A Day in the Life of the Rustock Botnet

by Brian Prince

This is a picture of the early evolution of the Rustock backdoor Trojan. Totmau is a Trojan Symantec found a few months before Rustock was discovered. Researchers there suspect the malware authors may be the same or connected, but that has not been established.

This is the actual code Rustock uses to target victims.

Here is a flowchart of a Rustock sample using a method to make things difficult for analysts. The malware author twists the code on purpose in an attempt to obfuscate the real intention.

In this diagram, researchers outlined how the botnet works to infect users and spread spam.

Rustock is a sophisticated and prolific spamming machine. The individual spambots are among the fastest at sending spam that we have observed—we clocked one individual bot at 25,000 messages per hour from a standard desktop PC.

This image shows the flow of information a bot goes through when it queries the C&C server.