
Microsoft hands Rustock botnet case over to FBI

After winning a summary judgment against the perpetrators of the massive spamming network, the software giant hands evidence to federal law enforcement, including clues about the alleged ringleader.

Jay Greene Former Staff Writer
Jay Greene, a CNET senior writer, works from Seattle and focuses on investigations and analysis. He's a former Seattle bureau chief for BusinessWeek and author of the book "Design Is How It Works: How the Smartest Companies Turn Products into Icons" (Penguin/Portfolio).

Exclusive: Microsoft is hoping that federal agents will bring to justice one of the world's most notorious spammers, known to the company only as Cosma2k.

According to Microsoft, Cosma2k is the handle of the alleged ringleader of the Rustock botnet, which earlier this year was the purveyor of more e-mail spam than any other network in the world, sending as many as 30 billion messages a day at its peak.

In March, Microsoft worked with federal law enforcement agents to shut down the Rustock botnet. Earlier this month, the company won a summary judgment against the unnamed defendants that allegedly ran the network. Now, the company is turning the evidence it has gathered over to the Federal Bureau of Investigation.

[Photo caption] Hard drives seized in the March Rustock raid at a hosting facility in Kansas City, Mo. (Credit: Microsoft)

The software giant has long worked with law enforcement to track down and eliminate spammers, botnets, and other malicious code creators. But when it's helped take down botnets previously, such as the Waledac botnet in 2010, the company stopped when it won a summary judgment in civil courts.

"We didn't want this to stop," said Richard Boscovich, senior attorney in the Microsoft Digital Crimes Unit. One reason is that Microsoft has gathered enough evidence to zero in on the identity of the Rustock chieftain.

"We have a real good idea of who may be responsible for this," Boscovich said.

In a legal filing, Microsoft disclosed that the IP addresses of the last command-and-control servers Rustock used before it was shut down had been purchased through a hosting reseller in Baku, the Azerbaijani capital. The reseller said the buyer, who communicated only through instant-messaging applications, was known as Cosma2k. Payments came from a WebMoney online payment account or were "transferred manually through an agent in Moscow," according to the filing.

To serve Cosma2k with the complaint and obtain its summary judgment, Microsoft took out ads in two Russian newspapers, Delovoy Petersburg in St. Petersburg and the Moscow News. It also sent copies of the complaint to every e-mail and instant-messaging address for Cosma2k that it found in its investigation.

Microsoft gathered much of the information by issuing a $250,000 bounty in July for new information resulting in the identification, arrest, and criminal conviction of the Rustock leaders. Boscovich said the reward led to 20 to 50 tips a day of varying quality when it was first issued. Some, he noted, came from sources apparently engaged in similar botnet activities from Eastern Europe.

"We've gotten some good leads from some interesting sources," Boscovich said.

Microsoft will continue to offer the bounty. But it's handing that information over to the FBI, which has set up a special tips e-mail account: MS_Referrals@ic.fbi.gov.

Rustock was such a prolific spammer that security experts noticed almost instantly when Microsoft's Digital Crimes Unit, working with U.S. marshals, raided seven hosting facilities across the country in March and seized the command-and-control machines that ran the network. Those are the servers that send instructions to infected computers, which then mail phony lottery scams and offers of fake prescription drugs.

Microsoft believes that Rustock infected about 1.3 million computers worldwide. It's worked with Internet service providers to notify affected computer users and help remove the malware from their machines. While there are still plenty of infected computers running, the company believes the botnet has been reduced by about 75 percent.

To prevent further use of the botnet, U.S. District Judge James L. Robart ruled in his September 13 summary judgment that the roughly 50,000 domain names, as well as Internet protocol addresses, used to host Rustock would be removed from circulation for the next two years. Those addresses were all automatically generated collections of letters and numbers, such as 0exqevwocqcg.net, that Rustock used to perpetuate infections.
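As an added illustration that is not part of the article and not Microsoft's own tooling, the following Python heuristic flags domain names that look machine-generated, like the one quoted above, in DNS resolver logs; the log lines, field layout and thresholds are constructed for the example.

```python
import math
import re

# Constructed sample resolver log lines (not from the article): timestamp, client IP, "query", name.
SAMPLE_DNS_LOG = """\
2011-03-16T10:01:02Z 10.0.0.5 query www.microsoft.com
2011-03-16T10:01:03Z 10.0.0.5 query 0exqevwocqcg.net
2011-03-16T10:01:04Z 10.0.0.7 query mail.example.org
2011-03-16T10:01:05Z 10.0.0.7 query xk3qzvpt9wla.com
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character over the string's own character frequencies."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    # Label directly in front of the TLD; sufficient for the two-part names used here.
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(name, min_len=10, max_vowel_ratio=0.3, min_entropy=2.8):
    """Heuristic, not a classifier: long label with few vowels that is either
    high-entropy or mixes digits into letters. Thresholds are assumed values."""
    label = second_level_label(name)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_letter_mix = bool(re.search(r"[0-9]", label)) and bool(re.search(r"[a-z]", label))
    return vowel_ratio <= max_vowel_ratio and (
        shannon_entropy(label) >= min_entropy or digit_letter_mix
    )


def flag_suspicious_queries(log_text):
    """Return (client_ip, name) pairs whose queried name trips the heuristic."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "query":
            continue  # skip malformed lines rather than crash on them
        if looks_generated(fields[3]):
            flagged.append((fields[1], fields[3]))
    return flagged
```

Such a score is only a triage signal: legitimate long labels can trip it, so it belongs in front of an analyst or a blocklist check, not a blocking rule.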