Microsoft Pursues Botnet Herders Via Russian Newspapers

Microsoft has placed quarter-page notifications in two Russian newspapers, a legal formality required as part of its ongoing lawsuit in the U.S. against operators of Rustock, a defunct botnet used to send prolific amounts of pharmaceutical spam.

The advertisements serve to notify unnamed defendants in the legal suit and give them an opportunity to make their case, although it is extremely unlikely that anyone associated with Rustock would step forward. Microsoft believes Rustock’s operators are located in Russia.

After being granted a seizure order by a court in March, law enforcement raided hosting providers in the U.S. that had infrastructure supporting Rustock. In tandem, Microsoft filed a lawsuit in U.S. District Court for the Western District of Washington against 11 unnamed defendants whom they are still trying to identify.

The advertisements will run for 30 days in the Delovoy Petersburg newspaper, located in St. Petersburg, and in The Moscow News, a daily newspaper, wrote Richard Boscovich, a senior attorney with Microsoft’s Digital Crimes Unit.

“Although history suggests that the people associated with the IP (Internet protocol) addresses and domain names connected with the Rustock botnet are unlikely to come forward in response to a court summons, we hope the defendants in this case will present themselves,” Boscovich wrote. “If they do not, however, we will continue to pursue this case, including possibly within the Russian judicial system, if necessary.”

Microsoft has continued to post case documents on noticeofpleadings.com. It has also sent documents to the postal addresses and e-mail addresses that the defendants used to sign up for IP addresses and domains, Boscovich wrote.

No one has been prosecuted yet for running Rustock. But Boscovich wrote that Rustock remains nonfunctional, and the numbers of computers infected with its code continue to fall.

“Our technical countermeasures have worked effectively to prevent the bot’s self-defense mechanisms from reanimating it,” he wrote.

According to the latest status report filed in the case on May 23, Microsoft has served subpoenas to domain name registrars and e-mail providers with the intent to uncover real names. Microsoft is still waiting for a response to those subpoenas, the report said.

But the company has identified a Webmoney account that was used to fund some of Rustock’s command-and-control infrastructure. The owner of the account was identified as Vladimir Alexandrovich Shergin of Khimki, a city near Moscow. Microsoft is trying to determine if that information is accurate.

Company investigators are also looking into an individual who went by the nickname “Cosma2k,” according to the status report. The person is also believed to have signed up for equipment used for command-and-control servers. Cosma2k also used the names Dmitri A. Sergeev, Artem Sergeev and Sergey Vladomirovich Sergeev, the report said.

Send news tips and comments to jeremy_kirk@idg.com