March 18, 2011, 12:06 PM — Microsoft yesterday claimed credit for taking down its second big botnet, as part of its sometime role as volunteer anti-spam, anti-malware enforcer.
The raids were based on information supplied to the U.S. Marshals Service by Microsoft and were approved by the Seattle federal court in which Microsoft is suing the unnamed operators of the Rustock botnet.
Microsoft's description of the operation estimated the Rustock malware had infected as many as a million computers, and that Rustock-infected machines helped send out as many as 30 billion pieces of spam per day, apparently specializing in fake lottery and pharmaceutical offers.
Estimating the size of botnets is notoriously difficult, however, and there's no telling how many in that million-PC army were infected with the particular strain of Rustock being used by operators of this botnet, or how many were actually under the operators' current control.
"With help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it," said Richard Boscovich, senior attorney at Microsoft's Digital Crimes Unit in a blog post on Microsoft's site.
Microsoft's last big success – announced in a blog post with the self-congratulatory headline "R.I.P. Waledac: Undoing the damage of a botnet" – was in September 2010, following an operation code-named Operation b49 that took down a much smaller botnet controlled by the Waledac malware.
Among , and eventually transferred ownership of 276 Internet domains used by Waledac operators to Microsoft for safekeeping.
The two botnet counterstrikes were part of Project MARS (Microsoft Active Response for Security) – "which is a joint effort between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center (MMPC), Microsoft Support and the Trustworthy Computing team to annihilate botnets and help make the Internet safer for everyone."