Saturday, June 18, 2011

FireEye: Botnet Busters

by Christopher S. Stewart

Alex Lanstein stared at the 65-inch computer monitor in the living room of his Boston apartment. Streaming data lit up the screen, the actions of a cyberlord giving orders to his botnet, a zombie army of hijacked computers controlled from an unknown location. It was early in the morning of Mar. 16. The 25-year-old cybersecurity analyst had spent months preparing for the events soon to unfold. His reddish hair still matted down from sleep, Lanstein stood up and poured another cup of coffee. Suddenly, the data stream flickering on the monitor went dark, and a smile curled across Lanstein's stubbly face. Operation Rustock had begun.

Lanstein's employer, FireEye, is a Silicon Valley company that defends corporations and governments against targeted malicious software, or malware. FireEye's clients include Fortune 500 companies—Yahoo! (YHOO), EBay (EBAY), and Adobe Systems (ADBE), among them—and members of the U.S. intelligence community. The company had recently shut down some of the highest-profile spam-blasting organizations, winning recognition for imposing order on a generally disordered and unpoliced world.

Now, Lanstein and FireEye were chasing their mightiest target to date, the Web's most sprawling and advanced spam machine, called Rustock—pusher of fake pills, online pharmacies, and Russian stocks, the inspiration for its name. Over the past five years, Rustock had quietly—and illicitly—taken control of over a million computers around the world, directing them to do its bidding. On some days, Rustock generated as many as 44 billion digital come-ons, about 47.5 percent of all the junk e-mails sent, according to Symantec (SYMC), the computer security giant based in Mountain View, Calif. Although those behind Rustock had yet to be identified, profits from it were thought to be in the millions. "The bad guys," is what Lanstein had taken to calling them.

For months, FireEye plotted a counterattack, along with Microsoft (MSFT) and Pfizer (PFE)—Rustock was peddling fake Viagra, as well as sham lotteries stamped with the Microsoft logo. Working from FireEye's intelligence, U.S. Marshals stormed seven Internet data centers across the country, where Rustock had hidden its 96 command servers. Microsoft lawyers and technicians were there, too, along with forensics experts. Another team had been deployed in the Netherlands to destroy two other servers.

The sting was executed flawlessly, with everyone pouncing at once. And yet Rustock somehow fought back. From an unknown location, perhaps in Eastern Europe, the botmaster remotely sneaked back into its spam network, locked out Microsoft's technicians, and began to erase files. Clearly, those behind Rustock didn't want anyone seeing what was inside those hard drives.

After a struggle lasting about half an hour, the technicians finally wrested back control of the server. Lanstein's cell rang. T.J. Campana, senior manager for investigations for Microsoft's Digital Crimes Unit, told him it was over. "The bad guys lost."

Global spam levels plummeted as Rustock was taken offline. At the same time, the cybergeek community saw that something significant had happened. Who killed Rustock? And how? For two more days, Lanstein was under orders from a federal court in Seattle to keep silent as a way to defend against any leaks to the enemy. Even later, when he could talk, some of the biggest questions remained unanswered, such as who was behind Rustock, and what would he, she, or they try next?
