March 25, 2011

Rustock Operation May Have Been Run By A Small Team

According to an early analysis, two or three people might have been behind the Rustock botnet.

The analysis, which follows raids to knock out the spam network, suggests that it was the work of a small team.

Rustock was made up of about one million hijacked PCs and employed a series of tricks to hide itself from scrutiny for years.

Global spam levels have dropped and remain relatively low since the raids on the network's hardware.

"It does not look like there were more than a couple of people running it to me," Alex Lanstein, a senior engineer at security firm FireEye, told BBC.

He said the character of the code inside the Rustock malware and the way the giant network was run suggested that a small team operated it.

That work by FireEye, Microsoft, Pfizer and others culminated on March 16 with simultaneous raids on data centers in seven U.S. cities that seized 96 servers which had acted as the command and control (C&C) system for Rustock.

Lanstein told BBC that hard drives from the servers had been handed over to a forensic firm that will use them to find clues as to the identity of the network's controllers.

He said the network operates on a franchise basis and involves different groups of cyber criminals.

Rustock was a tightly controlled network that brought with it many of the administration headaches suffered by any web-based business.

"They ran into a lot of problems with managing their assets and pushing updates out to a million user network," he said.

Lanstein said that Rustock was able to avoid being caught because of the way it was controlled.  Victims were captured when they visited websites that were seeded with booby-trapped adverts and links.

The servers controlling Rustock were located within hosting centers in the U.S. rather than overseas.

"By locating all the C&C servers in middle-America, not in major metropolitan areas, they were able to stay off the radar," Lanstein told BBC.

He said that hosting costs for the C&C systems were about $10,000 a month.

According to Lanstein, technical steps taken by Microsoft could limit any future attempt, adding that he was not sure they would even try.

"When you are a programmer and you realize that you have the full force of the Microsoft legal department pointed directly at you, then you might say to yourself its time to try something else," he told BBC.


On the Net: