Symantec Intelligence

Rustock – The Botnet with a Heartbeat

Created: 06 Oct 2009
By Paul Wood

Further analysis of Rustock reveals some interesting insights regarding how it seems to have settled into a remarkably predictable pattern of spamming in the last few months - so regular that it may be possible to set your watch by it!  Every day at 8 a.m. GMT (3 a.m. ET) it begins to send out spam emails, continuing throughout the day, peaking at about midday GMT (7 a.m. ET), and then ceasing spamming at midnight GMT (7 p.m. ET).  It then rests for about eight hours, before the cycle begins again the following day.

Figure 1 - Rustock's New, Regular Spamming Pattern (image: 2009Sep_Ex_rustock.gif)

Figure 2 - Typical Spam Output from Cutwail (image: 2009Sep_Ex_cutwail.gif)

This pattern of spamming for Rustock (Figure 1) began around July 6-12, 2009.  Prior to that, Rustock was spamming in much bigger bursts, but less frequently, roughly two weeks on followed by two weeks off.  Analysis of the other major botnets sending spam reveals that there is no other botnet with such a regular cycle; they often tend to send spam continually at varying levels, such as in Figure 2 above, which shows a similar profile for activity from the Cutwail botnet.

Although it is not possible to know for sure, perhaps the organization responsible for Rustock has set up a regular and very highly automated cycle like this to balance spamming activity with some other botnet activity. This would suggest that spammers are allowed to rent the botnet between the hours of 8 a.m. and midnight GMT (3 a.m. - 7 p.m. ET). The time between midnight GMT (7 p.m. ET) and 8 a.m. GMT (3 a.m. ET) may then perhaps be used for a number of activities such as performing botnet maintenance, searching for opportunities to compromise legitimate websites with malware, registering new domains, performing DDoS attacks, harvesting personal information from infected machines, or simply spending the night updating bots with instructions for the following day's spam.

Because Rustock is one of the dominant botnets, responsible for as much as 10% of all spam, the same pattern can now be observed in total daily spam patterns for all spam. Total spam accelerates from 8 a.m. GMT (3 a.m. ET), peaks around midday GMT (7 a.m. ET), and dies down at midnight GMT (7 p.m. ET).
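The regular on/off schedule described above is something a mail operator can look for in their own volume data. The following is an added example, not code from the report or from MessageLabs: it bins timestamped mail events into an average per-hour-of-day profile in GMT, then finds the longest quiet run and the peak hour, which for a Rustock-like schedule should come out as quiet 00:00-08:00, active from 08:00, peak around midday. The sample series is constructed synthetically.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def hourly_profile(timestamps):
    """Average event count per UTC hour-of-day across all days present."""
    per_hour = defaultdict(int)
    days = set()
    for ts in timestamps:
        ts = ts.astimezone(timezone.utc)
        days.add(ts.date())
        per_hour[ts.hour] += 1
    n_days = max(len(days), 1)
    return [per_hour[h] / n_days for h in range(24)]

def quiet_window(profile, fraction=0.05):
    """Longest circular run of hours at or below fraction*peak volume.
    Returns (start_hour, length); (None, 0) if no hour is quiet."""
    thresh = max(profile) * fraction
    best_start, best_len = None, 0
    for start in range(24):
        length = 0
        while length < 24 and profile[(start + length) % 24] <= thresh:
            length += 1
        if length > best_len:
            best_start, best_len = start, length
    return best_start, best_len

def schedule_summary(timestamps):
    """Summarise the daily schedule: peak hour, quiet window, first active hour (UTC)."""
    profile = hourly_profile(timestamps)
    start, length = quiet_window(profile)
    return {
        "peak_hour": profile.index(max(profile)),
        "quiet_start": start,
        "quiet_hours": length,
        "active_start": (start + length) % 24 if start is not None else None,
    }

def constructed_rustock_like_series(days=3):
    """Constructed sample: active 08:00-23:59 UTC with a triangular peak at 12:00."""
    base = datetime(2009, 9, 1, tzinfo=timezone.utc)
    events = []
    for d in range(days):
        for hour in range(8, 24):
            count = max(1, 20 - abs(hour - 12))  # more events closer to midday
            for i in range(count):
                events.append(base + timedelta(days=d, hours=hour, minutes=i))
    return events
```

Run `schedule_summary(constructed_rustock_like_series())` on real MTA timestamps (converted to UTC) to see whether your own inbound volume carries the same eight-hour gap.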

This is an excerpt of the September 2009 MessageLabs Intelligence Report. Read the entire report here or listen to the podcast.