Late last week, the Rustock botnet was downed by Microsoft and the US Marshals Service after they received permission from the US District Court for the Western District of Washington to execute seizures of servers acting as the botnet’s C&C centers from hosting providers.
But it seems that Microsoft has inadvertently killed two birds with one stone – so to speak. According to FireEye’s researcher Atif Mushtaq, the Harnig botnet – also known as Piptea – has ceased to function on the very day that Microsoft began raiding Rustock’s servers.
Mushtaq speculates that Harnig’s bot herders are closely tied to Rustock’s, and also raises the possibility that they might be the same people. “There has been a long term relationship between the Harnig and Rustock botnets,” he said. “For the last 2 years or so, Rustock has almost always been seen being spread through Harnig. Very rarely will one see Rustock using some other infection vector or pay per install network to propagate itself.”
FireEye’s researchers, who have testified in court in favor of Microsoft’s action against Rustock, monitor the activity of a number of botnets, and around March 17th, they noticed that Harnig’s C&Cs suddenly stopped responding.
Mushtaq was surprised. “Apparently there was no immediate danger to the Harnig botnet. No one was really going after it but it looks like the Harnig and Rustock operators must have been very close to each other such that a hit on Rustock panicked the Harnig bot herders and they felt that they better go underground for a while,” he mused. “Keeping in view the timing of this sudden shutdown and Harnig’s obvious relationship with Rustock, it can’t be a coincidence.”
In all fairness, Harnig’s C&Cs have not been taken down, and they are likely still under the control of the bot herders. But the servers have been wiped clean of any trace that could lead law enforcement to them.
Dismantling the Harnig botnet would be a more difficult task than the breakup of Rustock. Its C&Cs are located all over the world and not just in the US. “It’s amazing that, in spite of the fact that most of these C&Cs are located in safe havens, the bot herders still chose to suspend all of their malicious activities,” commented Mushtaq.