{
	"id": "b239cc67-da94-43dc-aab2-d5f19e5d238e",
	"created_at": "2026-04-06T00:13:12.55435Z",
	"updated_at": "2026-04-10T03:23:51.82266Z",
	"deleted_at": null,
	"sha1_hash": "86c838be364ed140ee8f0b1c2e0eeaee559a3987",
	"title": "Microsoft Hunting Rustock Controllers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 106422,
	"plain_text": "Microsoft Hunting Rustock Controllers\r\nPublished: 2011-03-29 · Archived: 2026-04-05 18:49:44 UTC\r\nWho controlled the Rustock botnet? The question remains unanswered: Microsoft’s recent takedown of the\r\nworld’s largest spam engine offered tantalizing new clues to the identity and earnings of the Rustock botmasters.\r\nThe data shows that Rustock’s curators made millions by pimping rogue Internet pharmacies, but also highlights\r\nthe challenges that investigators still face in tracking down those responsible for building and profiting from this\r\ncomplex crime machine.\r\nEarlier this month, Microsoft crippled Rustock by convincing a court to let it\r\nseize dozens of Rustock control servers that were scattered among several U.S.-based hosting providers. Shortly\r\nafter that takedown, I began following the money trail to learn who ultimately paid the botnet controllers’ hosts for\r\ntheir services.\r\nAccording to interviews with investigators involved in the Rustock takedown, approximately one-third of the\r\ncontrol servers were rented from U.S. hosting providers by one entity: A small business in Eastern Europe that\r\nspecializes in reselling hosting services to shadowy individuals who frequent underground hacker forums.\r\nKrebsOnSecurity.com spoke to that reseller. In exchange for the agreement that I not name his operation or his\r\nlocation, he provided payment information about the customer who purchased dozens of servers that were used to\r\nmanipulate the day-to-day operations of the massive botnet.\r\nThe reseller was willing to share information about his client because the customer turned out to be a deadbeat:\r\nThe customer walked out on two months worth of rent, an outstanding debt of $1,600. The reseller also seemed\r\nwilling to talk to me because I might be able bend the ear of Spamhaus.org, the anti-spam group that urged ISPs\r\nworldwide to block his Internet addresses (several thousand dollars worth of rented servers) shortly after\r\nMicrosoft announced the Rustock takedown.\r\nhttps://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/\r\nPage 1 of 5\n\nI found the reseller advertising his services on a Russian-language forum that caters exclusively to spammers,\r\nwhere he describes the hardware, software and connection speed capabilities of the very servers that he would\r\nlater rent out to the Rustock botmaster. That solicitation, which was posted on a major spammer forum in January\r\n2010, offered prospective clients flexible terms without setting too many boundaries on what they could do with\r\nthe servers. A translated version of part of his message:\r\n“I am repeating again that the servers are legitimate, funded by us and belong to our company. To the\r\ndatacenters, we are responsible to ensure that you are our client, and that you will not break the terms of\r\nuse. Also, to you we are responsible to make sure that the servers are not going to be closed down\r\nbecause of credit card chargebacks, as it happens with servers funded with stolen credit cards. In\r\nconclusion, they do not have an abuse report center, they are suitable for legitimate projects, VPNs and\r\neverything else that does not lead to problems and complaints to the data center from active Internet\r\nusers. Please, take it in consideration, so that nobody is pissed off and there is no bad impression from\r\nour partnership.”\r\nThe reseller said he had no idea that his customer was using the servers to control the Rustock botnet, but he\r\nhastened to add that this particular client didn’t attract too much attention to himself. According to the reseller, the\r\nservers he resold to the Rustock botmaster generated just two abuse complaints from the Internet service providers\r\n(ISPs) that hosted those servers. Experts say this makes sense because botnet control servers typically generate\r\nfew abuse complaints, because they are almost never used for the sort of activity that usually prompts abuse\r\nreports, such as sending spam or attacking others online. Instead, the servers only were used to coordinate the\r\nactivities of hundreds of thousands of PCs infected with Rustock, periodically sending them program updates and\r\nnew spamming instructions.\r\nThe reseller was paid for the servers from an account at WebMoney, a virtual currency similar to PayPal but more\r\npopular among Russian and Eastern European consumers. The reseller shared the unique numeric ID attached to\r\nthat WebMoney account — WebMoney purse “Z166284889296.” That purse belonged to an “attested”\r\nWebMoney account, meaning that the account holder at some point had to verify his identity by presenting an\r\nofficial Russian passport at a WebMoney office. A former law enforcement officer involved in the Rustock\r\ninvestigation said the name attached to that attested account was “Vladimir Shergin.” According to the reseller, the\r\nclient stated in an online chat that he was from Saint Petersburg, Russia.