer affiliate programs ever created, was shut down when its creator, Igor Gusev, was named the world’s number one spammer and went into hiding. In August 2010, researchers clobbered the Pushdo botnet, causing spam from that botnet to slow to a trickle.

    But botmasters are not idly standing by while their industry is dismantled. Analysts from Kaspersky Lab this week published research on a new version of the TDSS malware (a.k.a. TDL), a sophisticated malicious code family that includes a powerful rootkit component that compromises PCs below the operating system level, making it extremely challenging to detect and remove. The latest version of TDSS — dubbed TDL-4 has already infected 4.5 million PCs; it uses a custom encryption scheme that makes it difficult for security experts to analyze traffic between hijacked PCs and botnet controllers. TDL-4 control networks also send out instructions to infected PCs using a peer-to-peer network that includes multiple failsafe mechanisms.

    Continue reading →

    A Little Sunshine / Latest Warnings / Web Fraud 2.022 Comments
    28
    Mar 11

    Microsoft Hunting Rustock Controllers

    Who controlled the Rustock botnet? The question remains unanswered: Microsoft’s recent takedown of the world’s largest spam engine offered tantalizing new clues to the identity and earnings of the Rustock botmasters. The data shows that Rustock’s curators made millions by pimping rogue Internet pharmacies, but also highlights the challenges that investigators still face in tracking down those responsible for building and profiting from this complex crime machine.

    Earlier this month, Microsoft crippled Rustock by convincing a court to let it seize dozens of Rustock control servers that were scattered among several U.S.-based hosting providers. Shortly after that takedown, I began following the money trail to learn who ultimately paid the botnet controllers’ hosts for their services.

    According to interviews with investigators involved in the Rustock takedown, approximately one-third of the control servers were rented from U.S. hosting providers by one entity: A small business in Eastern Europe that specializes in reselling hosting services to shadowy individuals who frequent underground hacker forums.

    KrebsOnSecurity.com spoke to that reseller. In exchange for the agreement that I not name his operation or his location, he provided payment information about the customer who purchased dozens of servers that were used to manipulate the day-to-day operations of the massive botnet.

    The reseller was willing to share information about his client because the customer turned out to be a deadbeat: The customer walked out on two months worth of rent, an outstanding debt of $1,600. The reseller also seemed willing to talk to me because I might be able bend the ear of Spamhaus.org, the anti-spam group that urged ISPs worldwide to block his Internet addresses (several thousand dollars worth of rented servers) shortly after Microsoft announced the Rustock takedown.

    I found the reseller advertising his services on a Russian-language forum that caters exclusively to spammers, where he describes the hardware, software and connection speed capabilities of the very servers that he would later rent out to the Rustock botmaster. That solicitation, which was posted on a major spammer forum in January 2010, offered prospective clients flexible terms without setting too many boundaries on what they could do with the servers. A translated version of part of his message:

    “I am repeating again that the servers are legitimate, funded by us and belong to our company. To the datacenters, we are responsible to ensure that you are our client, and that you will not break the terms of use. Also, to you we are responsible to make sure that the servers are not going to be closed down because of credit card chargebacks, as it happens with servers funded with stolen credit cards. In conclusion, they do not have an abuse report center, they are suitable for legitimate projects, VPNs and everything else that does not lead to problems and complaints to the data center from active Internet users. Please, take it in consideration, so that nobody is pissed off and there is no bad impression from our partnership.”

    The reseller said he had no idea that his customer was using the servers to control the Rustock botnet, but he hastened to add that this particular client didn’t attract too much attention to himself. According to the reseller, the servers he resold to the Rustock botmaster generated just two abuse complaints from the Internet service providers (ISPs) that hosted those servers. Experts say this makes sense because botnet control servers typically generate few abuse complaints, because they are almost never used for the sort of activity that usually prompts abuse reports, such as sending spam or attacking others online. Instead, the servers only were used to coordinate the activities of hundreds of thousands of PCs infected with Rustock, periodically sending them program updates and new spamming instructions.

    The reseller was paid for the servers from an account at WebMoney, a virtual currency similar to PayPal but more popular among Russian and Eastern European consumers. The reseller shared the unique numeric ID attached to that WebMoney account — WebMoney purse “Z166284889296.” That purse belonged to an “attested” WebMoney account, meaning that the account holder at some point had to verify his identity by presenting an official Russian passport at a WebMoney office. A former law enforcement officer involved in the Rustock investigation said the name attached to that attested account was “Vladimir Shergin.” According to the reseller, the client stated in an online chat that he was from Saint Petersburg, Russia.

    Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.048 Comments
    21
    Mar 11

    Homegrown: Rustock Botnet Fed by U.S. Firms

    Aaron Wendel opened the doors of his business to some unexpected visitors on the morning of Mar. 16, 2011. The chief technology officer of Kansas City based hosting provider Wholesale Internet found that two U.S. marshals, a pair of computer forensics experts and a Microsoft lawyer had come calling, armed with papers allowing them to enter the facility and to commandeer computer hard drives and portions of the hosting firm’s network. Anyone attempting to interfere would be subject to arrest and prosecution.

