[ISN] FireEye: Botnet Busters

From: InfoSec News <alerts_at_private>
Date: Wed, 29 Jun 2011 00:04:31 -0700 (MST)
Forwarded from: Simon Taplin <simon (at) simontaplin.net>

http://www.businessweek.com/magazine/content/11_26/b4234072712001.htm

By Christopher S. Stewart
Businessweek
June 16, 2011

Alex Lanstein stared at the 65-inch computer monitor in the living room of his 
Boston apartment. Streaming data lit up the screen, the actions of a cyberlord 
giving orders to his botnet, a zombie army of hijacked computers controlled 
from an unknown location. It was early in the morning of Mar. 16. The 
25-year-old cybersecurity analyst had spent months preparing for the events 
soon to unfold. His reddish hair still matted down from sleep, Lanstein stood 
up and poured another cup of coffee. Suddenly, the data stream flickering on 
the monitor became dark, and a smile curled across Lanstein's stubbly face. 
Operation Rustock had begun.

Lanstein's employer, FireEye, is a Silicon Valley company that defends 
corporations and governments against targeted malicious software, or malware. 
FireEye's clients include Fortune 500 companies—Yahoo! (YHOO), EBay (EBAY), and 
Adobe Systems (ADBE), among them—and members of the U.S. intelligence 
community. The company had recently shut down some of the highest-profile 
spam-blasting organizations, winning recognition for imposing order on a 
generally disordered and unpoliced world.

Now, Lanstein and FireEye were chasing their mightiest target to date, the 
Web's most sprawling and advanced spam machine, called Rustock—pusher of fake 
pills, online pharmacies, and Russian stocks, the inspiration for its name. 
Over the past five years, Rustock had quietly—and illicitly—taken control of 
over a million computers around the world, directing them to do its bidding. On 
some days, Rustock generated as many as 44 billion digital come-ons, about 47.5 
percent of all the junk e-mails sent, according to Symantec (SYMC), the 
computer security giant based in Mountain View, Calif. Although those behind 
Rustock had yet to be identified, profits from it were thought to be in the 
millions. "The bad guys," is what Lanstein had taken to calling them.

For months, FireEye plotted a counterattack, along with Microsoft (MSFT) and 
Pfizer (PFE)—Rustock was peddling fake Viagra, as well as sham lotteries 
stamped with the Microsoft logo. Working from FireEye's intelligence, U.S. 
Marshals stormed seven Internet data centers across the country, where Rustock 
had hidden its 96 command servers. Microsoft lawyers and technicians were 
there, too, along with forensics experts. Another team had been deployed in the 
Netherlands to destroy two other servers.

The sting was executed flawlessly, with everyone pouncing at once. And yet 
Rustock somehow fought back. From an unknown location, perhaps in Eastern 
Europe, the botmaster remotely sneaked back into its spam network, locked out 
Microsoft's technicians, and began to erase files. Clearly, those behind 
Rustock didn't want anyone seeing what was inside those hard drives.

After a struggle lasting about half an hour, the technicians finally wrested 
back control of the server. Lanstein's cell rang. T.J. Campana, senior manager 
for investigations for Microsoft's Digital Crimes Unit, told him it was over. 
"The bad guys lost."

[...]


Received on Wed Jun 29 2011 - 00:04:31 PDT
