In this case the action was led by Microsoft, with help from security vendor FireEye, the University of Washington, drug maker Pfizer, and the Dutch police. Instead of using the criminal justice system, Microsoft filed civil suits against Rustock's anonymous operators and got court orders allowing them to seize the servers used to control the botnet, and the Dutch police helped take down servers outside of the U.S.
Microsoft worked with the civil courts and researchers a year ago to take down another botnet, Waledac, but Rustock was much more complex, involving not only the seizure of many servers, but also some tricky work at the DNS level.
Because infected Rustock machines have a Plan B to connect to their controllers on specific Internet domains when the regular command and control servers are taken offline, Microsoft also had to work with Chinese authorities to prevent Rustock's operators from setting up new domains.
Rustock uses an ingenious algorithm to generate the names of Web sites that it tries to connect with for new instructions whenever its regular command-and-control servers are offline. Infected computers will go to predetermined daily news sites -- Slashdot for example -- and generate a special "seed" number based on what they find on the page. That seed number is then encrypted, giving the bad guys the name of the domain that Rustock will try to connect to. This makes it impossible to guess the domain names in advance. Microsoft seems to be blocking those new domains from registering for the time being, but one slip up, and Rustock's creators will be back in charge.
Rustock is "being suppressed; it's not really being taken down," said Joe Stewart, a researcher with Dell's SecureWorks unit. "If they stop monitoring those domains it could be back up within a few hours."
And that's a real concern, because Rustock's creator -- a hacker known only by his online handle, PE386 -- is still at large. That means he and his associates will probably return, said Thorsten Holz, an assistant professor at Ruhr-University Bochum. "As long as the attackers are running freely around, it's just some kind of Whack-a-Mole," he said. "I hope that in this case some arrests will follow."
Researchers have spent months painstakingly investigating the botnet, and while they may think they know how it works, a full-scale takedown is a trip into uncharted waters. "We're all saying where's the recovery?" Greene said. "Are they going to try and regain control over it? It's like atom-smashing. You do this very primitive thing: you smash the atom. And then you watch for after effects."