Rustock botnet responsible for 40 percent of spam

The botnet has shrunk since April but is making up for its decreased size with increased volume, ditching encryption in order to send out more spam

More than 40 percent of the world's spam is coming from a single network of computers that computer security experts continue to battle, according to new statistics from Symantec's MessageLabs' division.

The Rustock botnet has shrunk since April, when about 2.5 million computers were infected with its malicious software that sent about 43 billion spam emails per day. Much of it is pharmaceutical spam.

[ Windows 7 is making huge inroads into business IT. But with it comes new security threats and security methods. InfoWorld's expert contributors show you how to secure the new Microsoft OS in the "Windows 7 Security Deep Dive" PDF guide. ]

Now, about 1.3 million computers are infected with Rustock, and the botnet is making up for its decreased size with increased volume, said Paul Wood, a MessageLabs intelligence analyst with Symantec. Those infected computers -- most of which are in North America and Western Europe -- are collectively sending around 46 billion spam emails per day.

The reason for the drop in infected computers could be due to a number of factors, Wood said. Those computers' antivirus programs may have detected the infections or the people controlling Rustock could have lost the connection to those computers for various reasons.

The computers infected with Rustock have also stopped using TLS (Transport Layer Security), an encryption protocol used to securely send email. Spammers were believed to encrypt their spam using TLS because it was harder for other network equipment to inspect the traffic and figure out if it was spam, Wood said.

But sending email using TLS required more resources and was slower. "It would seem that the botnet controllers, especially those behind Rustock, have perhaps realized that the use of TLS gave them little or no discernible benefits and instead impeded their sending capacity owing to the additional bandwidth and processing overhead needed for TLS," the report said.

Rustock has proved to be a robust botnet. It was nearly killed off when McColo, an ISP in San Jose, California, was cut off from the Internet in November 2008 by its upstream providers. McColo had hosted the command-and-control servers for several botnets, including Rustock.

But Rustock's operators were able to switch the command-and-control servers when McColo briefly regained connectivity again before finally being shut off, which has allowed it to run for nearly four years now.

Send news tips and comments to jeremy_kirk@idg.com.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies