Spam Hits Pre-Rustock Takedown Levels

A spam outbreak is hitting levels not seen since Rustock was disabled in March, according to Commtouch

Global spam volumes have been declining since the Rustock infrastructure was damaged in March, but Commtouch researchers reported a massive spam outbreak that flooded users’ in-boxes this week.

The latest spam outbreak is the largest operation seen by researchers since the end of March, Avi Turiel, director of product marketing at Commtouch, wrote on the Commtouch Café blog. The “extraordinary increase” in email messages with malware attachments began August 8 and peaked August 12, according to Commtouch data.

Fake UPS Messages Proliferating

Even though the numbers are falling again, the average number of malicious emails being sent at this time is still 5.5 times greater than the average number of messages sent from the end of July to the beginning of the outbreak, Turiel said.

“The UPS name is once again being used to spread vast amounts of email-attached malware,” Turiel said. The emails appear to be delivery-confirmation messages, claiming a package was not sent for whatever reason.

Spammers used the same scam during the March outbreak before it switched the spoofed address to look like they were coming from DHL, a different package carrier service.

Sophos researchers are also seeing spam messages warning that the recipient’s credit card has been blocked. Purporting to be from “customer services” at a credit card issuer or company, such as Visa and Mastercard, the emails claim someone tried to withdraw a large amount on the card.

The messages helpfully state that it could be a “possibly illegal” operation, and that the user should contact the bank. The malicious payload is attached to the messages, and the user is told to find “more details” about the supposed transaction in the file.

The outbreak may just be an aberration, as there are signs it has already slowed down. While there are frequent spikes in spam traffic, the magnitude of this operation was larger than anything seen since March, Turiel said.

Spam Levels Were Dropping

A number of security vendors have been consistently reporting declines in global volume. The latest numbers from SpamCop shows overall volume stayed more or less unchanged between March and May. After a bit of a jump in June, volumes have dropped again, bringing July levels to even lower than what was seen in March, or last December, when Rustock temporarily went offline.

“The amount of spam has plummeted from 23,000 in mid 2010 to 5,000 now [August 2011], a drop of over 75 percent,” Terry Zink, a programme manager for Microsoft Forefront Online Security, wrote on his Cyber-Security blog. “The contrast couldn’t be starker – spammers are not spamming as much anymore,” Zink said.

Ever since the Justice Department, with the assistance of Microsoft, FireEye, and other security vendors and academics, seized several command-and-control servers controlling the Rustock botnet in March, global spam volumes have been dropping markedly. Even though the operation affected only servers located in the United States , Microsoft recently said the rate of systems in India and Russia being infected and becoming Rustock zombies has plunged significantly. The number of known Rustock systems also dropped 56 percent from more than 1.6 million at the end of March to just over 700,000 in June.

The Rustock botnet is “less than half the size it was” in March, Richard Boscovich, a senior attorney with Microsoft’s Digital Crime Unit, wrote July 5 on the official Microsoft blog.

At its height, Rustock may have been responsible for more than half the world’s spam, but it was in decline by March. The botnet accounted for a mere 47.5 percent of worldwide spam by the end of 2010. At the recent Black Hat security conference, FireEye researchers Julia Wolf and Alex Lanstein discussed how the gang behind Rustock used a number of spoofing techniques to trick administrators into thinking the spam was legitimate.