Court documents have revealed that Microsoft forensic investigators have discovered more than 400,000 email addresses on a single hard drive seized during the Rustock botnet takedown in March.
The Rustock gang also had stolen credit card numbers.
Microsoft outlined its investigation into the hard drives belonging to the botnet’s command and control servers in a status report to the United States District Court for the Western District of Washington on 23 May.
Microsoft researchers had been analysing and studying the hardware seized by the US Marshalls Service and other law enforcement agencies during the 17 March raid, Network World reported 24 May.
“One text file alone contained over 427,000 email addresses,” Microsoft wrote.
Microsoft has found a clue that hinted the Rustock owners were based in Russia. The payments for some of the hosting services were traced to a specific Webmoney account. Webmoney is an electronic money and online payment system very popular among Russian clients. Webmoney helped Microsoft trace the account back to a Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.
Microsoft acknowledged in the status filing that the actual person who bought the C&C servers’ hosting services may be someone else.
“Microsoft is continuing its investigation to determine whether the name and contact information are authentic, whether this is a stolen identity and whether this person is associated with the events in this action,” the company said.
Tracking down the botnet’s origins was a challenge because 18 of the 20 drives seized in the raid had been used as Tor nodes to anonymise Internet traffic. Tor routes Internet traffic through volunteer computers and is often used by activists to hide their activities from government censorship as well as by criminals hoping to avoid detection.
The Rustock botnet is estimated to have had about a million compromised machines under its control and was capable of sending up to 30 billion spam messages per day. Microsoft obtained a restraining order from the US District Court for the Western District of Washington giving the US Marshalls and other law enforcement authority to seize the C&C servers hosted in facilities in seven US cities.
However, it doesn’t appear that the March shutdown had any long-term impact on global spam levels. Spam levels declined 2 percent to 3 percent shortly after the takedown, but then returned to normal levels, Kaspersky Lab found in its quarterly spam report.
Spam accounted for a little less than 80 percent of total e-mail volume in the first quarter of 2011, which was 1.4 percent more than the last quarter of 2010, but 6.5 percent less than the first quarter of 2010. In its monthly spam report for April, Kaspersky Lab reported the amount of spam increased by 1.2 percentage points compared to March, and averaged 80.8 percent of total e-mail volume.
“The closure of the Rustock botnet command centres on 16 March 2011 did not impact spam traffic as dramatically as last year’s Pushdo, Cutwail and Bredolab closures,” Kaspersky researchers said in the quarterly report.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…