Since successfully taking down the Rustock botnet on March 16th, Microsoft has continued to analyze the threat, investigate leads on the operations and owners of the botnet and work with Community Emergency Response Teams (CERTs) and Internet Service Providers (ISPs) worldwide to help the legitimate owners of Rustock-infected computers to clean their computers of malware. Today, the Microsoft Digital Crimes Unit (DCU), the Microsoft Malware Protection Center (MMPC) and Trustworthy Computing released a new Special Edition Security Intelligence Report (SIR) entitled “Battling the Rustock Threat.”

This report provides new data on the Rustock botnet and the impact of the malware on computers around the world. In addition to the report, we have released updated data on the computer infection reductions we’ve seen since the takedown, and a video which captures infected Internet Protocol (IP) addresses from all around the world attempting to check into the Waledac and Rustock botnets as recently as two weeks ago.

The SIR report gives an overview of the Win32/Rustock family of rootkit-enabled backdoor Trojans, its functionality and how it works. It also shows the direct impact of the takedown operation. The SIR also verifies something we have long believed: that Rustock-infected computers are also very likely to be infected with other malware. For example, DCU and MMPC conducted an experiment in which they infected a computer with Win32/Harnig, which is known to infect a computer with Rustock, in order to see what additional malware was installed. Within five minutes of installation, a wide variety of additional malware and potentially unwanted software had been downloaded and installed onto the infected computer – and many of these threats are themselves designed to eventually download even more malware.

These findings speak to the need for all computer users to exercise safe practices to protect their computers from becoming infected with malware. Safe practices include things like running up-to-date and legitimate software (for Microsoft customers, this also means ensuring Microsoft Update is turned on to automatically update all your Microsoft software, but it also means keeping your other software up to date as well), firewall protection and anti-virus and anti-malware protection. Please visit support.microsoft.com/botnets for free information and tools to clean your computer from malicious software and visit http://www.microsoft.com/security for more information on online safety and security.

In addition to the report, I also want to take this opportunity to give you up-to-the-minute information on the malware cleanup data for Rustock. The SIR data is based on cumulative data through May, but today we also released additional information from as recently as June 18th about the infected IP data from around the world. In short, since the time of the initial takedown, we estimate the Rustock botnet is now less than half the size it was when we took it down in March. That’s great news and the infection reduction has happened much more quickly than it did for Waledac over a similar period of time last year, but we still have a long way to go. Here are the specifics:

Worldwide Rustock reduction rate (by observed known IP address infections)

Observed Mar 20-26, 2011    Observed June 12-18, 2011    Reduction Mar – June 2011
1,601,619                   702,860                      56.12%

Top 10 infected countries at start of Rustock takedown

Country     Observed Mar 20-26, 2011    Reduction Mar – June 2011
India       322,566                     69.30%
Russia      93,703                      70.61%
Turkey      89,122                      43.38%
USA         86,375                      35.48%
Italy       53,656                      40.28%
Brazil      46,978                      53.24%
Ukraine     45,828                      71.56%
Germany     43,946                      42.39%
Malaysia    42,541                      69.82%
Mexico      39,648                      51.92%

Top 10 infected countries as of today

Country     Observed June 12-18, 2011    Reduction Mar – June 2011
India       99,032                       69.30%
USA         55,731                       35.48%
Turkey      50,465                       43.38%
Italy       32,041                       40.28%
Russia      27,535                       70.61%
Germany     25,318                       42.39%
Brazil      21,967                       53.24%
France      21,625                       30.48%
Mexico      19,064                       51.92%
Poland      18,015                       44.80%
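The reduction figures in the tables above come from comparing the distinct IP addresses that checked into the sinkhole in two one-week windows. As an added illustration (not Microsoft's code, and using constructed check-in records rather than real Rustock data), this shows how such a table is derived: distinct source IPs per country in each window, then the percentage drop, with the same rounding as the report.

```python
from collections import defaultdict
from datetime import date

# Constructed sample sinkhole check-in records (not real Rustock data):
# (check-in date, source IP, country code, botnet family)
CHECKINS = [
    (date(2011, 3, 21), "198.51.100.7", "IN", "rustock"),
    (date(2011, 3, 21), "198.51.100.7", "IN", "rustock"),  # same host, repeat beacon
    (date(2011, 3, 22), "198.51.100.9", "IN", "rustock"),
    (date(2011, 3, 23), "203.0.113.4", "US", "rustock"),
    (date(2011, 3, 24), "203.0.113.5", "US", "rustock"),
    (date(2011, 3, 24), "203.0.113.6", "US", "waledac"),  # other family, excluded
    (date(2011, 6, 13), "198.51.100.7", "IN", "rustock"),  # still infected in June
    (date(2011, 6, 15), "203.0.113.4", "US", "rustock"),
    (date(2011, 6, 16), "203.0.113.9", "US", "rustock"),
]

MARCH_WINDOW = (date(2011, 3, 20), date(2011, 3, 26))
JUNE_WINDOW = (date(2011, 6, 12), date(2011, 6, 18))


def unique_ips_by_country(records, start, end, family="rustock"):
    """Count distinct source IPs per country that checked in within [start, end]."""
    seen = defaultdict(set)
    for day, ip, country, bot in records:
        if bot == family and start <= day <= end:
            seen[country].add(ip)  # repeat beacons from one IP count once
    return {c: len(ips) for c, ips in seen.items()}


def reduction_pct(before, after):
    """Percentage drop in observed infections, rounded as in the report's tables."""
    if before == 0:
        return 0.0
    return round(100.0 * (before - after) / before, 2)


def reduction_table(records, win1, win2, family="rustock"):
    """Per-country (before, after, reduction %) rows plus a WORLD total row."""
    first = unique_ips_by_country(records, *win1, family)
    second = unique_ips_by_country(records, *win2, family)
    rows = {}
    for country, before in first.items():
        after = second.get(country, 0)
        rows[country] = (before, after, reduction_pct(before, after))
    total_before, total_after = sum(first.values()), sum(second.values())
    rows["WORLD"] = (total_before, total_after, reduction_pct(total_before, total_after))
    return rows
```

Because one host can appear under several addresses over a week (and several hosts behind one NAT address), distinct-IP counts are an approximation of infected machines rather than an exact census, which is why the post describes the counts as observed IP address infections.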

Last, this video shows what the footprint looks like in real time for both Rustock and Waledac – the two botnets taken down and controlled by Microsoft to date. This video is a demo feed captured from 1:25 PM PDT (7/1/2011 8:25 PM UTC) on Friday, July 1 of real-time monitoring of the Rustock and Waledac botnets. The dots in the video represent attempted check-ins into the Rustock and Waledac botnets now controlled by Microsoft from malware-infected computers across the globe, second by second, for just those few minutes alone. Black and yellow represent Rustock, blue represents Waledac, and red represents multiple infections. Obviously, these check-ins vary every moment as infected computers are turned on, turned off, disconnected, cleaned or replaced all around the world at any given moment in time. However, this gives you a sense of the scope and footprint of these known botnets across the globe, even today.

The good news is that we are making progress. The tech industry, policy makers and consumer advocacy groups have helped curb cyber threats through the development of safer products and by increasing public awareness of cybercrime. As we continue our efforts to fight cybercrime, one thing is clear: these threats cannot be tackled alone. It was through the combined effort of Microsoft, the judicial system and the industry that Rustock was successfully taken down. Cooperation is the key to success and we will continue to develop and leverage partnerships, while sharing our knowledge and expertise, so we as an industry can advance in the war against cybercrime with the ultimate goal of creating a safer, more trusted Internet for everyone.

Microsoft will continue to provide updates as the Rustock investigation and cleanup effort continues. For more information about today’s news, I encourage you to read the Microsoft Security blog or the Microsoft Malware Protection Center blog. For more information on Microsoft’s Security Intelligence Reports, visit http://www.microsoft.com/security/sir. To follow the Microsoft Digital Crimes Unit for news and information on proactive work to combat botnets and other digital threats, visit www.facebook.com/MicrosoftDCU or twitter.com/MicrosoftDCU.

Posted by Richard Boscovich
Senior Attorney, Microsoft Digital Crimes Unit