Rustock botnet down; global spam volumes slump

The BBC's newswire quotes MessageLabs senior analyst Paul Wood as saying that all of the command-and-control servers that control the Rustock botnet swarm have gone quiet, although no-one has yet claimed responsibility.

Some anonymous security forum postings suggest that the Rustock command-and-control servers may be down for re-architecting, but no single organisation seems to know what is really happening, Infosecurity notes.

The Rustock botnet was, at its height in 2009/2010, generating as many as 200 million spam messages a day, although most of these were caught by Tier 1 internet service providers and filtered out before reaching their destination.

Security researcher Brian Krebs reports that around 800,000 PCs worldwide were infected by Rustock earlier this month, and quotes an anonymous activist in Canada as saying the drop in Rustock-generated spam is truly dramatic.

"Normally, Rustock is sending between one and two thousand e-mails per second. Today, we saw infected systems take an abrupt dive to sending about one to two e-mails per second", the activist told Krebs.

The security researcher went on to quote Joe Stewart, director of malware research with SecureWorks, as saying that none of Rustock's 26 command-and-control servers were responding as of lunchtime yesterday, US time.

"This looks like a widespread campaign to have either these [Internet addresses] null-routed or the abuse contacts at various ISPs have shut them down uniformly", he told Krebs, adding: "It looks to me like someone has gone and methodically tracked these [addresses] and had them taken out one way or another."

Krebs also gives credence to reports that Rustock is down for a re-architecting of its server clusters, noting that it may be too soon to celebrate the takedown of the world's largest spam botnet.

"For one thing, PCs that were infected with Rustock prior to this action remain infected, only they are now somewhat lost, like sheep without a shepherd", he said in his latest security blog. 

In previous takedowns, says Krebs, such as those executed against the Srizbi botnet, the botmasters have been able to regain control over their herds of infected PCs using a domain-generation algorithm built into the malware: when the hard-coded control servers stop answering, each bot computes the same rolling list of fallback domain names and tries to contact them in turn.

"Using such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to and controlling the herd of infected computers", he noted.
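The fallback mechanism Krebs describes is easier to reason about with a small model of it. The following is an added example, not code from the article, from Krebs, or from any real botnet: the hashing scheme, the seed, the date, the host names and the IP addresses are all constructed for illustration and are not Srizbi's or Rustock's actual algorithm. It shows the three states the text discusses: bots whose fixed servers have been null-routed and who find nothing (lost sheep), a botmaster who registers one generated name and regains the herd, and a defender who has recovered the algorithm and registers the day's names first, so the bots land on a sinkhole instead.

```python
"""Toy model of a domain-generation fallback (constructed illustration only).

Nothing here is the real Srizbi or Rustock algorithm; seed, date, host names
and IPs are made up. The point is the shape of the race: whoever can compute
the same candidate list and register a name first controls the fallen bots.
"""
import hashlib
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed seed: in a real bot this is hard-coded in the binary and is what
# a reverse engineer has to recover to predict the names.
SEED = b"example-seed-not-real"
TODAY = date(2011, 3, 17)  # constructed date


def dga_candidates(day: date, seed: bytes = SEED, count: int = 8) -> List[str]:
    """Derive a deterministic list of candidate rendezvous domains for `day`.

    Bot and botmaster both run this; anyone who registers any one of the names
    can reach bots that have lost their hard-coded command-and-control servers.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        # Map the first 10 digest bytes onto lowercase letters to form a label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(label + ".example")  # .example is reserved (RFC 2606), never real
    return names


def bot_rendezvous(dns: Dict[str, str], hardcoded_c2: List[str],
                   day: date = TODAY) -> Optional[Tuple[str, str]]:
    """Simulate a bot's lookup: fixed servers first, then the generated list.

    `dns` stands in for the public DNS: name -> IP for names someone registered.
    Returns (name, ip) of the first reachable controller, or None if the bot is lost.
    """
    for host in hardcoded_c2:
        if host in dns:
            return host, dns[host]
    for name in dga_candidates(day):
        if name in dns:
            return name, dns[name]
    return None


def botmaster_reclaim(dns: Dict[str, str], c2_ip: str, day: date = TODAY) -> Optional[str]:
    """Botmaster registers the first still-free generated name for a new server."""
    for name in dga_candidates(day):
        if name not in dns:
            dns[name] = c2_ip
            return name
    return None  # every candidate already taken


def defender_sinkhole(dns: Dict[str, str], sinkhole_ip: str, day: date = TODAY) -> int:
    """Defender who has recovered the algorithm registers the whole day's list
    before the botmaster does; returns how many names were claimed."""
    claimed = 0
    for name in dga_candidates(day):
        if name not in dns:
            dns[name] = sinkhole_ip
            claimed += 1
    return claimed


def scenario() -> Dict[str, Optional[Tuple[str, str]]]:
    """Walk through the three states discussed in the article."""
    hardcoded = ["c2-a.invalid", "c2-b.invalid"]  # stand-ins for the fixed servers
    results: Dict[str, Optional[Tuple[str, str]]] = {}

    # 1. Fixed servers null-routed or delisted: nothing resolves, bots are lost.
    dns: Dict[str, str] = {}
    results["after_takedown"] = bot_rendezvous(dns, hardcoded)

    # 2. Botmaster registers one generated name and the herd finds it again.
    botmaster_reclaim(dns, "203.0.113.10")  # TEST-NET-3 address, constructed
    results["botmaster_reclaims"] = bot_rendezvous(dns, hardcoded)

    # 3. Defender sinkholes the whole list first; the botmaster finds no free name.
    dns2: Dict[str, str] = {}
    defender_sinkhole(dns2, "192.0.2.1")  # TEST-NET-1 address, constructed
    botmaster_reclaim(dns2, "203.0.113.10")
    results["defender_first"] = bot_rendezvous(dns2, hardcoded)
    return results


if __name__ == "__main__":
    for state, hit in scenario().items():
        print(f"{state}: {hit if hit else 'no controller reachable'}")
```

The asymmetry the model makes visible is the one Krebs points to: the botmaster needs to register a single name, while a defender who wants to keep the herd lost has to claim every candidate for every day the algorithm can produce, which is why pre-registration against a date-seeded list is a holding action rather than a takedown.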
