View Only

Rustock hiatus ends with huge surge of pharma spam  

Jan 10, 2011 11:12 AM

Posted on behalf of Mathew Nisbet, Malware Analyst, Symantec Hosted Services and Matt Sergeant, Senior Anti-Spam Technologist, Symantec Hosted Services

On December 25, 2010, Rustock, the largest of the spam botnets, went quiet. Why this happened, we don't know but what we do know is that global spam levels dropped massively as a result. MessageLabs Intelligence analysts did not expect this respite to last, and sadly we were right.
Since around 00:00 (UTC) on January 10, Rustock has resumed activity, and appears set to continue where it left off on December 25 as the biggest source of global spam.

As Rustock has now returned, this means the overall level of spam has increased. MessageLabs Intelligence honeypot servers have seen an increase of roughly 98 percent in spam traffic between 00:00 and 10:00 today compared to the same period on January 9. While levels of Rustock output appears marginally lower than before Christmas, we see no reason they won't reach those previous levels again, bringing global spam levels back up to the approximately 90% levels we had become so used to.

During the spam lull Rustock continued to exercise click fraud, a profitable activity of using the botnet to simulate a "click" on a web page advertisement, bringing automatic revenue from the advertisers (who charge on a "pay per click" model) to the operators of the botnet.

True to form, Rustock is spewing mostly pharma spam with subjects like, "Dear [username] -80% now" The username is taken as whatever is before the @ symbol in the to address. This appears to be the "Pharmacy express" branding.

The Xarvester botnet has also returned, though as before it shutdown, is sending significantly less spam than Rustock.

It is too early to say what effect this will have on global spam levels, or if this return is permanent, but at the moment it certainly seems as if the holiday is over and it's now back to business as usual.


0 Favorited
0 Files

Tags and Keywords


Feb 03, 2011 04:35 AM

 Considerably, the article is in reality the greatest on this noteworthy topic. I agree with your conclusions and to your next updwill eagerly look forward ates. Saying thanks will not just be sufficient, for the wonderful clarity in your writing. I will immediately grab your rss feed to stay privy of any updates. Pleasant work and much success in your business dealings!

Jan 20, 2011 09:40 PM

When I receive repeat spam e-mails (even after "unsubscribing"), who can I report this to who can try to shut these spammers down?


Jan 20, 2011 10:11 AM

I don't think it's points to some major weakness. How can you possibly exploit the fact that they went on a break in order to come up with a method to crack down on it?

If you ask me, the break was probably because of Winter break at schools as well as the companies shutting down. The college and high-school computer labs across the US would have been shut down for the break which for organisations, only mission critical servers would be running.

As for a this showing a weakness, all it means is that Rustock is dependent on people. If we can educate the majority of organisations about not only the people illegally making profit and wreaking havoc on their computers, but in what we tech savvy people consider basic Internet security, it would put a damper on their activities.

Here's my take:

Jan 16, 2011 05:03 PM

Whatever it is this is proof that it can be shutdown.  More in-depth knowledge will certainly lead to better counter-strike measures.

Considering that 2012 is just around the corner, such knowledge could prove invaluable.


Evil never sleeps hence this  certainly points to a major weakness to be used.



Jan 11, 2011 05:50 PM


From the timing of the lull, it would almost support the theory that it's not home PCs which are the source of these sends - but some kind of business PC system, one that was shut for the holidays, for 2 weeks from Dec 25.

Either that, or the bot-daddies took themselves a holiday, and either forgot to schedule distribution or else didn't pay for their own UPS systems before they went!



Related Entries and Links

No Related Resource entered.