Posted on behalf of Mat Nisbet, Malware Data Analyst, Symantec.cloud
Brian Krebs posted on KrebsOnSecurity a report about the Rustock botnet apparently going quiet yesterday, and spam from the botnet ceasing. I can confirm that at around 15:30 UTC on 16 March, the botnet known as Rustock ceased sending spam, as shown below:
The spike in the chart above is actually normal behaviour for Rustock, as can be seen from this next chart, covering a longer time period:
For the last year or so, Rustock has been the dominant source of spam in the world; by the end of 2010 it accounted for as much as 47.5% of all spam, and at its peak it was responsible for more than half of all global spam. However, in the last few months, other botnets have been steadily increasing their output to match, or even exceed, that of Rustock. One such example is Bagle, as can be seen in the following chart:
While Bagle does not produce spikes of traffic as large as Rustock's, its output is more consistent, so overall it matches Rustock, and lately its output has even been higher.
This increase from other botnets means that, so far, the takedown of Rustock has had little noticeable effect on the overall amount of spam tracked by MessageLabs Intelligence. In fact, traffic so far looks normal, as shown in the following chart for overall spam:
Rustock's traffic has a significant influence on the overall spam trend; its output stopped just after the final spike on the chart above, so it may be too early to tell whether there will be much effect on total levels of spam. What I would expect is that the normal daily spike in activity is likely to be smaller today without Rustock to drive it, and that spam traffic will be more consistent throughout the day.
Will this takedown or closure be permanent? At the moment, it is far too early to tell. Rustock has gone quiet before: over the last holiday season it stopped spamming for several days but came back as strong as ever. Only time will tell whether this will happen again.
UPDATE (18 March 2011):
Reviewing the data a day later, we can see a noticeable drop in mail volume since Rustock went offline. This decrease is very similar to the drop in volume observed in December, when the Rustock botnet last went offline. We saw a 12% decrease in overall spam volume between 16 and 17 March.
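The measurements discussed in this post, a source going silent, the flattening of the daily spike, and the day-over-day change in total volume, can be reproduced from a feed of classified spam events. The following Python is an added example and is not Symantec or MessageLabs code; it runs over a constructed feed in which "Rustock" has a daily spike and stops at 15:30 UTC on 16 March, while "Bagle" sends at a steady rate. The thresholds (three consecutive empty hours after at least 100 messages in the preceding 24) are illustrative assumptions, not the post's methodology.

```python
"""Hourly spam-volume aggregation, silent-source detection and day-over-day
change, run over a constructed feed of (timestamp, attributed botnet) events."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta, timezone

UTC = timezone.utc


def constructed_events():
    """Constructed sample feed, not Symantec/MessageLabs data: one
    (UTC datetime, botnet name) pair per classified spam message.
    Rustock: 20 msg/h with a spike to 120 msg/h at 14:00-15:59 UTC each day,
    stopping at 15:30 UTC on 16 March 2011. Bagle: a steady 100 msg/h."""
    events = []
    start = datetime(2011, 3, 14, tzinfo=UTC)
    rustock_stop = datetime(2011, 3, 16, 15, 30, tzinfo=UTC)
    for h in range(4 * 24):                      # 14-17 March inclusive
        hour = start + timedelta(hours=h)
        rate = 120 if hour.hour in (14, 15) else 20
        for i in range(rate):                    # spread evenly over the hour
            ts = hour + timedelta(minutes=60 * i / rate)
            if ts < rustock_stop:
                events.append((ts, "Rustock"))
        for i in range(100):
            events.append((hour + timedelta(minutes=0.6 * i), "Bagle"))
    return events


def hourly_counts(events):
    """{botnet: Counter{hour_start_datetime: messages}}."""
    counts = defaultdict(Counter)
    for ts, botnet in events:
        counts[botnet][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def daily_totals(events):
    """Total messages per UTC day across all sources, keyed by ISO date."""
    return Counter(ts.date().isoformat() for ts, _ in events)


def day_over_day_change(totals, iso_day):
    """Percentage change in total volume from the previous day to iso_day."""
    day = date.fromisoformat(iso_day)
    prev = totals.get((day - timedelta(days=1)).isoformat(), 0)
    if prev == 0:
        raise ValueError("no traffic on the previous day")
    return (totals.get(iso_day, 0) - prev) / prev * 100


def peak_to_mean(events, iso_day):
    """Ratio of the busiest hour to the mean hour on iso_day, all sources.
    1.0 means perfectly flat traffic; larger values mean a pronounced spike."""
    hours = Counter(ts.hour for ts, _ in events if ts.date().isoformat() == iso_day)
    if not hours:
        return 0.0
    return max(hours.values()) / (sum(hours.values()) / 24)


def first_silent_hour(per_hour, start, end, quiet_hours=3,
                      baseline_hours=24, min_baseline=100):
    """First hour in [start, end) at which a source that sent at least
    min_baseline messages in the preceding baseline_hours has gone on to
    send nothing for quiet_hours consecutive hours. None if it never did.
    The baseline requirement avoids flagging a source that was never active."""
    hour = start
    while hour + timedelta(hours=quiet_hours) <= end:
        baseline = sum(per_hour.get(hour - timedelta(hours=k), 0)
                       for k in range(1, baseline_hours + 1))
        window = [per_hour.get(hour + timedelta(hours=k), 0)
                  for k in range(quiet_hours)]
        if baseline >= min_baseline and not any(window):
            return hour
        hour += timedelta(hours=1)
    return None


def detect_silent_sources(events, **kwargs):
    """{botnet: ISO timestamp of its first silent hour, or None if still active}."""
    counts = hourly_counts(events)
    stamps = [ts for ts, _ in events]
    start = min(stamps).replace(minute=0, second=0, microsecond=0)
    end = max(stamps).replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
    result = {}
    for botnet, per_hour in counts.items():
        silent = first_silent_hour(per_hour, start, end, **kwargs)
        result[botnet] = silent.isoformat() if silent else None
    return result


if __name__ == "__main__":
    events = constructed_events()
    totals = daily_totals(events)
    print(detect_silent_sources(events))
    for day in ("2011-03-16", "2011-03-17"):
        print(day, totals[day], f"{day_over_day_change(totals, day):+.1f}%",
              f"peak/mean {peak_to_mean(events, day):.2f}")
```

With hourly buckets the earliest the cessation can be reported is the first fully empty hour (16:00 UTC here, half an hour after the constructed stop), and the drop in total volume only shows in full on the first complete day without the source, which is why the post's 12% figure compares 16 and 17 March rather than the day of the stop itself.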
A projection of global spam volumes may also be seen here: http://www.symantec.com/business/security_response/landing/spam/index.jsp
According to a recent Wall Street Journal article (http://online.wsj.com/article/SB10001424052748703328404576207173861008758.html?mod=WSJ_Tech_LEFTTopNews), Microsoft has taken direct action against command and control hosts used by the Rustock botnet. It remains to be seen whether the actions taken against Rustock will remain in place or whether the botnet will be able to recover.