Microsoft wrapped up its civil case against the still unnamed controllers of the Rustock botnet and handed off the information gleaned during its investigation to the FBI.
But the move doesn't end the company's six-month operation. Last week, a federal judge granted Microsoft and others the right to lock up tens of thousands of Internet protocol addresses for the next two years. The IP addresses were ones that the Rustock controllers could use to issue commands to the malware that still exists on infected PCs.
Richard Boscovich, a senior attorney in the Microsoft Digital Crimes Unit, was confident that authorities would find, arrest and prosecute those involved with Rustock.
"We went as far as we could on the civil side, we were able to develop some very good leads that we think will lead to the identities of some of those responsible," said Boscovich. "We decided to give our findings to law enforcement, so they could use their expertise. It was a natural progression for the case."
Later during the interview, Boscovich said he "felt pretty good" about the chance that authorities will eventually make arrests.
In March, Microsoft lawyers and US Marshals seized Rustock command-and-control (C&C) servers at five web hosting providers in seven US cities, crippling the botnet. At the time, Rustock was hiding on an estimated 1.6 million Windows PCs worldwide, and was being used to send massive quantities of spam, up to 30 billion messages daily, much of it pitches for fake pharmaceuticals.
The takedown and subsequent suppression efforts have prevented Rustock from reviving, according to Microsoft.
Boscovich said that as of September, Microsoft had identified about 422,000 Rustock-infected PCs, a 74% reduction since March. The September numbers were an improvement over June, when Microsoft said that more than 700,000 PCs harboured the Rustock malware.
The takedown didn't remove the Windows PCs from Rustock control. Instead, the server seizures and the blocking of domains Rustock was to use for fallback communications kept the botnet from updating itself.
That, in turn, gave antivirus vendors the time they needed to issue signatures for the existing Rustock malware, and for Internet service providers (ISPs) to notify users that their machines had been compromised.
But for all its work, including offering a $250,000 reward for information that leads to an arrest, Microsoft has not been able to conclusively identify those who controlled the botnet.
In an earlier filing with a Seattle federal court, Microsoft said it had traced payments for the hosting of some of Rustock's C&C servers to a specific Webmoney account, and after asking the Russian online payment service for help, identified the owner of that account as one Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.
However, Microsoft had cautioned the court that Shergin might not be the actual purchaser of Rustock's C&C hosting services.
The $250,000 reward, which Microsoft posted in July, brought in scores of tips, including some high quality leads, said Boscovich.
"Some of the information we received seemed to be coming from other individuals in the 'industry,'" said Boscovich, referring to the botnet cybercrime business. He said Microsoft was able to gauge the legitimacy of the incoming tips by using information it had already collected.
"We were getting some very good discovery," Boscovich said, talking about the civil case's investigative phase. "We wanted to supplement that by offering the reward."
Microsoft has not withdrawn the reward, but has asked that tips now be submitted to an FBI email address. Some of what Microsoft learned during its Rustock digging revealed other cybercrimes, information that the company and others can use.
"It's like when you're walking down an alley looking for one crime, on the way you see several others," Boscovich said. "[The investigation] led to a lot of good leads, not just about Rustock, but about the industry itself."