Friday, March 25, 2011

Spam kings sought after takedown

The Rustock botnet, which sent up to 30 billion spam messages per day, might have been run by two or three people.

Early analysis, following raids to knock out the spam network, suggests that it was the work of a small team.

Rustock was made up of about one million hijacked PCs and employed a series of tricks to hide itself from scrutiny for years.

Since the raids on the network's hardware, global spam levels have dropped and remain relatively low.

Net gains

"It does not look like there were more than a couple of people running it to me," said Alex Lanstein, a senior engineer at security firm FireEye, which helped with the investigation into Rustock.

Mr Lanstein based his appraisal on familiarity with Rustock gained while working to shut it down over the past few years.

He said that the character of the code inside the Rustock malware and the way the giant network was run suggested that it was operated by a small team.

That work by FireEye, Microsoft, Pfizer and others culminated on 16 February with simultaneous raids on data centres in seven US cities that seized 96 servers which had acted as the command and control (C&C) system for Rustock.

Mr Lanstein said hard drives from the servers had been handed over to a forensic firm that will scour them for clues as to the identity of the network's controllers.

His hunch that a small team was behind Rustock is partly based on how different it was to other spam networks such as Zeus.

That network, said Mr Lanstein, operates on a franchise basis and involves many different groups and cyber criminals.

By contrast, Rustock was a tightly controlled, if huge, network that brought with it many of the administration headaches suffered by any web-based business.

"They ran into a lot of problems with managing their assets and pushing updates out to a million user network," he said.

Rustock evaded capture for years because of the clever way it was controlled, he said. Victims were snared when they visited websites seeded with booby-trapped adverts and links.

Once PCs were compromised, updates were regularly pushed out to them using custom-written encryption. Those downloads contained the spam engine that despatched billions of ads for fake pharmaceuticals.

Updates sent to PCs in Rustock were also disguised to look like comments on discussion boards, making them hard for security software to spot, since such software typically looks for well-known signs of malware.

The servers controlling Rustock were also located within hosting centres in the US rather than overseas.

"By locating all the C&C servers in middle-America, not in major metropolitan areas, they were able to stay off the radar," said Mr Lanstein.

Hosting costs for the C&C systems ran to about $10,000 (£6,211) per month, he said.

It was hard to estimate how much money the operators of Rustock had made, said Mr Lanstein, but it was likely to be a huge figure.

Since the raids, Rustock's controllers do not seem to have tried to re-assert control of their creation. Legal steps taken by Microsoft could limit any future attempt, said Mr Lanstein, adding that he was not sure they would even try.

"When you are a programmer and you realise that you have the full force of the Microsoft legal department pointed directly at you, then you might say to yourself it's time to try something else," he said.



Powered By WizardRSS.com | Full Text Feeds | Amazon PluginsHud-1

Microsoft buys old net addresses

Microsoft has offered to pay $7.5m (£4.7m) for net addresses from bankrupt telecoms firm Nortel.

The 666,624 IP version 4 (IPv4) net addresses were put up for auction as part of the sell-off of Nortel's assets.

Blocks of IPv4 addresses are valuable because the pool of this generation of addresses is close to running dry.

It was predicted that a market in IPv4 would appear among companies facing a costly migration to the newer IPv6.

Details of the sale were contained in papers filed to a Delaware bankruptcy court and show that Microsoft's bid was the highest of the 80 firms asked if they wanted to make an offer for the IP addresses.

The deal is yet to be approved by that court and anyone who objects to it can file their comments before 4 April.

If it goes through, Microsoft will get hold of 470,016 of the IP addresses instantly and the remaining 196,608 will be released as former customers of Nortel are moved to other telecoms firms.

IP addresses are used to identify individual computing devices on the internet and private networks.

IPv4 allows for a maximum of approximately 4.3 billion devices.

That number seemed enough in the early 1980s when the standard was first proposed; however, the rapid growth in personal computers, smartphones and other internet-connected devices means that addresses have been rapidly running out.

The last big blocks of IPv4 addresses were handed out in February and all of them are expected to be used up by late 2011.

Net firms are in the process of moving to version 6 of the IP addressing scheme, which offers more than 3 undecillion individual numbers (3 with 38 noughts).

However, the migration is happening very slowly.

In the interim, it is expected that IPv4 addresses will become increasingly valuable.

It is not clear why Microsoft wants to buy Nortel's supply; however, many companies are keen to avoid the cost of changing their networking systems over to IPv6-compatible equipment.

The Microsoft-Nortel deal values the IPv4 address blocks at $11.25 (£7) each, higher than the price many firms charge for a .com domain. This was indicative, said experts, that the market for IPv4 addresses was heating up.

Registries that oversee the allocation of net addresses are also working on plans for a re-circulation system that takes IPv4 addresses from firms that are using IPv6 and releases them for use by others.
