In a blog post, video, and special edition of its Security Intelligence Report, Microsoft today highlighted how it took down the Rustock botnet earlier this year and discussed, for the first time, what it has learned since.
These resources are linked below.
Microsoft Releases New Threat Data on Rustock (Official Microsoft Blog)
In short, since the time of the initial takedown, we estimate the Rustock botnet is now less than half the size it was when we took it down in March. That’s great news and the infection reduction has happened much more quickly than it did for Waledac over a similar period of time last year, but we still have a long way to go.
The good news is that we are making progress. The tech industry, policy makers and consumer advocacy groups have helped curb cyber threats through the development of safer products and by increasing public awareness of cybercrime. As we continue our efforts to fight cybercrime, one thing is clear: these threats cannot be tackled alone. It was through the combined effort of Microsoft, the judicial system and the industry that Rustock was successfully taken down. Cooperation is the key to success and we will continue to develop and leverage partnerships, while sharing our knowledge and expertise, so we as an industry can advance in the war against cybercrime with the ultimate goal of creating a safer, more trusted Internet for everyone.
Rustock Botnet Infections Timeline Video (Microsoft PressPass)
On March 16, 2011, the Microsoft Digital Crimes Unit (DCU), in cooperation with industry and academic experts, successfully took down the Win32/Rustock botnet. At the time of the takedown, Rustock was estimated to have had approximately a million infected computers operating under its control and was known to be capable of sending billions of spam email messages every day, including fake Microsoft lottery scams and offers for fake – and potentially dangerous – prescription drugs.
Read an overview of the Win32/Rustock family of rootkit-enabled backdoor Trojans: background, functionality, how it works, and threat telemetry data with analysis for 2010 to May 2011. This document describes the legal and technical action used to take down the Rustock botnet and how to detect and remove the threat using Microsoft antimalware products.