Thursday, 17 March 2011

Spammers go silent mid-campaign

Rustock's main business has been to send out offers of cheap pharmaceuticals

The sudden drop in activity of a major spam producer looks to be the result of the largest co-ordinated action yet taken against a spam operation.

At 15:30 GMT on 16 March, a network of spam-producing computers, known as Rustock, suddenly stopped.

It also appears that the infrastructure needed to control the spam network has been disrupted.

Security researchers said that would make it the largest ever takedown of a cyber crime network.

In 2010, the Rustock botnet - a collection of infected machines - was the most prolific producer of spam on the internet, at its peak accounting for nearly half of all spam sent globally - some 200 billion messages a day.

The volume of spam coming out of Rustock has fluctuated wildly recently, so sudden drops in activity are not uncommon.

But usually, the spikes in activity last for 12 to 16 hours, Vincent Hanna of anti-spam group Spamhaus told BBC News.

"When Rustock stopped yesterday it was in mid-campaign," he said.

Furthermore, the botnet seems to be unable to communicate with its command and control infrastructure, he said.

"The malware used embeds itself deep in the operating system, making it difficult to identify" - Paul Wood, Symantec.cloud

Computers within a botnet are controlled by command-and-control servers, which send out instructions on when to start spam campaigns or other attacks.

But disrupting the command and control infrastructure is a Herculean task.

It requires the co-ordination of security groups with insight into how the botnet operates, together with the participation of law-enforcement agencies, domain name registrars and internet service providers, all of which can be located in different time zones, said Paul Wood, a security researcher at Symantec.cloud.

Other botnets have been taken down before, but none the size of Rustock, which is thought to comprise close to a million infected computers.

But no-one has yet confirmed that silencing Rustock was the result of co-ordinated activity, Mr Wood said.

"One of the problems for law enforcers is deciding when to take action," he said.

Once police know enough about a botnet to be able to take it down, they can collect an awful lot of intelligence about its owners, he added.

Previous attempts to take down botnets have enjoyed mixed success.

When security firm FireEye disabled the Mega-D botnet's command and control infrastructure in early November 2009, its owners were able to resume their activities within a month.

"Many of these botnets are run as businesses, so they have back-up plans in place," said Mr Wood.

Often the infected computers that form a botnet are programmed to seek out websites where they can download new instructions, in the event tha
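The fallback behaviour described above is what decides whether a takedown sticks. The following toy model is an added illustration, not code from Rustock, Mega-D or any real botnet: it assumes a hypothetical primary controller name, a hypothetical scheme in which bots and operator derive each day's rendezvous domains from a shared seed, and a registry that records who answers for each name. It shows why sinkholing only the primary server is not enough: the operator re-registers a fallback domain the next day and regains the bots, whereas a takedown that also pre-registers the fallback domains for a window of days leaves the operator with nothing to register.

```python
"""Toy model of why taking down a botnet's primary C2 is not enough.

Added illustration; not code from Rustock, Mega-D or any real botnet.
The .invalid names and the domain-derivation scheme are assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PRIMARY_C2 = "c2.example.invalid"   # hypothetical primary controller


def fallback_domains(seed: str, day: int, count: int = 3) -> List[str]:
    """Derive the day's candidate rendezvous domains from a shared seed.

    Operator and bots can both compute this list; a defender who has
    reverse-engineered the malware can compute it too (assumed scheme).
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day}:{i}".encode()).hexdigest()
        names.append(digest[:12] + ".example.invalid")
    return names


@dataclass
class Internet:
    """Who answers for each domain: 'operator', 'sinkhole', or unregistered."""
    registry: Dict[str, str] = field(default_factory=dict)

    def fetch_instructions(self, domain: str) -> Optional[str]:
        # A sinkholed or unregistered domain yields no usable command.
        if self.registry.get(domain) == "operator":
            return "SPAM:campaign"
        return None


def bot_cycle(net: Internet, seed: str, day: int) -> Tuple[Optional[str], Optional[str]]:
    """One check-in: try the primary C2 first, then the day's fallback domains."""
    cmd = net.fetch_instructions(PRIMARY_C2)
    if cmd:
        return cmd, PRIMARY_C2
    for dom in fallback_domains(seed, day):
        cmd = net.fetch_instructions(dom)
        if cmd:
            return cmd, dom
    return None, None


def simulate(takedown_day: int, preregister_days: int, horizon: int,
             seed: str = "toy-botnet") -> List[int]:
    """Return the days after the takedown on which bots still get commands.

    On takedown_day the defenders sinkhole the primary C2 and pre-register
    the fallback domains for the next preregister_days days.  From the next
    day on, the operator tries to register one of that day's fallback
    domains; bots then check in once per day.
    """
    net = Internet({PRIMARY_C2: "operator"})
    regained = []
    for day in range(horizon):
        if day == takedown_day:
            net.registry[PRIMARY_C2] = "sinkhole"
            for d in range(day, day + preregister_days):
                for dom in fallback_domains(seed, d):
                    net.registry.setdefault(dom, "sinkhole")
        elif day > takedown_day:
            for dom in fallback_domains(seed, day):
                if dom not in net.registry:       # operator wins the race
                    net.registry[dom] = "operator"
                    break
        cmd, _ = bot_cycle(net, seed, day)
        if cmd and day > takedown_day:
            regained.append(day)
    return regained


if __name__ == "__main__":
    # Constructed scenario: takedown on day 2, ten-day horizon.
    print("primary only sinkholed:", simulate(2, 0, 10))
    print("fallbacks pre-registered:", simulate(2, 30, 10))
```

Run with a short pre-registration window (for example three days) and the model shows the operator recovering as soon as the window lapses, which is the pattern of the Mega-D episode described above: the defenders must keep the fallback names out of the operator's hands for as long as the infected machines keep looking.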
