Rustock botnet still main global conduit of email spam
December 8, 2010
Many Internet security experts say that the Rustock botnet is still the worst spam email botnet in existence today, accounting for almost 90 percent of all spam propagated in 2010.
To be sure, the average global spam rate was 89.1 percent, an increase of 1.4 percentage points over last year, according to a study recently performed by Symantec. Worldwide spam rates peaked at 92.2 percent in August of this year, largely powered by an aggressive campaign designed to distribute the Rustock botnet.
Security experts agree that Rustock is one of the main global conduits of junk mail today. As a whole, botnets accounted for 88.2 percent of all spam this year.
Overall, official botnet takedown notices and the closure of spam affiliate Spamit in early October of this year meant that the proportion of email spam that could be traced back to botnet networks dropped by about eleven percentage points to 77 percent on average.
But by November 30th, the total number of active bots had returned to roughly the same level as at the start of the year, as hackers re-established junk mail communication channels and compromised servers. Globally, the total number of botnets is now between 3.5 and 5.4 million, Symantec estimates.
The top three botnets for spam distribution have not changed much despite the upheavals in the underground economy (botnet takedowns, Zeus suspect arrests, and so on) during the second half of 2010.
To this day, the Rustock botnet is still the biggest and the most feared of all spam systems, with an output that has doubled over the course of the last year to reach over 44.7 billion spam emails per day.
That is a horrific amount of spam by any standard.
The botnet has also compromised at least a million email hosts all over the globe. Grum and Cutwail are the second and third largest spam botnets, respectively. Each is also associated with distributing malware through spam sent from compromised machines (zombies).
Spammers who control botnets have experimented with different command and control structures, moving from traditional IRC controls (which can be easily blocked at firewalls) to Internet-based controls. Some have experimented with using social networks such as Twitter as a command channel this year.
Overall, Message Labs Inc recorded an average rate for malware in email traffic of one in 284.2 emails, equivalent to about 0.352 percent, during the course of the year, virtually unchanged from the proportion of malware in email it recorded in 2009, or about 0.349 percent.
But the overall number of different strains of malware in these blocked emails grew by a factor of 100 over the last twelve months to reach 339,673 for this year alone. The change reflects the increased industrialisation of malware production, according to Message Labs.
Symantec says that even more sophisticated approaches are in the works, with controls hidden in plain view using steganography, perhaps within images or music files distributed through file sharing or social networking sites.
This tactic would allow spammers to surreptitiously issue instructions to their botnets without relying on an ISP to host their infrastructure, limiting the chances that they will be discovered.
And that is very troubling indeed. Something needs to be done, and done rapidly, to help reduce global email spam and the distribution of malware and worms.
Must we remind you of the Stuxnet worm and all the media attention it has received since July?
Source: Message Labs Inc.