Rustock hiatus ends with huge surge of pharma spam
Posted on behalf of Mathew Nisbet, Malware Analyst, Symantec Hosted Services and Matt Sergeant, Senior Anti-Spam Technologist, Symantec Hosted Services
On December 25, 2010, Rustock, the largest of the spam botnets, went quiet. Why this happened, we don't know but what we do know is that global spam levels dropped massively as a result. MessageLabs Intelligence analysts did not expect this respite to last, and sadly we were right.
Since around 00:00 (UTC) on January 10, Rustock has resumed activity, and appears set to continue where it left off on December 25 as the biggest source of global spam.
As Rustock has now returned, this means the overall level of spam has increased. MessageLabs Intelligence honeypot servers have seen an increase of roughly 98 percent in spam traffic between 00:00 and 10:00 today compared to the same period on January 9. While levels of Rustock output appears marginally lower than before Christmas, we see no reason they won't reach those previous levels again, bringing global spam levels back up to the approximately 90% levels we had become so used to.
During the spam lull Rustock continued to exercise click fraud, a profitable activity of using the botnet to simulate a "click" on a web page advertisement, bringing automatic revenue from the advertisers (who charge on a "pay per click" model) to the operators of the botnet.
True to form, Rustock is spewing mostly pharma spam with subjects like, "Dear [username] -80% now" The username is taken as whatever is before the @ symbol in the to address. This appears to be the "Pharmacy express" branding.
The Xarvester botnet has also returned, though as before it shutdown, is sending significantly less spam than Rustock.
It is too early to say what effect this will have on global spam levels, or if this return is permanent, but at the moment it certainly seems as if the holiday is over and it's now back to business as usual.