Seized Rustock Servers Reveal Compromised Emails

Microsoft forensic experts have uncovered 400,000 email addresses from seized Rustock servers

Court documents have revealed that Microsoft forensic investigators have discovered more than 400,000 email addresses on a single hard drive seized during the Rustock botnet takedown in March.

The Rustock gang also made use of stolen credit card numbers.

Microsoft outlined its investigation into the hard drives belonging to the botnet’s command and control servers in a status report to the United States District Court for the Western District of Washington on 23 May.

Seized Equipment

Microsoft researchers had been analysing the hardware seized by the US Marshals Service and other law enforcement agencies during the 17 March raid, Network World reported on 24 May.

The investigators uncovered “additional evidence” that the seized servers had been part of the botnet’s “spam-dissemination” infrastructure, Microsoft told US District Court Judge James Robart in the filing. The hard drives contained custom software that assembled spam messages, along with text files holding thousands of email addresses and username/password combinations. Microsoft also found evidence that the criminals had used stolen credit card numbers to purchase hosting and email services.

“One text file alone contained over 427,000 email addresses,” Microsoft wrote.

Microsoft also found a clue hinting that the Rustock operators were based in Russia. Payments for some of the hosting services were traced to a specific Webmoney account. Webmoney is an electronic money and online payment system widely used in Russia. Webmoney helped Microsoft trace the account back to a Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.

Microsoft acknowledged in the status filing that the person who actually bought hosting for the C&C servers may be someone other than the named account holder.

“Microsoft is continuing its investigation to determine whether the name and contact information are authentic, whether this is a stolen identity and whether this person is associated with the events in this action,” the company said.

Spam Volumes

Tracking down the botnet’s origins was a challenge because 18 of the 20 drives seized in the raid had been used as Tor nodes to anonymise Internet traffic. Tor routes Internet traffic through volunteer-run relays and is often used by activists to shield their activities from government censorship, as well as by criminals hoping to avoid detection.

The Rustock botnet is estimated to have had about a million compromised machines under its control and was capable of sending up to 30 billion spam messages per day. Microsoft obtained a restraining order from the US District Court for the Western District of Washington giving the US Marshals and other law enforcement agencies authority to seize the C&C servers hosted in facilities in seven US cities.

However, the March shutdown does not appear to have had any long-term impact on global spam levels. Spam levels declined by 2 percent to 3 percent shortly after the takedown, but then returned to normal levels, Kaspersky Lab found in its quarterly spam report.

Spam accounted for a little less than 80 percent of total email volume in the first quarter of 2011, which was 1.4 percent more than in the last quarter of 2010, but 6.5 percent less than in the first quarter of 2010. In its monthly spam report for April, Kaspersky Lab reported that the amount of spam increased by 1.2 percentage points compared to March, averaging 80.8 percent of total email volume.

“The closure of the Rustock botnet command centres on 16 March 2011 did not impact spam traffic as dramatically as last year’s Pushdo, Cutwail and Bredolab closures,” Kaspersky researchers said in the quarterly report.