More than 40 percent of the world’s spam is coming from a single network of computers that computer security experts continue to battle, according to new statistics from Symantec’s MessageLabs’ division.
The Rustock botnet has shrunk since April, when about 2.5 million computers were infected with its malicious software that sent about 43 billion spam e-mails per day. Much of it is pharmaceutical spam.
Now, about 1.3 million computers are infected with Rustock, and the botnet is making up for its decreased size with increased volume, said Paul Wood, a MessageLabs intelligence analyst with Symantec. Those infected computers — most of which are in North America and Western Europe — are collectively sending around 46 billion spam e-mails per day.
The reason for the drop in infected computers could be due to a number of factors, Wood said. Those computers’ antivirus programs may have detected the infections or the people controlling Rustock could have lost the connection to those computers for various reasons.
The computers infected with Rustock have also stopped using TLS (Transport Layer Security), an encryption protocol used to securely send e-mail. Spammers were believed to encrypt their spam using TLS because it was harder for other network equipment to inspect the traffic and figure out if it was spam, Wood said.
But sending e-mail using TLS required more resources and was slower. “It would seem that the botnet controllers, especially those behind Rustock, have perhaps realized that the use of TLS gave them little or no discernible benefits and instead impeded their sending capacity owing to the additional bandwidth and processing overhead needed for TLS,” the report said.
Rustock has proved to be a robust botnet. It was nearly killed off when McColo, an ISP in San Jose, California, was cut off from the Internet in November 2008 by its upstream providers. McColo had hosted the command-and-control servers for several botnets, including Rustock.
But Rustock’s operators were able to switch the command-and-control servers when McColo briefly regained connectivity again before finally being shut off, which has allowed it to run for nearly four years now.
Send news tips and comments to jeremy_kirk@idg.com