Harnig Botnet Scuttled after Rustock Botnet Takedown



Friday, March 25, 2011




The Harnig botnet appears to have been abandoned by its operators in the wake of the Rustock botnet raids.

Harnig command and control servers were wiped clean by the botnet's operators soon after the news of the Rustock takedown was released.

Harnig had been a key component of the Rustock botnet's distribution network for roughly the previous two years. It may have been scuttled to prevent investigators from tracking down its creators after federal officials raided the internet hosting companies that provided services for Rustock's command and control operations.

The Rustock botnet, which was estimated to have controlled between 250,000 and 1,000,000 computers, was responsible for sending millions of product-related spam emails per day.

"I must say that this was quite surprising for me. Apparently there was no immediate danger to the Harnig botnet. No one was really going after it but it looks like the Harnig and Rustock operators must have been very close to each other such that a hit on Rustock panicked the Harnig bot herders and they felt that they better go underground for a while," said Atif Mushtaq, a security research engineer at FireEye.

Microsoft Corp. was instrumental in the Rustock botnet takedown. In February Microsoft provided documentation that detailed the botnet's extensive structure in a federal court filing that was part of a lawsuit against a number of John Doe defendants.

Acting on the information Microsoft provided, federal marshals this month raided several internet hosting providers across the U.S. and seized servers suspected of being used as Rustock command and control units.

Microsoft was also instrumental in efforts to shut down the Waledac botnet last year, though that botnet is still functioning at a diminished capacity.

The raids appear to have had an immediate impact on spam volume, but Rustock is likely to re-emerge at some point, given the number of companies willing to provide hosting services for botnet command and control operations.

For now, the Harnig botnet operators seem content to abandon the network.
