Rustock botnet down; global spam volumes slump

17 March 2011

It looks like the resurgence of the infamous Rustock botnet – which returned after a near-outage over Christmas and New Year's – has ended, as unconfirmed reports suggest that it has been taken down.

The BBC's newswire quotes MessageLabs senior analyst Paul Wood as saying that all of the command-and-control servers that control the Rustock botnet swarm have gone quiet, although no-one has yet claimed responsibility.

Some anonymous security forum postings suggest that the Rustock command-and-control servers may be down for re-architecting, but no single organisation seems to know what is really happening, Infosecurity notes.

The Rustock botnet was, at its height in 2009/2010, generating as many as 200 million spam messages a day, although most of these were caught by Tier 1 internet service providers and filtered out before reaching their destination.

Security researcher Brian Krebs reports that around 800,000 PCs worldwide were infected by Rustock earlier this month, and quotes an anonymous activist in Canada as saying the drop in Rustock-generated spam is truly dramatic.

"Normally, Rustock is sending between one and two thousand e-mails per second. Today, we saw infected systems take an abrupt dive to sending about one to two e-mails per second", the activist told Krebs.

The security researcher went on to quote Joe Stewart, director of malware research with SecureWorks, as saying that none of Rustock's 26 command-and-control servers were responding as of yesterday lunchtime US time.

"This looks like a widespread campaign to have either these [Internet addresses] null-routed or the abuse contacts at various ISPs have shut them down uniformly", he told Krebs, adding: "It looks to me like someone has gone and methodically tracked these [addresses] and had them taken out one way or another."

Krebs also concurs with reports that Rustock is down for a re-architecting of its server clusters, noting that it may be too soon to celebrate the takedown of the world's largest spam botnet.

"For one thing, PCs that were infected with Rustock prior to this action remain infected, only they are now somewhat lost, like sheep without a shepherd", he said in his latest security blog.

In previous takedowns, says Krebs, such as those executed against the Srizbi botnet, the botmasters have been able to regain control over their herds of infected PCs using a complex algorithm built into the malware that generates a list of fallback web site names for the bots to contact.

"Using such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to and controlling the herd of infected computers", he noted.
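The fallback mechanism Krebs describes cuts both ways: because every infected host derives the same candidate names from the same rule, a defender who knows the rule can pre-compute the list and watch for, block or sinkhole lookups before the botmaster registers one. The following is an added illustration, not Rustock's or Srizbi's real algorithm and not code from the article. The generator, its seed, the TLD set, the `generate_domains`, `build_watchlist`, `flag_queries` and `demo_hits` functions, and the DNS log lines are all constructed for the example.

```python
"""Toy 'fallback name generator' and the defender-side use of it.

Constructed example: the generation rule below is invented for illustration
and bears no relation to any real botnet's algorithm.
"""
import hashlib
from datetime import date, timedelta
from typing import List, Set, Tuple

# Constructed set of TLDs the toy rule cycles through.
TLDS = ("com", "net", "info")


def generate_domains(day: date, seed: str = "toy-seed", count: int = 20) -> List[str]:
    """Return the `count` candidate names the toy rule derives from `day`.

    The rule is deterministic, so an infected host and a defender who knows
    the rule compute exactly the same list for the same date. That shared
    predictability is what makes pre-computation and sinkholing possible.
    """
    names = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        # Map the first 8 hex digits onto the letters a..p to form a label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:8])
        # Pick the TLD from the ninth hex digit.
        tld = TLDS[int(digest[8], 16) % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def build_watchlist(start: date, days_ahead: int = 7) -> Set[str]:
    """Pre-compute the union of candidate names for the next `days_ahead` days.

    A defender would feed this set to a DNS blocklist, a sinkhole, or a
    resolver-log alert rule ahead of time.
    """
    watch: Set[str] = set()
    for offset in range(days_ahead):
        watch.update(generate_domains(start + timedelta(days=offset)))
    return watch


def flag_queries(log_lines: List[str], watchlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs for resolver log lines that hit the watchlist.

    Assumed (constructed) log format: '<timestamp> <client-ip> query <type> <qname>'.
    A hit means the client is trying the fallback rendezvous names and should
    be treated as a likely infected host.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        qname = parts[-1].rstrip(".").lower()
        if qname in watchlist:
            hits.append((parts[1], qname))
    return hits


def demo_hits() -> List[Tuple[str, str]]:
    """Run the detection over a small constructed resolver log for 17 March 2011."""
    day = date(2011, 3, 17)
    watch = build_watchlist(day)
    rendezvous = generate_domains(day)[0]  # one name an infected host would try
    sample_log = [  # constructed lines, not real captures
        "2011-03-17T12:00:01 10.0.0.5 query A www.example.com",
        f"2011-03-17T12:00:02 10.0.0.9 query A {rendezvous}",
        "2011-03-17T12:00:03 10.0.0.5 query MX mail.example.org",
        "2011-03-17T12:00:04 10.0.0.7 response A www.example.com",
    ]
    return flag_queries(sample_log, watch)


if __name__ == "__main__":
    for client, name in demo_hits():
        print(f"{client} looked up fallback name {name}")
```

The only element that changes per day is the date fed into the hash, which is why the watchlist is built a week ahead rather than recomputed reactively; in a real deployment the same set would also be used to check which candidate names have actually been registered.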
