Rustock spambot continues to ride high

According to m86 Security, over the last six months the proportion of Rustock spam caught in the IT security firm's spam traps peaked at nearly 60%, and at no point in that period fell below 20% of total spam.

In its analysis, the IT security vendor says that, over time, its research team has observed regular updates to Rustock.

There is, says m86, no consistent name given to it by anti-virus vendors, but recent Rustock binaries are detected by some anti-virus engines as Bubnix.

The newest Rustock variant was first detected in December 2009, says m86, and a month later its researchers observed a large influx of Rustock spam that spiked to over 50% of all the spam they saw during the following months.

"Though the malware may have different detection names and OS installation behaviour, it employs a similar rootkit-based spamming engine, similar command-and-control architecture, and similar observable patterns in spam traffic", said Rodel Mendrez, in his blog posting on the topic.

"In our lab, we observed the Virut, Bredolab and Harnig downloader trojans as key distributors of Rustock. These malware downloaders use a drive-by download website or spam as an infection vector. These downloaders are capable of installing multiple types of malicious programs on the infected host and one of these is a downloader agent that installs the Rustock spambot driver", he said.

According to Mendrez, new versions of Rustock have an interesting way of infecting the host system by looking for unused .sys files.

If the primary infection attempt fails, m86 says, the malware enumerates the services of the infected host by calling the 'EnumServicesStatusExA' application programming interface.

In doing this, the m86 researcher says, the malware can traverse all other unused driver services and continue the infection routine.
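The hijacking of unused driver services described above suggests a straightforward inventory check for a defender: list every kernel-driver service that is currently stopped and look at the state of the .sys file behind it. The script below is an added example written for this page, not code from m86 or from the blog post. It queries the Win32_SystemDriver WMI class (rather than calling EnumServicesStatusExA directly) and reports, for each stopped driver service, whether the backing file exists, whether it carries a valid Authenticode signature, and when it was last modified. The 30-day baseline and the flag logic are assumptions to be tuned per host.

```powershell
# Added example (not from the m86 post): inventory stopped kernel-driver services,
# the "unused driver services" the article says recent Rustock versions look for,
# and report the on-disk state of each backing .sys file.
# Run from an elevated PowerShell prompt on the host being examined.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may carry NT-style prefixes; map them to Win32 paths.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Assumption: files changed after this date deserve a second look. Adjust to the
# host's last known-good patch date.
$baseline = (Get-Date).AddDays(-30)

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Stopped' } |
    ForEach-Object {
        $file   = Resolve-DriverPath $_.PathName
        $exists = Test-Path -LiteralPath $file
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'N/A' }
        $mtime  = if ($exists) { (Get-Item -LiteralPath $file).LastWriteTime } else { $null }
        [pscustomobject]@{
            Service   = $_.Name
            StartMode = $_.StartMode
            File      = $file
            Exists    = $exists
            Signature = $sig
            Modified  = $mtime
            # Flag: file missing (orphaned service entry), not validly signed,
            # or modified after the baseline date.
            Flag      = (-not $exists) -or ($sig -ne 'Valid') -or ($mtime -gt $baseline)
        }
    }

# Flagged entries are candidates for scrutiny: hash the file, compare it against a
# known-good copy, and inspect the service's key under
# HKLM\SYSTEM\CurrentControlSet\Services\<name> for an unexpected ImagePath.
$report | Where-Object Flag | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Treat the signature column as a sorting aid rather than a verdict: many Microsoft drivers are catalog-signed rather than embedded-signed, so on some Windows versions Get-AuthenticodeSignature reports them as NotSigned, and a recent patch cycle will legitimately move many files past the baseline date. The entries worth time are stopped services whose file is missing or whose file is both unsigned and newer than the rest of the driver directory.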

One interesting quirk of recent Rustock versions, he notes, is its use of a special Wikipedia request that returns a random article. "It then uses strings from the article in the spam message subject and body, in an attempt to make it more difficult for anti-spam filters", he said.

Despite all of this, Mendrez concludes that Rustock is purely a spambot, as no other malicious activity was observed during its analysis.

"The malware is updated frequently, and new features added regularly. The operation behind it focuses almost purely on Canadian Pharmacy spam campaigns", he said in his security blog.

"However the volume of spam this botnet operation generates is tremendous. With a staggering spam 'market share' percentage, this botnet should not be taken for granted and deserves closer scrutiny", he added.
