
Fighting Botnets

FireEye (www.fireeye.com) is one of the world's most effective private cybercrime fighters. The company defends corporations and governments against targeted malicious software. FireEye's clients include Fortune 500 companies and members of the U.S. intelligence community. FireEye's software examines the entire lifecycle of malicious software: how the malware operates in a network, what the malware is looking for, which servers delivered the malware, and which control servers the malware receives its orders from.

Since 2005, FireEye has deflected some of the world's most destructive online attacks, including:

• Aurora, the attack originating in China that targeted Google and other technology firms in 2009;
• Coreflood, the botnet that had been stealing millions of dollars from global bank accounts since the mid-2000s and possibly earlier;
• Zeus, a program that used personal information to steal hundreds of millions of dollars from financial institutions in 2007.

To understand why FireEye is so effective, consider its confrontation with the Rustock botnet.

Rustock was the most advanced botnet ever released onto the Web. It reeled people in by putting out spam that advertised fake drugs, online pharmacies, and Russian stocks. Then, from 2007 to 2011, Rustock quietly and illegally took control of more than a million computers around the world. Symantec, a computer security company, found that Rustock generated as many as 44 billion spam e-mails per day, nearly half of the total number of junk e-mails sent per day worldwide. Profits generated by Rustock were estimated to be in the millions of dollars.

For months, FireEye collaborated with Microsoft and Pfizer to plot a counterattack. Microsoft and Pfizer became involved because Rustock was selling fake Viagra, a Pfizer product, as well as sham lotteries using the Microsoft logo. Working from FireEye's intelligence, in March 2011 U.S. Marshals stormed seven Internet data centers across the United States where Rustock had hidden its 96 command servers. Microsoft lawyers and technicians and computer forensics experts also participated in the raids. A team deployed to the Netherlands confiscated two additional Rustock command servers.

Although the operation was executed flawlessly, Rustock was able to fight back. From an unknown location, the botmaster (the person or persons controlling the bots, or zombie computers) remotely sneaked back into its network, locked out Microsoft's technicians, and began to erase files. Clearly, the Rustock masterminds did not want anyone to discover the information contained inside their hard drives. After some difficulty, the Microsoft technicians were able to regain control of the servers. However, the data that were erased in the 30 minutes that the Microsoft technicians required to regain control of their servers may be lost forever.

As FireEye and its partner companies analyzed Rustock's equipment, they discovered that much of it was leased to customers with addresses in the Asian nation of Azerbaijan, which shares a border with Russia. Forensic analysis of the captured servers pointed Rustock's opponents to Moscow and St. Petersburg.

Rustock had used the name Cosma2k to conduct business on the Internet, and it maintained a WebMoney account (www.webmoney.com) under the name Vladimir Alexandrovich Shergin. No one knows whether Shergin was a real name or an alias. However, WebMoney was able to inform investigators that "Shergin" had listed an address in a small city outside Moscow.

On April 6, 2011, Microsoft delivered its first status report in its lawsuit against Rustock to the federal court in Seattle (Microsoft headquarters). Then, on June 14, Microsoft published notices in Moscow and St. Petersburg newspapers, detailing its allegations against the botnet spammer. The notices urged the perpetrators of Rustock to respond to the charges or risk being declared guilty. Microsoft also offered (and is still offering) $250,000 for information about the identity of the person or persons operating the botnet. Unfortunately, the Rustock perpetrators have still not been caught, and security experts believe that more than 600,000 computers around the world are still infected with Rustock malware.

Questions

1. Describe why it was so important for law enforcement officials to capture all 96 Rustock command servers at one time.

2. If the perpetrators of Rustock are ever caught, will it be possible to prove that the perpetrators were responsible for the malware? Why or why not? Support your answer.
