I’ve been watching the developing situation with the so-called Rustock spam-sending botnet this week. As first reported by Brian Krebs in his excellent “Krebs on Security” blog, Rustock – one of the more active spam-sending botnets – seems to have been the subject of a coordinated takedown effort (targeting the command and control networks used to send instructions to the compromised computers that make up the botnet), resulting in a dramatic drop in spam from Rustock.
Outlets including the Wall Street Journal report that our friends at Microsoft, working in conjunction with US federal law enforcement agents, have been successful in executing a court order allowing the seizure of computers in several datacenters (including Internet hosting providers in Missouri, Pennsylvania, Colorado, Texas, Illinois, Washington and Ohio) thought to be the servers that actually serve as the command infrastructure for Rustock.
While this has had an observable impact on spam volumes, the effect has been less dramatic than some previous botnet takedowns (such as the classic example of the shutdown of rogue ISP McColo).
See the chart below for some detail. It shows observed spam volumes from an assortment of my company’s spam traps (sometimes called honeypots) from the start of 2011 until March 17th (our last full day of data).
What it shows is the year’s unusual beginning, when Rustock and other botnets seemed to have gone on holiday, followed by a sharp increase in spam volume in mid-January. Since that time, spam volumes have oscillated between a baseline and roughly double that baseline. At the very right edge of the chart, you can see spam levels dropping to the baseline level, in part due to the Rustock shutdown.
Our spam watchers stress that even with Rustock gone, spam is expected to continue to exhibit this erratic, bursty behavior with large surges occurring at unpredictable intervals.
While spam volumes are down near the baseline level today, we aren’t seeing huge changes in “injection rate” — that is, new IPs continue to appear in our lists at the “normal” rate.
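As an added example (not part of the original post or my company’s tooling), the following Python computes both measurements described above from spam-trap records: daily volume as a multiple of the baseline, and the injection rate as the count of sending IPs first seen that day. The one-message-per-line log format and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample (not real data): "YYYY-MM-DD source_ip", one line per trapped message.
SAMPLE_LOG = """\
2011-03-14 198.51.100.10
2011-03-14 198.51.100.11
2011-03-14 203.0.113.5
2011-03-14 203.0.113.6
2011-03-15 198.51.100.10
2011-03-15 198.51.100.12
2011-03-15 203.0.113.5
2011-03-15 203.0.113.7
2011-03-15 203.0.113.8
2011-03-15 203.0.113.9
2011-03-15 198.51.100.13
2011-03-15 198.51.100.14
2011-03-16 198.51.100.10
2011-03-16 203.0.113.5
2011-03-16 198.51.100.15
2011-03-16 203.0.113.10
"""

def parse_log(text):
    """Yield (day, ip) pairs; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1]

def daily_metrics(records):
    """Return {day: (volume, new_ips)} in chronological order.
    volume  = trapped messages that day
    new_ips = sending IPs never seen on an earlier day (the "injection rate").
    Note: on the first day of history every IP is new, so that day is warm-up."""
    volume, new_ips, seen = defaultdict(int), defaultdict(int), set()
    for day, ip in sorted(records):  # ISO dates sort chronologically as strings
        volume[day] += 1
        if ip not in seen:
            seen.add(ip)
            new_ips[day] += 1
    return {d: (volume[d], new_ips[d]) for d in sorted(volume)}

def volume_vs_baseline(metrics):
    """Express each day's volume as a multiple of the lowest observed day,
    the baseline that surges are measured against."""
    baseline = min(v for v, _ in metrics.values())
    return {d: round(v / baseline, 2) for d, (v, _) in metrics.items()}
```

In the sample, the middle day runs at twice the baseline while still injecting new IPs, the pattern the post describes: volume oscillates, but fresh senders keep arriving.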
And in my personal spam quarantines, I’m continuing to see plenty of spam, including phishing messages with malware-infected attachments. So, as usual, it’s no time to drop one’s guard.
We’ll keep watching what happens with the spam volume situation over the next week and report interesting findings here in the blog.