…if there’s actual evidence, I have no doubt that law enforcement will act. However, I think this is highly unlikely.
—Konstantin Poltev (spokesman of Esthost/Rove Digital), October 13, 2008
In the past, some cybercriminals have been so brazen that they publicly declared that the chances they would ever be caught were slim. Today, however, it is time for them to think again. In 2011, historic steps were taken in the battle against cybercrime. Collaboration between law enforcement and the security industry led to important takedowns and arrests. Here are some of the highlights of 2011.
On March 16, 2011, Microsoft took down the Rustock spam botnet. The simultaneous takedown of all of its command-and-control (C&C) servers led to the true death of the Rustock botnet. The Rustock zombies could not be resurrected because Microsoft made sure that all of the hard-coded domains Rustock used were no longer made available to bad actors. The gang behind the botnet was not arrested but Microsoft published advertisements in Russian newspapers offering a US$250,000 reward for anyone who gave information that led to the identification, arrest, and conviction of the minds behind Rustock. Microsoft’s lawyers used novel legal arguments to convince a federal court in Seattle that it had the right to seize the Rustock servers. This set an important legal precedent for future cases.
Taking down a large spam botnet has a huge impact on the spam volume and makes the Internet a safer place for everyone. However, some bad actors won’t stop committing crimes even if their botnet is taken down and even if bounty hunters are looking for them. Consider the case of the Kelihos spam botnet, believed to have been written by the same people responsible for Waledac, another botnet taken down in 2010.
In September 2011, Microsoft once again convinced a federal judge to allow it to block all of the IP addresses and domains Kelihos’s C&C servers used without first informing the defendants. One of the defendants was explicitly named in the complaint—the owner of the cz.cc domain, one of the domains taken offline. This was a remarkable step, as cz.cc was a so-called rogue second-level domain (SLD) name. The takedown of cz.cc meant that hundreds of thousands of subdomains, which were either used illegitimately or used for Kelihos’s C&C servers, were taken offline. This sets an example for all other rogue SLDs to be more accountable for abuse incidents.
CoreFlood was a botnet made up of hundreds of thousands of computers infected with a data-stealing Trojan. This particularly dangerous botnet was dismantled by the FBI in April 2011. The FBI took over its C&C servers and operated these until mid-June 2011. The FBI sent a stop command to the bots in the United States, causing the malware to exit. This was the first time the U.S. government took over the C&C infrastructure of a botnet and pushed a command to the bots so these became unreachable to the botmasters.