\r\nA LUCRATIVE PILL-PUSHING MACHINE\r\nhttps://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/\r\nPage 2 of 5\n\nAs it happens, that same WebMoney account is connected to\r\nthree of the top promoters of “SpamIt,” a rogue pharmacy program that paid spammers millions of dollars to\r\npromote fly-by-night sites that sold counterfeit prescription drugs. SpamIt closed its doors in September 2010\r\nwhen its alleged leader came under scrutiny from Russian authorities. The SpamIt financial books sent to me by\r\nan anonymous source last year include the ICQ numbers, phone numbers and financial account information for\r\nhundreds of established criminal hackers and spammers. The SpamIt accounts show that a promoter using the\r\nnickname “Cosma2k” who used that WebMoney account was consistently among the top 10 moneymakers for\r\nSpamIt, and that he earned more than a half-million dollars in commissions over the course of three years with the\r\npharmacy program.\r\nYet this appears to be only a fraction of Cosma2k’s total earnings through SpamIt. The pharmacy program’s\r\nrecords show that a Cosma2k affiliate also used at least one other WebMoney account that was shared with two\r\nother top SpamIt members, accounts tied to the user names “Bird” and “Adv1.” A review of the account details\r\nfor all three affiliates show they also all provided the same ICQ number at time of registration. The total\r\ncommissions from all three user accounts at SpamIt was nearly $2.14 million over three-and-a-half years.\r\nBut that’s not all: Those same three affiliate names — Cosma2k, Bird and Adv1 — also were registered using the\r\nsame ICQ account at Rx-Promotion, a competing rogue Internet pharmacy program. Rx-Promotion suffered a\r\nsecurity breach last year in which its affiliate records were taken. A copy of those records was shared with\r\nKrebsOnSecurity.com, and they show that these three accounts collectively earned approximately $200,000 in\r\ncommissions by promoting pharmacy Web sites for Rx-Promotion in 2010.\r\nIf Cosma2k really is responsible for Rustock, the payment data suggests either that he was sharing control over the\r\nbotnet with others, or that he split his promotion activities across multiple accounts, perhaps to keep legions of\r\nother affiliates from feeling resentful of his earnings and to avoid calling undue attention to any one account. In\r\nfact, the SpamIt account belonging to Bird was by far the highest earning affiliate account in the entire history of\r\nprogram, and Bird routinely earned twice as much in commissions as the next most successful affiliate (which\r\noften enough was either Cosma2k or Adv1). In January 2010, for example, the SpamIt records show Bird’s spam\r\ngenerated more than $130,000 in pharmacy sales, while the next most successful affiliate for that month realized\r\nabout $86,000 in sales.\r\nhttps://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/\r\nPage 3 of 5\n\nAlex Lanstein, a network architect at FireEye, a Milpitas, Calif. based security\r\nfirm that worked closely with Microsoft on the Rustock takedown, said he doubts there were multiple people\r\nresponsible for running Rustock.\r\nIn fact, Lanstein said, bots such as ZeuS and Mega-D have shown that it doesn’t take more than one coder to be\r\nwildly successful. “Most people probably assume that to be wildly successful in the world of botnets, you need to\r\nhave a huge team of programmers. Most malware these days is specialized with only one or two real functions\r\nbuilt-in,” Lanstein said. “Why incur of the overhead of splitting profits when a bot operator can pay one-time fees\r\nto a 3rd party service and keep the real profit for yourself?”\r\n“Unfortunately the barrier for entry into the malware game is extremely low, and when extradition is difficult, and\r\nthe criminals avoid affecting computers in their own country, the burden on law enforcement is extreme.”\r\nSOFTWARE GIANT SEEKS BOTMASTER FOR COURTROOM DRAMA\r\nMicrosoft also was in communication with my informant reseller, and obtained much of the same data as I did.\r\nAnd the company plans to soon publish at least some of the information, albeit in a rather unusual way. According\r\nto Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit, the software giant seized the Rustock\r\ncontrol servers by securing what’s known as an “ex parte temporary restraining order,” which allowed Microsoft\r\nto take down the botnet without giving the defendants advance notice.\r\nBut Microsoft is required by law to now make a “good faith effort” to contact the owner(s) of Rustock control\r\ndomains and other infrastructure the company has since seized, and to notify the individual(s) of the date, time\r\nand location of an upcoming court hearing in Seattle, Washington, where the defendants will have an opportunity\r\nto be heard.\r\nMicrosoft will publish the information on a Web site set up for this purpose – noticeofpleadings.com. The\r\ncompany may also seek to publish the information in one or more major Russian newspapers, Boscovich said.\r\n“We will have to send out a notice to the individual or [group of] individuals we believe is behind the bot,”\r\nBoscovich said. “We will probably also serve notice of process in Russian newspapers or in a Saint Petersburg\r\nnewspaper, saying ‘Hey, Mr. Such-and-Such, there is a court hearing in Seattle on this case and we expect you to\r\nbe there.'”\r\nIt will be interesting to see who, if anyone, responds to the Microsoft notices, and whether the veil of anonymity\r\nwill be lifted from the pseudonyms of botmasters, spammers, and account holders. Stay tuned!\r\nhttps://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/\r\nPage 4 of 5\n\nSource: https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/\r\nhttps://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/"
	],
	"report_names": [
		"microsoft-hunting-rustock-controllers"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86c838be364ed140ee8f0b1c2e0eeaee559a3987.pdf",
		"text": "https://archive.orkl.eu/86c838be364ed140ee8f0b1c2e0eeaee559a3987.txt",
		"img": "https://archive.orkl.eu/86c838be364ed140ee8f0b1c2e0eeaee559a3987.jpg"
	}
}