We hear all the time about defense when it comes to CyberCrime, and from time to time we do hear about federal cases where crimes are prosecuted. What we rarely hear about is the type of multi-national multi-agency collaborative effort in the last year that Microsoft has put together to bring down what was at one time the biggest source of spam. At its peak, the Rustock email spam network was spamming up to a reported 30 billion spam emails per day. Rustock’s self propagating Trojan-based botnet, was comprised of a base in excess of a reported two million infected Windows machines.

The disarming of the botnet has been an interesting study, starting with a first attempt to take out the command and control servers based in the San Jose web host service provider McColo in 2008.  McColo’s upstream providers Global Crossing and Hurricane Electric terminated the company’s services based on the reports of botnets and malware coming from McColo’s network. The event also affected the Srizbi botnet, one of the largest in the world. Transfer of control of the Rustock botnet is believed to have transferred to Russia, which had reported extensive ties to McColo, having hosted command and control servers, child pornography distribution, scam sites, bogus anti-malware sites and pretty much anything nefarious that can be hosted on the internet.

“Those two carriers were Global Crossing and Hurricane Electric. “We shut them down,” Hurricane tells the Post. “We looked into it a bit, saw the size and scope of the problem [washingtonpost.com was] reporting and said ‘Holy cow!’ Within the hour we had terminated all of our connections to them.” Yeah, holy cow. Apparently we’re to believe neither ISP noticed they were hosting a huge cyber-criminal conglomerate and master servers for five massive criminal botnets (“Mega-D,” “Srizbi,” “Pushdo,””Rustock” and “Warezov,”) until a reporter called.”

Earlier this year as reported here at SiliconAngle, Microsoft was at the center of a multiple entity effort now known as “Operation b107” -consisting of various internet service providers, software vendors, and the U.S. Marshal Service in an international sting effort that resulted in what was at the time a significant blow to the Rustock botnet network. The effort was executed by means of a trademark infringement lawsuit, giving the agencies the authority to seize the core systems at the center of the attacks. Recent reports indicate that Rustock has the potential to be resurgent to some degree, though its reach and effect somewhat diminished based on the number of still-infected endpoint systems. This is not an uncommon expectation as other botnets have risen from the ashes to some degree in the past.

Bounty and newspaper ads

In the meantime, Microsoft continues to engage in the discovery and prosecution against Rustock and its operators. Back in July, Microsoft put up a $250,000 bounty,  in tandem with ads appearing in Russian newspapers.

“Microsoft has already been gathering strong evidence in our ongoing investigation and this reward aims to take that effort a step further. We will continue to follow this case wherever it leads us and remain committed to working with our partners around the world to help people regain control of their Rustock-infected computers.”

The entities Microsoft declared to be seeking are known as “Cosma2k”. A part of the ad reads:

“You must appear in this case or the Plaintiff will win automatically “ (Google translated)

Referenced in the postings, is the PDF version of the federal motion that indicates “Cosma2k” – a person or persons apparently bought the numerous IP addresses that housed the command and control servers.

“the IP addresses associated with a number of the botnet command and control servers, including the most current, concentrated and active aggregation of servers, were all purchased by Defendants through the same hosting reseller in Baku Azerbaijan. Ramsey Decl… The reseller stated that the customer resided in Russia and is known to the reseller and in online forums under the nickname “Cosma2k.” … The reseller stated that Cosma2k speaks English and Russian and communicated only by instant messaging applications, such as ICQ. … The reseller explained that payment from Cosma2k either came from a particular “WebMoney” financial account or was transferred manually through an agent in Moscow. … Further investigation and discovery have uncovered a variety of different email addresses and names that have been used by Cosma2k.”

“This suggests that Cosma2k” is directly responsible for the botnet as a whole”

The latest reports have turned over the evidence in their case over to the FBI. It is believed that this will be the precursor to a criminal case. For now, the Microsoft bounty is reportedly still in effect, but tips are now being referred to the FBI.

Microsoft should definitely be commended for this extraordinary effort.  They could have stopped several stages ago.  They continue to aid in the cleanup of affected systems.  If the outcome should result in a successful prosecution, it could signal the beginning of a new day in the wild wild west. Demonstrating a successful cease of operation of one of the world’s most notorious botnets is a big, big start, demonstrating the prosecution of the people behind it would be a significant win and a message to would-be cybercrime operators.