Botnets Rebuild After Rustock Takedown

In March, Microsoft, the U.S. Federal Marshal service and security firm FireEye took down the Rustock botnet, a network of a million compromised computers surreptitiously managed by a group of criminal bot operators.

While the takedown resulted in spam dropping by nearly a third, it had an unintended side effect: an increase in the volume of email messages carrying malicious links or attachments. Security experts theorize that the takedown of the Rustock botnet has left a large gap in the supply of compromised computers and that bot operators are scrambling to build bigger botnets to fill it.

"Whether they are the Rustock group trying to rebuild or they are rivals to Rustock who are trying to take on the demand that was there previously" is uncertain, says Paul Wood, senior analyst with Symantec.cloud, the online security service arm of Symantec. "Obviously they have customers that wanted to send their spam messages and they can't, so they will be looking to rival providers."

This week, security companies Symantec and Commtouch both noted that malicious email traffic had increased. Symantec found that one out of every 169 emails carried a malicious link or attachment, an increase of 24 percent since March.

In its analysis, Commtouch saw a spike in the amount of malicious email in late March and early April. While the dramatic jump in virus-laden spam accounted for as much as 30 percent of total email traffic, it subsided soon after. Yet the results seem to indicate that the bot masters' attempt to grow their botnets had worked: on Thursday, the company noted a 71 percent increase in zombies since March.

The Rustock botnet, which consists of some 1 million compromised PCs, was capable of sending up to 30 billion spam messages per day. Spam dropped by nearly a third following the takedown, which Microsoft accomplished by convincing a judge to issue a restraining order letting the company seize the servers used to control the botnet. Those servers were hosted in facilities in seven U.S. cities.

The Rustock group provided a service to other criminals. Since the takedown, the void in spamming capabilities is being filled, says Wood.

"Likely, there are other rival criminal gangs out there, who are trying to grow and enhance their existing botnets to take up that slack," Wood says. "Just like in the real world, if your postal carrier was to go on strike, you would go to someone else to deliver your mail, your parcel, and then it would be very difficult to go back to the original provider, because you have got another reliable service."
