
The Final Nail on Rustock’s Coffin—Or Is It?

  • Posted on:March 19, 2011 at 2:04 am
  • Posted in:Botnets, Spam
  • Author:
    Jamz Yaneza (Threat Research Manager)

The successful takedown can be considered the most recent, and possibly the most effective, nail yet in Rustock’s coffin. While we have to wait before we can see the long-term effects of the recent Rustock botnet takedown, the decline in spam volume is already apparent. Data from TrendLabs shows a more than 95 percent decrease in Rustock reports on March 16, at around the same time the botnet was taken down.

As with most spam botnets, there has been a long-running battle between the bot’s perpetrators and the security industry. Since the bot was first discovered in 2006, Rustock has compromised thousands of machines and sent out billions of pharmaceutical spam messages.

Two years later, the spam volume took a significant blow after the McColo Corp. disconnection. By providing research and intelligence to the HostExploit.com Cyber Crime Report, Trend Micro contributed to the successful takedown of the known spam giant. Interestingly, Rustock was one of the many botnets that were affected by the McColo takedown. The victory, unfortunately, was short-lived, and it was business as usual for spammers not long after.

Despite this temporary hurdle, the Rustock botnet continued to grow in size and to evade detection because it hid its rootkit component in NTFS Alternate Data Streams (ADS). The bot masters also rolled out improvements by switching to Transport Layer Security (TLS) instead of SSL or plain HTTP (port 80) in March 2010. Adding this feature enabled Rustock to carry out command-and-control (C&C) communication even on systems that employed more stringent security measures.

From December 2010 until early January this year, a consistent decline in the Rustock spam volume left the industry speculating about the botnet’s future. It did not take long, however, before the spam volume went back to preholiday levels, proving that the spam botnet was still in business.

With the latest development on the infamous spambot, the question is whether this is the last time we’ll be seeing spam activity from Rustock. As we have seen in the past, even the most successful takedowns, like those of McColo and Waledac, did not completely eliminate the problem. For now, users can only rely on secure computing practices and smart reputation services to effectively deal with spam messages.

As CTO Dave Rand recommends, “The only way to address this problem in the long term is to secure affected computers—and the only people who are in the position to help with this task are the Internet service providers (ISPs) that provide connectivity to end users. Even a simple email or letter to the customer saying, ‘Your computer was being used as part of the Rustock botnet and we suggest that you find and remove the compromises on your systems’ would go a long way in preventing these same systems from being abused in the future.”
