Spam levels take a nosedive as Rustock apparently taken down - update

Posted by Virus Bulletin on Mar 17, 2011

Eerie silence from the Rustock botnet; Microsoft reported to have co-ordinated the takedown.

Spam levels have taken a nosedive over the last 24 hours, apparently as a result of a takedown operation that was initially attributed to unknown anti-spam activists (see the update below).

The Rustock botnet has been responsible for enormous amounts of spam over the last few years: in 2010 it sent out an average of 44 billion spam messages a day, and more recently that average rose to around 80 billion a day. But yesterday the botnet's output dropped suddenly from a peak of over 250,000 emails per second to nothing.

Graphs produced by the CBL (Composite Blocking List) give a dramatic visual illustration of the drop-off.

Before getting too excited about the apparent shutdown, however, experts warn that Rustock was silenced once before, for several days in December 2010, before returning to full flow in mid-January 2011, and that there could be any number of reasons for a halt in the spamming, which may yet prove only temporary.

The Rustock botnet is estimated to consist of 815,000 compromised Windows PCs, controlled via a network of around 26 servers, and it has typically been responsible for 50-70% of the total spam on the Internet.

More commentary is available from Brian Krebs and from The Register.

Update: According to an article in the Wall Street Journal, the takedown of the botnet was the result of a joint effort between Microsoft's digital crimes unit and US law enforcement agents, who together seized equipment from hosting facilities across the US. According to the report, equipment was confiscated from ISPs located in Kansas City, Mo.; Scranton, Pa.; Denver; Dallas; Chicago; Seattle; and Columbus, Ohio. Microsoft officials had obtained a federal court order granting them permission to seize computers believed to be Rustock command-and-control machines. Note that seizing the command-and-control servers cuts the bots off from their operators but does not remove the malware from the infected PCs themselves, which is one reason the silence described above could yet prove temporary. The full story can be read in the Wall Street Journal report.
