Symantec: Rustock Botnet Pumps Most Spam Despite Shrinking

A new report from Symantec put the Rustock botnet at the top of the heap for spamming despite the fact that the number of infected computers under its control was slashed nearly in half.

Rustock retained the top spot as the busiest spam-sending botnet on the Web this month despite the fact that the number of bots under its control shrank.

According to Symantec's August 2010 MessageLabs Intelligence Report, Rustock increased its output from 32 percent of botnet spam in April to 41 percent in August. Ironically, this happened even though the number of Rustock bots dropped from 2.5 million to 1.3 million during that same period, researchers found.

"Rustock has shrunk in size perhaps as a result of infected computers being cleaned or replaced," speculates Paul Wood, MessageLabs Intelligence senior analyst for Symantec Hosted Services. "It is likely that a new variant of the Rustock botnet has been created to replace the bots that it has lost. This usually involves a new version of the Trojan code being deployed, which at first appears as a new, unknown botnet. I would expect the botnet to grow again over the coming weeks and months."

In the meantime, Rustock has turned off its use of TLS (Transport Layer Security) encryption because of the large amount of computing resources it consumes, Wood said. By turning off TLS encryption, the botnet can send great volumes of spam: in this case, 192 spam e-mails per minute instead of 96.

At its peak in March, TLS-encrypted spam accounted for 30 percent of spam from all sources and as much as 70 percent of spam from Rustock. That percentage of TLS-encrypted spam has declined to less than 0.5 percent of all spam.

Outside of Rustock, the Grum and Cutwail botnets were responsible for 16.36 and 6.99 percent of all spam, respectively. First identified in 2007, Cutwail sends more malware than any other botnet, usually in the form of a zip file attachment, the report notes.

Geographically, the United Kingdom was responsible for 4.5 percent of the world's spam during March, more than double its April percentage. It is now the fourth most frequent source of spam behind the United States (number one), India and Brazil, respectively.

The United States is home to the highest number of bots, with most belonging to the Rustock, Storm and Asprox botnets. Some 14 percent of the Rustock bots are in the United States, up from 7 percent in April.

The global ratio of spam to e-mail traffic was one in every 1.08 e-mails (92.2 percent), the researchers found. Nearly 18 percent of spam came from yet-to-be-classified botnets. Phishing activity also inched up by 0.1 percent, to one in every 363.1 e-mails.

"Computers are not like washing machines or televisions; they need constant maintenance, upgrading and patching," Wood says. "Security is often left to the end user, and the growth of social networking and user-generated content has also made it easier for the criminals to take advantage of people's willingness to be open and share information."