…if there’s actual evidence, I have no doubt that law enforcement will act. However, I think this is highly unlikely.
—Konstantin Poltev (spokesman of Esthost/Rove Digital), October 13, 2008
In the past, some cybercriminals have been so brazen that they publicly declared that the chances they would ever be caught were slim. Today, however, it is time for them to think again. In 2011, historic steps were taken in the battle against cybercrime. Collaboration between law enforcement and the security industry led to important takedowns and arrests. Here are some of the highlights of 2011.
On March 16, 2011, Microsoft took down the Rustock spam botnet. The simultaneous takedown of all of its command-and-control (C&C) servers led to the true death of the Rustock botnet. The Rustock zombies could not be resurrected because Microsoft made sure that none of the hard-coded domains Rustock used could fall back into the hands of bad actors. The gang behind the botnet was not arrested, but Microsoft published advertisements in Russian newspapers offering a US$250,000 reward for information leading to the identification, arrest, and conviction of the minds behind Rustock. Microsoft's lawyers used novel legal arguments to convince a federal court in Seattle that it had the right to seize the Rustock servers. This set an important legal precedent for future cases.
Taking down a large spam botnet has a huge impact on the spam volume and makes the Internet a safer place for everyone. However, some bad actors won’t stop committing crimes even if their botnet is taken down and even if bounty hunters are looking for them. Consider the case of the Kelihos spam botnet, believed to have been written by the same people responsible for Waledac, another botnet taken down in 2010.
In September 2011, Microsoft once again convinced a federal judge to allow it to block all of the IP addresses and domains Kelihos's C&C servers used without first informing the defendants. One of the defendants was explicitly named in the complaint: the owner of the cz.cc domain, one of the domains taken offline. This was a remarkable step, as cz.cc was a so-called rogue second-level domain (SLD). The takedown of cz.cc meant that hundreds of thousands of subdomains, which were either used illegitimately or used for Kelihos's C&C servers, were taken offline. This sets an example for all other rogue SLDs that they will be held accountable for abuse incidents.
CoreFlood was a botnet made up of hundreds of thousands of computers infected with a data-stealing Trojan. This particularly dangerous botnet was dismantled by the FBI in April 2011. The FBI took over its C&C servers and operated them until mid-June 2011. The FBI sent a stop command to the bots in the United States, causing the malware to exit. This was the first time the U.S. government took over the C&C infrastructure of a botnet and pushed a command to the bots so that they became unreachable by the botmasters.
On November 8, the FBI, NASA, and the Estonian Police took down Rove Digital's DNS changer infrastructure. This was accomplished in collaboration with Trend Micro, the Internet Systems Consortium (ISC), and other industry partners. At the same time, six suspects were arrested in Estonia. Among those arrested were Rove Digital's CEO Vladimir Tsastsin and its spokesman Konstantin Poltev. More than 200 servers were seized from different data centers in the United States and Estonia. Bank accounts holding millions in cash were frozen and other assets were confiscated. This was one of the biggest cybercrime takedowns ever executed. It was the result of a very successful collaboration between law-enforcement authorities and the security industry. (An infographic about the Esthost botnet, and where it stood relative to other botnets previously taken down, may be found here.)
Trend Micro played an important role by identifying the components of and monitoring Rove Digital's vast network. The ISC replaced the rogue DNS servers, which had been redirecting victims to foreign sites, with clean resolvers answering on the same addresses. This was necessary so as not to cut off the Internet access of the millions of DNS-changer victims whose machines still pointed at those addresses after the takedown.
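Because the infected machines kept pointing at the seized resolver addresses, the practical question for a potential victim after the takedown is simply whether the configured resolvers fall inside the rogue ranges. The following is an added example of that check, not Trend Micro's or the ISC's tooling; it parses resolv.conf-style text and matches each nameserver against a blocklist of CIDR ranges. The ranges used here are RFC 5737 documentation prefixes standing in for a real blocklist, and the resolv.conf samples are constructed.

```python
"""Flag DNS resolvers that fall inside known-rogue address ranges.

Added example, not code from the page or from Trend Micro/ISC.
ROGUE_RANGES are placeholder documentation prefixes (assumption), not the
actual Rove Digital ranges; replace them with a real blocklist in practice.
"""
import ipaddress
import re

# Assumption: placeholder ranges. A real check would load the ranges published
# by the investigators instead of these RFC 5737 documentation prefixes.
ROGUE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
]

# Matches "nameserver <addr>" lines; comment lines start with "#" and never match.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf: str) -> list:
    """Return the resolver IP addresses listed in resolv.conf-style text.

    Entries that are not valid IPv4/IPv6 literals are skipped rather than
    raising, so a malformed line cannot abort the whole check.
    """
    resolvers = []
    for match in NAMESERVER_RE.finditer(resolv_conf):
        try:
            resolvers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
    return resolvers


def rogue_resolvers(resolvers, rogue_ranges=ROGUE_RANGES) -> list:
    """Return the subset of resolvers contained in any rogue range."""
    return [ip for ip in resolvers if any(ip in net for net in rogue_ranges)]


def check_resolv_conf(resolv_conf: str, rogue_ranges=ROGUE_RANGES):
    """Return (clean, hits): clean is True if no resolver is in a rogue range,
    hits lists the offending addresses as strings."""
    hits = rogue_resolvers(parse_resolvers(resolv_conf), rogue_ranges)
    return (len(hits) == 0, [str(ip) for ip in hits])


# Constructed samples: one machine whose first resolver sits in a rogue range,
# one machine pointing only at private-network resolvers.
SAMPLE_INFECTED = """# constructed sample: DNS-changer victim
nameserver 198.51.100.23
nameserver 10.0.0.53
"""
SAMPLE_CLEAN = """# constructed sample: untouched host
nameserver 192.168.1.1
nameserver 10.0.0.53
"""

if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        clean, hits = check_resolv_conf(text)
        print(f"{label}: clean={clean} rogue_resolvers={hits}")
```

On a live system the text would come from `/etc/resolv.conf` (or the equivalent registry keys on Windows, which the DNS changer also rewrote), and the ranges from the list published by the investigators; the matching logic is the same.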
The RIPE NCC (Réseaux IP Européens Network Coordination Centre), the regional Internet registry that allocates IP addresses in Europe, also froze Rove Digital's European IP address ranges. This ensured that Rove Digital's accomplices who were not arrested on November 8 could not move their rogue DNS infrastructure to another location in the world and could not continue to exploit their large pool of victims. The RIPE NCC froze the IP address ranges following an order from the Dutch Police, a truly historic and brave step. The RIPE NCC, an independent nonprofit membership organization, then decided to challenge that order in court. This is not a bad move per se, as it can result in a legal precedent, making the persistent abuse of RIPE's IP space a lot more difficult. Today, it seems to be rather easy for criminal entities to obtain and keep IP address ranges from the RIPE NCC even as IP space becomes scarce. This is a RIPE-specific problem, as we don't see these types of problems taking place in Asia or the United States.
In June 2011, the co-founder and CEO of credit card clearing house Chronopay, Pavel Vrublevsky, was arrested in Russia for an alleged cyber attack against a competitor. Another major shareholder of Chronopay, Rove Digital's CEO Vladimir Tsastsin, was arrested as part of Operation Ghost Click. These two arrests may have significant consequences for the rogue antivirus business, as Chronopay was the preferred credit card clearing house of cybercrime gangs that sell FAKEAV.
2011 proved that collaboration between law-enforcement authorities and the security industry can have a major impact. For major cybercriminals, it is no longer a question of whether they will be arrested but when. We are looking forward to what 2012 will bring. One thing is certain though: Trend Micro will continue to support the fight against cybercrime.