Rustock Botnet Ceases Activity But May Be Sleeping

Rustock botnet, one of the most active spam-distribution botnets in 2010, appears to have stopped sending out any of its Canadian pharmaceutical spam, again.

The Rustock botnet ceased sending out spam midmorning of March 16, said Mat Nisbet, malware data analyst at Symantec.cloud. According to graphs posted March 17 on MessageLabs Intelligence Blog, Rustock regularly alternates between high and low volumes, so the spike before it stopped activity was not unusual, according to Nisbet.

It is not clear whether the lack of any activity coming from the botnet is the result of law enforcement or some kind of a hardware issue, according to Nisbet.

Not Dead, Just Resting?

It is also too early to tell whether Rustock has been taken down or voluntarily closed, because Rustock has gone quiet before. It was quiet over the holiday season when spam activity stopped on December 15. It resumed operations on January 10, according to Symantec’s Marissa Vicario.

The botnet had some kind of disruption of its command-and-control servers and its spam silence appears to be temporary, Fred Touchette, senior security analyst at AppRiver, told eWEEK.

Rustock accounted for as much as 47.5 percent of all spam worldwide by the end of 2010. At its peak, it may have been responsible for more than half of all spam, Nisbet said. However, Rustock’s output has been declining over the past few months and other botnets have been increasing their spam volumes. The Bagle botnet, while it does not have the regular spikes and dips that marked Rustock’s performance, has a fairly consistent rate of output and has lately increased its total volume, Nisbet said.

Before Christmas, Rustock was accountable for as much as 44 billion spam emails per day, according to Paul Wood, MessageLabs senior intelligence analyst for Symantec Hosted Services. Within 24 hours of resuming operations in January, it was pumping out 19 percent of global spam, Wood said.

Even while it was not sending spam, Rustock was still active in other ways, particularly in click-fraud, where the bots simulate a “click” on a Web page advertisement, according to Vicario. Click fraud brings automatic revenue from the advertisers who charge on a “pay-per-click” model to the botmasters, so it stands to reason that the botnet may be engaged in other behaviours during this current downtime.

Estimates of Rustock’s size vary. Wood said the botnet has between 1.1 million and 1.7 million computers globally. Spamhaus’ Composite Spam Blocklist estimates at least 815,000 Windows computers are currently infected with Rustock but said the number is a conservative estimate. On the other hand, Gunter Ollmann, vice president of research at Damballa, considers those estimates too high. Rustock did not even make it into Damballa’s most recent report listing the top 50 largest botnets infecting computers in North America, Ollmann told eWEEK.

No Change In Traffic

The bad news is that even with this takedown of Rustock, there appears to be no real impact on total spam volumes. MessageLabs Intelligence tracks spam and said traffic looks normal for this time of the year.

The computers that are already infected with Rustock remain infected, as well. These bots are essentially waiting for new instructions and will continue to wait. The botmaster just needs to register a site name that the individual bot will recognise. Once found, the bot will know where to go to get the latest instructions and software updates and be back in operation almost immediately.

The computers are still vulnerable to the same tactics and exploits that caused them to join the botnet in the first place, Ollmann said.

It is still good news that one of the most prolific botnets that clogged inboxes for almost all of 2010 will be offline at least for a little while.