
Silent Rustock

There has been a significant drop in worldwide spam levels over the last month or so. M86 attributes it to Rustock, the world's largest spam botnet, suddenly stopping its spam output for unknown reasons. McAfee has expressed a different view: according to them, the steep drop is due to the recent attempt to shut down Pushdo.D, another well-known spam botnet. It is clear that spam levels are dropping, so let's look behind the curtain and try to find the actual reasons for the statistical observations.

I can think of two possible reasons why a major spam botnet would suddenly stop sending spam:

1. There was an attempt to shut down the botnet by taking down its CnC servers.

2. The bot herders are going out of business, i.e. no one is paying them to send spam.

Rustock

Here in the FireEye Malware Intelligence Labs, we monitor the activities of different botnets on a daily basis. Based on the data we have, there is no indication that the CnC servers for Rustock are being shut down. For example, we observed 39 Rustock CnCs alive and responding within just the past 24 hours, which is the number of active CnC servers we see on average for Rustock. It is clear that this botnet is not dead (or even partially damaged). Even if it is not sending spam at this moment, it can come back at any time.

Here is the number of active Rustock CnCs observed during each of the last 5 months.

[Figure: active Rustock CnC servers per month (Alive_cncs)]
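The measurement behind the numbers above is simple but worth being explicit about: a CnC counts as "active" in a window only if it answered at least once inside that window, and the same host answering repeatedly is counted once. The following is an added example, not FireEye's monitoring code; the observation rows, host names and the "degraded" thresholds are all constructed for illustration. It computes the distinct-host count for a trailing 24-hour window and per calendar month, keyed by botnet family so that variants such as Pushdo.C and Pushdo.D are never merged, and then compares the current count with a baseline to decide whether the infrastructure looks intact.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample data (not real telemetry): one row per time a probe or
# sinkhole saw a CnC host respond, as (botnet family, host, last_seen in UTC).
OBSERVATIONS = [
    ("Rustock",  "cnc-a.example", datetime(2010, 10, 14, 3, 0, tzinfo=UTC)),
    ("Rustock",  "cnc-a.example", datetime(2010, 10, 14, 9, 0, tzinfo=UTC)),  # same host seen twice
    ("Rustock",  "cnc-b.example", datetime(2010, 10, 14, 11, 0, tzinfo=UTC)),
    ("Rustock",  "cnc-c.example", datetime(2010, 10, 12, 8, 0, tzinfo=UTC)),  # older than 24h
    ("Rustock",  "cnc-d.example", datetime(2010, 9, 20, 8, 0, tzinfo=UTC)),
    ("Pushdo.D", "pd-a.example",  datetime(2010, 10, 14, 5, 0, tzinfo=UTC)),
    ("Pushdo.D", "pd-b.example",  datetime(2010, 10, 14, 6, 0, tzinfo=UTC)),
    ("Pushdo.C", "pc-a.example",  datetime(2010, 10, 14, 7, 0, tzinfo=UTC)),
]

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2010, 10, 14, 12, 0, tzinfo=UTC)


def active_cncs(observations, family, now=NOW, window=timedelta(hours=24)):
    """Distinct CnC hosts of `family` that responded within `window` before `now`.

    A set is used so a host that answered several times is counted once.
    """
    cutoff = now - window
    return {host for fam, host, seen in observations
            if fam == family and cutoff <= seen <= now}


def active_per_month(observations, family):
    """Distinct active hosts per calendar month ("YYYY-MM" -> count), oldest first."""
    months = defaultdict(set)
    for fam, host, seen in observations:
        if fam == family:
            months[seen.strftime("%Y-%m")].add(host)
    return {month: len(hosts) for month, hosts in sorted(months.items())}


def infrastructure_status(current, baseline, degraded_below=0.5, down_below=0.1):
    """Compare today's distinct-host count with a historical baseline.

    The thresholds are illustrative assumptions, not a published rule:
    below 10% of baseline is 'down', below 50% is 'degraded', else 'intact'.
    """
    if baseline <= 0:
        return "no baseline"
    ratio = current / baseline
    if ratio < down_below:
        return "down"
    if ratio < degraded_below:
        return "degraded"
    return "intact"


if __name__ == "__main__":
    for family in ("Rustock", "Pushdo.C", "Pushdo.D"):
        today = active_cncs(OBSERVATIONS, family)
        by_month = active_per_month(OBSERVATIONS, family)
        baseline = max(by_month.values(), default=0)
        print(family, "active in last 24h:", len(today),
              "| per month:", by_month,
              "| status:", infrastructure_status(len(today), baseline))
```

Keeping the family label as part of the key is the point of the per-variant split: if Pushdo.C and Pushdo.D observations were pooled under "Pushdo", a takedown that only touched one variant would be invisible in the count, which is exactly the attribution problem discussed for spam volume further down.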

Pushdo.D

As I explained in my last post, the earlier attempt to shut down the Pushdo.D botnet merely paused its activities for a few days. We have observed eight new CnC servers emerge since the Pushdo.D shutdown attempt on Aug 27, which puts the count of active servers at 18. In terms of active CnC servers, it is pretty clear to us that the Pushdo.D botnet is back to its normal strength.

One more thing should be added here: there are multiple Pushdo and Cutwail variants/botnets in circulation at the moment. For example, Pushdo.C was not touched by LastLine during their Pushdo.D shutdown attempt. I am surprised that no real effort has been made to separate out the spam coming from these two different botnets. Spam classified as coming from "the Pushdo botnet" must be a combination of spam from both variants, which further confuses the overall picture. How much difference in overall spam volume did LastLine's attempt to kill Pushdo.D actually make?

Conclusion

The CnC servers behind Rustock, Pushdo.C, Pushdo.D and Cutwail are fully alive and responding. To me, the most logical reason for this spam drop is the recent shutdown of a big spam affiliate program named spamit.com. spamit.com has been a very big source of income for these spammers and has in the past been accused of paying spammers to send spam.

The problem is that these botnets, which historically have been responsible for large volumes of spam, are still fully intact. The moment the bot herders find new affiliate programs, spam volumes will likely return to their previous levels. The lesson of this incident is that the best way to kill spam is to stop the bad guys from operating these botnets and/or to cut the food chain by stopping affiliate programs from paying bot herders.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Questions/Comments : research SHIFT-2 fireeye DOT COM

2 thoughts on “Silent Rustock”

  1. I thought you should be aware, since you may not be following this, that the #1 criminal spamming operation in the world announced a few weeks ago that it was shutting down on Oct. 1st due to “numerous negative events” which took place over the past year, possibly indicating the removal of Mastercard from their available cards to process.
    I wrote about this on my blog:
    http://ikillspammers.blogspot.com/2010/09/spamitcom-closing-down.html
    This is very likely to be the real reason.
    My team is noticing a wholesale shift away from Spamit properties (the renowned “Canadian Pharmacy” and “Canadian Healthcare”) and over to what were previously identified as being from the AffKing set of websites. (“ManXL”, “Diamond Replicas”, “Pharmacy Express”)
    Thought you should know. M86 is also aware of this development.
    Great research as always.
    SiL / IKS / concerned citizen

  2. Thanks Sil,
    Yes, I am aware that lots of researchers (including you) have written very good stuff about this sudden drop and role of spamit.com in this. I am just trying to fill the gap by telling the state of botnets behind….