    Weeks earlier, Microsoft had convinced a federal judge (PDF)  to let the software giant seize control of server hard drives and reroute Internet addresses as part of a carefully timed takedown of the Rustock botnet, which had long reigned as the world’s most active spam-spewing crime machine.

    In tandem with the visit to Wholesale Internet, Microsoft employees and U.S. marshals were serving similar orders at several other hosting providers at locations around country.  Microsoft’s plan of attack — which it spent about six months hatching with the help of a tightly knit group of industry and academic partners — was to stun the Rustock botnet, by disconnecting more than 100 control servers that the botnet was using to communicate with hundreds of thousands of infected Windows PCs.

    Only two of the control servers were located outside the United States; the rest operated from hosting providers here in the US, many at relatively small ISPs in Middle America.

    Concentrations of Rustock control networks.

    Microsoft was careful not to make any accusations that hosting providers were complicit in helping the Rustock botmasters; however, some of these control servers existed for more than a year, and most likely would have continued to operate undisturbed had Microsoft and others not intervened. Using data gathered by Milpitas, Calif. based security firm FireEye, which assisted Microsoft in the takedown, I was able to plot the location and lifetime of each control server (the map above is clickable and should let you drill down to the details of each control server; the raw data is here). The average life of each controller was 251 days — a little over eight months.

    Wholesale Internet’s Wendel said his organization takes action against any customers that appear to be violating the company’s terms of use or its policies. But he insisted that the visit by Microsoft and the marshals was the first time he’d heard that any of the 16 Rustock command and control servers were located on his network.

    “To be perfectly honest with you, we never heard of Rustock until Wednesday,” Wendel said in a phone interview last Friday. Wendel also said he  hadn’t heard anything about the problematic servers from either Spamhaus or Shadowserver, which allow ISPs and hosting providers to receive reports about apparent botnet control servers and bot infections on their networks. Both Shadowserver and Spamhaus dispute this claim, saying that while they certainly did not alert Wholesale to all of the problem Internet addresses that it may have had on its network, they filed several reports with the company over the past six months that should have given the company cause to take a closer look at its customers and systems.

    Continue reading →

    A Little Sunshine / Latest Warnings / Web Fraud 2.020 Comments
    5
    Jan 11

    Taking Stock of Rustock

    Global spam volumes have fallen precipitously in the past two months, thanks largely to the cessation of junk e-mail from Rustock – until recently the world’s most active spam botnet. But experts say the hackers behind Rustock have since shifted the botnet’s resources toward other money-making activities, such as installing spyware and adware.

    The decline in spam began in early October, shortly after the closure of Spamit, a Russian affiliate program that paid junk e-mail purveyors to promote Canadian Pharmacy brand pill sites. The graphic below, from M86 Security Labs, shows a sharp drop in overall spam levels from October through the end of 2010.

    Another graphic from M86 shows that spam from Rustock positively tanked after Spamit’s closure. Rustock is indicated by the pale blue line near the top of the graphic.

    Prior to the Spamit closure, Rustock was responsible for sending a huge percentage of all spam worldwide, M86 reported. But since Christmas Day, the Rustock botnet has basically disappeared, as the amount of junk messages from it has fallen below 0.5 percent of all spam, according to researchers at Symantec‘s anti-spam unit MessageLabs.

    Continue reading →

    A Little Sunshine / Pharma Wars / The Coming Storm11 Comments
    4
    Oct 10

    Spam Volumes Dip After Spamit.com Closure

    Spam trackers are seeing a fairly dramatic drop in junk e-mail sent over the past few days, specifically spam relayed by one of the world’s largest spam botnets – although security experts disagree on exactly which botnet may be throttling back or experiencing problems.

    According to M86 Security Labs, the volume of spam has dipped quite a bit, approximately 40 percent since the beginning of the month by the looks of the graphic the company publishes on its site (pictured at right).

    M86 says the decrease in spam is due to a rapid drop in activity from the Rustock botnet (see graphic below left), a collection of spam-spewing zombie PCs that experts say is responsible for relaying about 40 percent of all junk e-mail on any given day.

    The decline in spam volume comes at about the same time that the world’s largest spam affiliate program — spamit.com — said it would stop paying affiliates to promote its online pharmacy Web sites — on Oct. 1.

    Bradley Anstis, vice president of technical strategy for M86, said the most likely explanation is that the person(s) operating Rustock rented the botnet to a number of spamit.com affiliates, and many of those affiliates have not yet switched over to another pharmacy affiliate program.

    “To me, that’s the most logical explanation,” Anstis said. “The timing certainly hooks up well, because we started seeing this decline right around the first of October.”

    Continue reading →