Spam Volumes Dip Slightly as Bagle Botnet Fills Rustock Shoes

Global spam volumes dropped by a third immediately after Microsoft and law-enforcement officials shut down Rustock earlier this month, but other botnets are filling the void.

The volume of junk mail fell from around 52 billion daily emails to roughly 33 billion emails a week after the Rustock botnet ceased operations, according to the MessageLabs Intelligence Report for March that Symantec.cloud released March 29. However, despite the dramatic fall in spam volumes in that one-week period, overall spam volumes for the month of March dipped only slightly, by about 2 percent, according to the report.

Overall spam volumes did not fall as much because other botnets have increased their spam output to close the gap left behind by Rustock. About 83 percent of global spam was sent from botnets in March, a 6 percent increase from the end of 2010, when botnets accounted for 77 percent, Symantec.cloud researchers found.

The Bagle botnet is filling the pharmaceutical spam gap, sending out 8.31 billion spam emails daily, according to the report. At the time of its takedown, Rustock alone accounted for 13.82 billion spam messages daily, or 28.5 percent of the total. Rustock was also most known for its pharmaceutical spam.

A coordinated operation between Microsoft and law-enforcement authorities shut down Rustock March 16. The ringleaders behind Rustock remain at large at this time. The hard drives seized from the 96 servers, which had acted as Rustock C&C (command and control) systems have been handed over to a forensic firm to find clues to the botnet operators’ identities.

"It remains to be seen whether the criminals behind Rustock will be able to recover from this coordinated effort against what has become one of the most technically sophisticated botnets in recent years," said Paul Wood, a MessageLabs Intelligence senior analyst at Symantec.cloud.

Rustock has been in operation since January 2006, much longer than most of the other botnets now in operation, Wood said. As the largest spam-sending botnet, Rustock was sending approximately 44.1 billion emails per day, or 47.5 percent of all spam, by the end of 2010.

Despite not being listed on the Top 10 list of spam-sending botnets in the MessageLabs Intelligence 2010 Annual Security Report, the Bagle botnet was the most prolific in sending out spam in March, according to the report. Symantec.cloud researchers noted that despite not having many zombies under its control, Bagle has been very consistent in its output volume.

Botnets have become “the spammers’ air supply,” said Symantec.cloud’s Wood. It would be very difficult for spammers to operate without botnets, he said.

Symantec.cloud expects to see an increase in malware attacks in the coming weeks and months as spammers try to recruit more infected computers into their botnets. The threats can take the form of malware embedded on legitimate Websites or sending malicious links in emails.

The report also noted almost negligible changes in virus activity in March, with email viruses inching up 0.134 percent and emails with links to malicious Websites decreasing 0.1 percent since February. Phishing declined by 0.065 percent, according to the report.