In a status report filed with a US District Court, Microsoft revealed some of the findings of forensic analysis conducted on the hard drives of defendants suspected to have been behind the Rustock botnet.
The evidence looks pretty damning, with drives found to hold email templates showing Bing, Viagra, Vicodin and Valium trademark names. Custom software for the creation of spam emails was also found, as well as thousands of email addresses and username and password combinations.
The suspicion of Russian involvement comes from evidence that the botnet system accessed Russian-based web sites, while there was also data on a hard drive showing that it was a starting point for cyber attacks aimed at the Russian IP space.
The report added, "The remaining 18 drives all exhibited common characteristics indicating that the systems associated with them were used as TOR nodes to provide anonymised internet access, and were likely used to gain anonymous access to Rustock systems."
More clues that Russians were involved came from a name identified with the Webmoney account used to pay for command and control servers used to host part of the Rustock infrastructure.
The report said, "Webmoney's records indicate that the owner of the Webmoney account is identified as a Vladimir Alexandrovich Shergin, associated with an address in Khimki, a city near Moscow."
"Microsoft is continuing its investigation to determine whether the name and contact information are authentic, whether this is a stolen identity and/or whether this person is associated with the events in this action." µ