Many PCs still infected after Rustock botnet shutdown
According to Microsoft's latest analysis, which is based on data collected by "sinkhole" servers, only just over half of the 1.6 million PCs once infected with the Rustock bot are now clean.
In March, Microsoft's Digital Crimes Unit (DCU) used a legal trick to have the botnet's command & control infrastructure taken down. Hard drives were confiscated from providers and domains were shut down or ownership transferred. Symantec says that the volume of spam collapsed as a result because the botnet was the largest sender of spam at the time.
But according to statistics made public by Microsoft, when the botnet was taken down, the malware was left behind on nearly 1.6 million PCs. It simply cannot receive any commands, so it remains inactive. Nonetheless, the infected machines remain dangerous: if a bot herder manages to put up a new, compatible C&C infrastructure, the zombie network could be reactivated. At present, providers are redirecting the bots' C&C communication to sinkhole domains, so that the bots only ever talk to a harmless server. In this way, the bots are prevented from receiving new commands and from delivering any data they have collected, and every bot that checks in reveals itself to the sinkhole operator.
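The infection counts quoted in this article come from sinkhole check-ins: each bot that polls the redirected C&C domain identifies its source address, and distinct addresses per day and country give a census of remaining zombies. The following is an added illustration, not Microsoft's or the providers' code; the log lines are constructed, and the "timestamp ip country" format is an assumption.

```python
from collections import defaultdict

# Constructed sample of sinkhole hits ("timestamp source_ip country").
# Illustrative only; the article quotes Microsoft's totals, not its raw logs.
SINKHOLE_LOG = """\
2011-03-31T09:00:00Z 203.0.113.5 IN
2011-03-31T09:00:05Z 203.0.113.5 IN
2011-03-31T09:01:00Z 203.0.113.9 IN
2011-03-31T09:01:30Z 203.0.113.12 IN
2011-03-31T09:02:00Z 198.51.100.7 DE
2011-03-31T09:03:00Z 198.51.100.8 DE
2011-07-20T10:00:00Z 203.0.113.5 IN
2011-07-20T10:00:30Z 203.0.113.5 IN
2011-07-20T10:01:00Z 198.51.100.7 DE
"""


def bots_per_country(log_text, day):
    """Count distinct source IPs per country that hit the sinkhole on `day`
    (YYYY-MM-DD). A bot polls its C&C repeatedly, so repeated beacons from one
    address count once. NAT and DHCP churn still make this an estimate of
    machines, not an exact count, which is why such figures are approximate."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, country = line.split()
        if ts.startswith(day):
            seen[country].add(ip)
    return {country: len(ips) for country, ips in seen.items()}


def percent_drop(before, after):
    """Percentage by which each country's count fell between two snapshots;
    a country that vanished from the later snapshot counts as a 100% drop."""
    return {c: round(100.0 * (before[c] - after.get(c, 0)) / before[c], 1)
            for c in before if before[c] > 0}


if __name__ == "__main__":
    march = bots_per_country(SINKHOLE_LOG, "2011-03-31")
    july = bots_per_country(SINKHOLE_LOG, "2011-07-20")
    print("March:", march)
    print("July:", july)
    print("Drop:", percent_drop(march, july))
```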
Four months after the shutdown, more than 700,000 PCs are still zombies. India is king of the hill with around 100,000 Rustock infections, though that figure is 70 per cent below the level at the end of March. When asked, a Microsoft spokesperson could not explain why so many computers in India have been infected. In Germany, the number of zombies fell from 44,000 to 25,000, while the UK failed, happily for once, to make the top ten.
These figures clearly show how hard it is to get infected PCs cleaned thoroughly. Legal requirements rule out remote disinfection in most countries, so internet providers can only inform affected users and hope that they act on the information. In the only major remote-disinfection campaign to date, the FBI recently went after the Coreflood bot network.
Even Microsoft's own set of tools, such as the Malicious Software Removal Tool (MSRT), is of limited use; while MSRT detects and removes the Rustock files, users have to activate the tool themselves.
(Uli Ries / djwm)