Spam levels plummet as Rustock botnet taken down... for now

815,000 zombies with no master...


Spam volumes shrank on Wednesday after the prolific Rustock botnet fell silent, reportedly as a result of a takedown action.

Rustock, which is made up of a network of compromised (malware-infected) Windows PCs, turns an illicit income for its unknown controllers by being the biggest single source of global spam. The botnet is particularly active in advertising unlicensed net pharmacies, or at least it was until Wednesday afternoon, when its junk mail deluge ran dry.

Security blogger Brian Krebs, who broke the story of the sudden drop-off, suggests the respite from Rustock spam is possibly the result of a takedown action against the zombie network's command and control system. "Dozens of internet servers used to coordinate these spam campaigns ceased operating, apparently almost simultaneously," he writes. "Such an action suggests that anti-spam activists have succeeded in executing possibly the largest botnet takedown in the history of the internet."

Details of who took this action are unclear at present, though security firms were able to confirm that Krebs is spot on in attributing a sharp drop in spam levels to the shutdown (at least temporarily) of Rustock.

M86 Security Labs, for example, said that Rustock control servers it monitors are unreachable. "It is unclear yet who or what caused the shutdown," the security firm said in a blog post on the Rustock shutdown that includes a graph of the botnet's junk mail output. "It's also possible it has been abandoned."

The Rustock botnet is made up of an estimated 815,000 compromised Windows PCs, controlled via a network of around 26 servers.

Infected machines are still pox-ridden, but without instructions to act on and spam templates to draw upon they have been rendered inert, at least for now. Rustock has been around for about three years and, at its peak, was to blame for half the spam in circulation.

Spam from Rustock previously fell away to almost nothing over the Christmas and New Year holiday before returning in mid-January, possibly as the result of a temporary break by the botherders controlling the network, so it would be unwise to write up Rustock's obituary just yet. Even if Rustock is properly dead, the business of using junk mail messages to spamvertise sites offering unlicensed pharmaceuticals is simply too lucrative to disappear anytime soon. Economic logic dictates that someone will move in and pick up the slack. ®
