Microsoft finds 427K email addresses on knocked-out Rustock server

Digital forensics exam of servers seized in March point toward Russian hackers

Microsoft investigators uncovered a cache of more than 400,000 email addresses on one hard drive it seized in March when it led an organized takedown of the Rustock botnet, according to court documents.

In a status report submitted Monday to a federal judge, Microsoft spelled out the results of its ongoing investigation into the hardware obtained by the U.S. Marshals Service and other law enforcement agencies.

The takedown of Rustock -- a huge botnet responsible for sending as many as 30 billion spam messages daily -- was orchestrated by Microsoft, and backed by warrants that let authorities in the U.S. and elsewhere seize the hackers' command-and-control (C&C) servers.

"Additional evidence of the system's role in spam-dissemination was also uncovered, including custom-written software relating to assembly of spam emails and text files containing thousands of email addresses and username/password combinations," Microsoft told U.S. District Court Judge James Robart in the May 23 filing. "One text file alone contained over 427,000 email addresses."

Along with the email addresses, Microsoft's forensics experts also uncovered evidence that the cyber criminals used stolen credit cards to purchase hosting and email services.

Microsoft traced payments for the hosting of some of Rustock's C&C servers to a specific Webmoney account, and after asking the Russian online payment service for help, identified the owner of that account as one Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.

The status report cautioned that Shergin might not be the actual purchaser of Rustock's C&C hosting services.

"Microsoft is continuing its investigation to determine whether the name and contact information are authentic, whether this is a stolen identity and/or whether this person is associated with the events in this action," the company said.

Rustock's C&C servers were taken offline in mid-March. Microsoft announced its part in the takedown May 17, just hours after security experts noticed that the botnet had gone dark.

Other tidbits gleaned from the seized computers pointed toward Russian hackers, said Microsoft.

Eighteen of the 20 drives obtained under the court order had been used as Tor nodes to provide the attackers with anonymous access to both the Internet as a whole, and to the hijacked Windows PCs that made up the Rustock botnet.

Tor relies on routing Internet traffic through a network machines maintained by volunteers in numerous countries, and is used not only by activists in nations where governments monitor or filter Web communication, but also by hackers to stymie detection.

The Rustock takedown is not the only one Microsoft has recently led: Last month, the company headed the takedown of Coreflood. As part of that anti-botnet action, the U.S. Department of Justice and the Federal Bureau of Investigation (FBI) were given permission to further disrupt the botnet by throwing a "kill switch" that disabled the Trojan on already-infected PCs.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Microsoftsecurityprivacy

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?