Rustock Botnet Revs Up Spam Levels

Spam levels may have declined during the holiday season, but spammers are getting back into the swing of things.

Any holiday cheer created by the decline in spam is likely to soon disappear, if it hasn't already.

Driven by the infamous Rustock botnet, spam has begun to tick upward again. Before Christmas, Rustock was accountable for as much as 44 billion spam e-mails per day, according to Paul Wood, MessageLabs senior intelligence analyst for Symantec Hosted Services.

"There were three spam-sending botnets that stopped sending spam, or dropped in terms of volume: Rustock, Xarvester and Lethic," he explained. "Rustock is the single largest botnet, comprising between 1.1 million and 1.7 million computers globally. By the end of 2010, Rustock was responsible for as much as 47.5 percent of all spam. Xarvester and Lethic were much smaller and accounted for less than 0.5 percent of all spam each.

"Rustock and Xarvester have restarted their spam-sending operations, but not on the same scale as previously," Wood said. "Rustock restarted on Jan. 10, and in 24 hours the spam it was sending accounted for 19 percent of all spam."

There was no evidence to suggest that these botnets have been disrupted in any way, by law enforcement or other actions, and the Rustock bots have not been removed from the botnet, Wood added. Instead, research has shown that the bots were still active in other ways, particularly click-fraud, he said.

But spam remains a profitable game, and the United States is still king of the hill. According to Sophos, the United States retained its crown as the top spam relaying country in the world for the last few months of 2010. Between October and December, the country accounted for 18.83 percent of spam. India came in second with 6.88 percent, while Brazil came in third with roughly 5 percent.

"Spam is certainly here to stay; however, the motivations and the methods are continuing to change in order to reap the greatest rewards for the spammers," said Graham Cluley, senior technology consultant at Sophos, in a statement. "What's becoming even more prevalent is the mailing of links to poisoned Web pages: victims are tricked into clicking a link in an e-mail, and then led to a site that attacks their computer with exploits or attempts to implant fake antivirus software."

During the two weeks when it was quieter, Rustock continued to send pharmaceutical spam, Wood said. Though pharmaceutical spam accounted for approximately 64 percent of all spam throughout much of 2010, this fell to less than 1 percent recently.

"Most of the spam from Rustock is pharmaceutical spam, and much of that was related to the 'Canadian Pharmacy' spam operation," Wood said. "Canadian Pharmacy spam stopped following the closure of the affiliate Website, and much of the spam from Rustock now relates to another spam operation called 'Pharmacy Express,' but currently not on the same scale as before. This may change in due course, as the botnet still has the capacity to send large volumes of spam."