Network Security & Hardware - eWeek

Network Security & Hardware: A Day in the Life of the Rustock Botnet


It's a busy time for botnets.

According to Marshal8e6, spam levels are up 60 percent between January and June. The vast majority of that spam comes from massive botnets such as Cutwail and Mega-D.

Today, eWEEK is focusing on just one of those botnets—Rustock—which has been spamming users for the past few years. In its latest biannual report, TRACELabs Marshal8e6 noted Rustock uses rootkit functionality to hide itself, and changes spam templates often. It typically uses HTML templates from legitimate newsletters and inserts its own images and links to give Rustock spam a mask of respectability. This also allows it to dodge spam filters.

In this slideshow, eWEEK has gathered images of Rustock in action to help illustrate a day in the life of a prolific botnet. (Images courtesy of SecureWorks, Symantec, Marshal8e6 and FireEye)
 
  • A Day in the Life of the Rustock Botnet
    by Brian Prince
  • Evolution of Rustock
    This is a picture of the early evolution of the Rustock backdoor Trojan. Totmau is a Trojan Symantec found a few months before Rustock was discovered. Researchers there suspect the malware authors may be the same or connected, but that has not been established.
  • Rustock Code
    This is the actual code Rustock uses to target victims.
  • Cracking Rustock's Code
    Here is a flowchart of a Rustock sample using a technique intended to hinder analysis. The malware author deliberately convolutes the code to obscure its real purpose.
  • How It Happens
    In this diagram, researchers outlined how the botnet works to infect users and spread spam.
  • A Side of Spam
    Rustock is a sophisticated and prolific spamming machine. The individual spambots are among the fastest at sending spam that we have observed—we clocked one individual bot at 25,000 messages per hour from a standard desktop PC.
  • Communication Is Key
    This image shows the flow of information a bot goes through when it queries the C&C server.