The successful takedown can be considered the most recent, and possibly the most effective, nail in Rustock's coffin yet. While we have to wait before we can see the long-term effects of the recent Rustock botnet takedown, the decline in spam volume is already apparent. Data from TrendLabs shows a more than 95 percent decrease in Rustock reports on March 16, at around the same time the botnet was taken down.
As with most spam botnets, there has been a long-running battle between the bot's perpetrators and the security industry. Since the bot was first discovered in 2006, Rustock has compromised thousands of machines and sent out billions of pharmaceutical spam messages.
Two years later, the spam volume took a significant blow after the McColo Corp. disconnection. By providing research and intelligence to the HostExploit.com Cyber Crime Report, Trend Micro contributed to the successful takedown of the known spam giant. Interestingly, Rustock was one of the many botnets that were affected by the McColo takedown. The victory, unfortunately, was short-lived, and it was business as usual for spammers not long after.
Despite this temporary hurdle, the Rustock botnet continued to grow in size and to evade detection because of its use of NTFS Alternate Data Streams (ADS) to hide its rootkit component. The bot masters also rolled out improvements, switching to Transport Layer Security (TLS) instead of SSL or plain HTTP (port 80) for its traffic in March 2010. Adding this feature enabled Rustock to carry out command-and-control (C&C) communication even on systems that employed more stringent security measures.
From December 2010 until early January this year, a consistent decline in the Rustock spam volume left the industry speculating about the botnet’s future. It did not take long, however, before the spam volume went back to preholiday levels, proving that the spam botnet was still in business.
With the latest development on the infamous spambot, the question then is whether this is the last time we'll be seeing spam activity from Rustock. As we have seen in the past, even the most successful takedowns, like those of McColo and Waledac, did not result in completely eliminating the problem. For now, users can only rely on secure computing practices and smart reputation services to effectively deal with spammed messages.
As CTO Dave Rand recommends, "The only way to address this problem in the long term is to secure affected computers—and the only people who are in the position to help with this task are the Internet service providers (ISPs) that provide connectivity to end users. Even a simple email or letter to the customer saying, 'Your computer was being used as part of the Rustock botnet and we suggest that you find and remove the compromises on your systems' would go a long way in preventing these same systems from being abused in the future."