Microsoft plans to take its next step against the operators of the Rustock botnet in coming weeks, revealing information about cybercriminals' identities.

In March, federal marshals and a third-party forensics firm served legal court orders to hosting providers in seven U.S. cities, allowing them to seize the computers suspected of managing and controlling the Rustock botnet. Since the March takedown, the investigators have analyzed the hard drives for information identifying the operators of the criminal network.

"We are close to filing a certain notice, which is a requirement of U.S. law, for the people that we believe are involved in Rustock, that there will be a hearing and that they should be present," said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit. "Obviously, we don't expect anybody to go, but it is a constitutional requirement under U.S. law."

The takedown of the Rustock botnet is the latest attack on cybercriminals under the auspices of Microsoft's Active Response for Security (MARS) program, which tasks the software giant's legal and technical teams to create a framework with which to combat cybercrime.

The takedown caused spam to drop by a third, but also left surviving botnets jockeying to absorb the demand for spam services.

The latest move by Microsoft is part of the requirements of the special court order that allowed the company to arrange the takedown of the botnet servers without first notifying their owners. Known as an ex parte temporary restraining order (TRO), the judgment also requires the company to attempt to notify the owners of the botnet. As such, the company will publish legal notices in two newspapers in the country in which it believes the bot operators reside, Boscovich said.

"Microsoft must now make a good faith effort to contact the domain and server owners notifying them of the severance as well as the date, time and location of the hearing where they will have an opportunity to make their case," Boscovich said.

Microsoft did not discuss to what extent the company's researchers had been able to identify the operators. The hard drives could very likely have recorded the Internet addresses of the operators' computer systems. Yet attribution is a thorny problem on the Internet, said Mark Rasch, a former cybercrime prosecutor and director of cybersecurity and privacy consulting at CSC.


"You can bet that they have done a lot of formal forensics, so they have a pretty good idea that this is the last step in turning IP addresses into actual identities," Rasch said. "But they could be wrong. They could have traced it back eleven steps out of 15."
