Spam levels take a nose dive as Rustock apparently taken down - update

Posted by Virus Bulletin on Mar 17, 2011

Eerie silence from Rustock botnet. Microsoft reported to have co-ordinated take down.

Spam levels have taken a nose dive over the last 24 hours - apparently as a result of a take down operation by unknown anti-spam activists.

The Rustock botnet has been responsible for enormous amounts of spam over the last few years - in 2010, the botnet sent out an average of 44 billion spam messages each day, with the average rising to around 80 billion per day more recently. But yesterday the botnet's output dropped suddenly from a peak of over 250,000 emails per second to nothing.

Graphs produced by the CBL (Composite Blocking List) give a dramatic visual illustration of the drop off here.

Before getting too excited about the apparent shut down, however, experts warn that Rustock was silenced for several days once before - in December 2010 - before returning to full flow in mid-January 2011, and that there could be any number of reasons for a halt to the spamming which may yet prove only temporary.

The Rustock botnet is estimated to consist of 815,000 compromised Windows PCs, controlled via a network of around 26 servers, and has typically been responsible for 50-70% of the total spam on the Internet.

More commentary is available from Brian Krebs here and from The Register here.

Update: According to an article in the Wall Street Journal, the take down of the botnet was the result of a joint effort between Microsoft's digital crimes unit and US law enforcement agents, who together seized equipment from hosting facilities across the US. According to the report, equipment was confiscated from ISPs located in Kansas City, Mo.; Scranton, Pa.; Denver; Dallas; Chicago; Seattle and Columbus, Ohio. Microsoft officials had obtained a federal court order granting them permission to take computers believed to be Rustock command-and-control machines. The full story can be read here.
