In a report released on Wednesday, German email security firm eleven shared its observations almost a year after the Rustock botnet was shut down on March 16, 2011. According to the report, spam levels in February 2012 were 61.2 percent below the value from February 2011, right before the Rustock shutdown.
Beta versions of Rustock malware first appeared around 2005, but it was with Rustock.C, released in 2006, that it really started to become a problem, according to a report by Ars Technica last year. It evaded detection for months and infected many machines. At its peak in August 2010, it was responsible for about 60 percent of the spam sent daily, or about 30 billion spam e-mails a day.
The Rustock takedown, led by a small group of researchers backed by Microsoft lawyers and US Marshals and armed with seizure warrants, was an example of a “polished technique” for getting rid of complex global networks of malicious computers, according to a report by InfoWorld last March. A month later, in April 2011, the US government seized domains to take down the Coreflood botnet.
The takedown required the cooperation of five hosting providers in the US to sever the IP addresses that controlled the botnet and disable the communication. To prevent a similar instance from infecting customers, web hosts need to ensure their software is updated and could also monitor network connections in and out of nodes.
While spam levels were down in February 2012 compared to February 2011, the number of dangerous emails increased significantly, according to eleven. In March 2011, MessageLabs reported that the Rustock shutdown cut spam volume by more than a third.
Malware emails increased by 50.5 percent since February 2011 and virus outbreaks more than doubled. Phishing emails increased by 145 percent between February 2011 and February 2012. In December and January, eleven noted an explosive growth of phishing email.
Rustock distributed pharmaceutical spam, and although the popularity of pharmaceutical spam was replaced by online casino ads for a time, pharmaceutical spam was back in first place by February 2012 with a 26.9 percent share of overall spam levels, according to eleven, followed by casino spam at 14.4 percent.
Prior to Rustock, the US was the leading source country of spam. Now, emerging countries from Asia and Eastern Europe are dominating as the new leading spammers, eleven says. India has been the top country for several months.
eleven says it appears that, now that pharmaceutical spam is back and the US is back among the top spam senders, a massive effort is underway to rebuild botnet infrastructures as a means of replacing the ones lost in the Rustock shutdown.