Symantec Intelligence

Rustock hiatus ends with huge surge of pharma spam

Created: 10 Jan 2011 • 5 comments

Posted on behalf of Mathew Nisbet, Malware Analyst, Symantec Hosted Services and Matt Sergeant, Senior Anti-Spam Technologist, Symantec Hosted Services

On December 25, 2010, Rustock, the largest of the spam botnets, went quiet. Why this happened, we don't know, but what we do know is that global spam levels dropped massively as a result. MessageLabs Intelligence analysts did not expect this respite to last, and sadly we were right.
 
Since around 00:00 (UTC) on January 10, Rustock has resumed activity, and appears set to continue where it left off on December 25 as the biggest source of global spam.

As Rustock has now returned, the overall level of spam has increased. MessageLabs Intelligence honeypot servers have seen an increase of roughly 98 percent in spam traffic between 00:00 and 10:00 today compared to the same period on January 9. While levels of Rustock output appear marginally lower than before Christmas, we see no reason they won't reach those previous levels again, bringing global spam levels back up to the approximately 90% level we had become so used to.

During the spam lull Rustock continued to exercise click fraud, a profitable activity of using the botnet to simulate a "click" on a web page advertisement, bringing automatic revenue from the advertisers (who charge on a "pay per click" model) to the operators of the botnet.

True to form, Rustock is spewing mostly pharma spam with subjects like "Dear [username] -80% now". The username is whatever appears before the @ symbol in the To address. This appears to be the "Pharmacy express" branding.
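The subject template described above, where the spammer mirrors the recipient's own address back at them, is something a mail filter or honeypot can check for directly. The following is an added example written for this page, not code from the original post or from MessageLabs; the message headers it parses are constructed samples, and the only detail taken from the post is the "Dear [username] -80% now" subject shape. It classifies each message as clean, as matching the pharma template, or as matching the template with the recipient's local part personalised into it.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Subject shape reported in the post: "Dear <username> -80% now".
# The captured name is later compared against the To-address local part.
PHARMA_SUBJECT = re.compile(r"^\s*Dear\s+(?P<name>\S+)\s+-80%\s+now\s*$", re.IGNORECASE)

# Constructed sample headers (not real honeypot captures); addresses are made up.
SAMPLE_MESSAGES = [
    "To: alice.smith@example.org\nSubject: Dear alice.smith -80% now\n\nbody",
    "To: Bob <bob@example.net>\nSubject: Dear bob -80% now\n\nbody",
    "To: carol@example.com\nSubject: DEAR CAROL -80% NOW\n\nbody",
    # Template present but the name does not match the recipient: a mis-addressed copy.
    "To: dave@example.com\nSubject: Dear alice -80% now\n\nbody",
    "To: erin@example.com\nSubject: Meeting notes for Monday\n\nbody",
]


def recipient_local_part(to_header):
    """Return the part of the To address before '@', lower-cased.

    parseaddr strips display names, so 'Bob <bob@example.net>' yields 'bob'.
    """
    _, addr = parseaddr(to_header or "")
    return addr.split("@", 1)[0].lower()


def classify_subject(to_header, subject):
    """Classify one message from its To and Subject headers.

    Returns one of:
      'clean'               - subject does not match the template
      'pharma-template'     - template matched, name differs from recipient
      'pharma-personalized' - template matched and name equals the To local part
    """
    match = PHARMA_SUBJECT.match(subject or "")
    if not match:
        return "clean"
    if match.group("name").lower() == recipient_local_part(to_header):
        return "pharma-personalized"
    return "pharma-template"


def classify_messages(raw_messages):
    """Parse each raw RFC 822 text and return a verdict per message, in order."""
    verdicts = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        verdicts.append(classify_subject(msg.get("To"), msg.get("Subject")))
    return verdicts


def verdict_counts(raw_messages):
    """Tally verdicts, the way a honeypot would summarise a time window."""
    return dict(Counter(classify_messages(raw_messages)))


if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_MESSAGES, classify_messages(SAMPLE_MESSAGES)):
        print(verdict.ljust(20), raw.splitlines()[1])
    print(verdict_counts(SAMPLE_MESSAGES))
```

The comparison is deliberately done on the local part rather than the full address, since that is exactly the token the post says the spam inserts; matching only the "-80% now" suffix would also catch copies where the name does not line up, which the example reports separately rather than discarding.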

The Xarvester botnet has also returned, though, as before it shut down, it is sending significantly less spam than Rustock.

It is too early to say what effect this will have on global spam levels, or if this return is permanent, but at the moment it certainly seems as if the holiday is over and it's now back to business as usual.

 

Comments

Stephen Heider wrote:

Hi.

From the timing of the lull, it would almost support the theory that it's not home PCs which are the source of these sends - but some kind of business PC system, one that was shut for the holidays, for 2 weeks from Dec 25.

Either that, or the bot-daddies took themselves a holiday, and either forgot to schedule distribution or else didn't pay for their own UPS systems before they went!

Cheers,

Stephen

linusv wrote:

Whatever it is, this is proof that it can be shut down. More in-depth knowledge will certainly lead to better counter-strike measures.

Considering that 2012 is just around the corner, such knowledge could prove invaluable.

Interesting.

Evil never sleeps, hence this certainly points to a major weakness to be used.

xlloyd wrote:

I don't think it points to some major weakness. How can you possibly exploit the fact that they went on a break in order to come up with a method to crack down on it?

If you ask me, the break was probably because of winter break at schools as well as the companies shutting down. The college and high-school computer labs across the US would have been shut down for the break, while for organisations only mission-critical servers would be running.

As for this showing a weakness, all it means is that Rustock is dependent on people. If we can educate the majority of organisations about not only the people illegally making profit and wreaking havoc on their computers, but also what we tech-savvy people consider basic Internet security, it would put a damper on their activities.

Here's my take:

https://www-secure.symantec.com/connect/blogs/my-take-rustock-real-face-internet-security

The Mikester101 wrote:

When I receive repeat spam e-mails (even after "unsubscribing"), who can I report this to who can try to shut these spammers down?

Mikester101

Izabella5 wrote:

Considerably, the article is in reality the greatest on this noteworthy topic. I agree with your conclusions and will eagerly look forward to your next updates. Saying thanks will not just be sufficient, for the wonderful clarity in your writing. I will immediately grab your rss feed to stay privy of any updates. Pleasant work and much success in your business dealings!