Global spam volumes have fallen precipitously in the past two months, thanks largely to the cessation of junk e-mail from Rustock – until recently the world’s most active spam botnet. But experts say the hackers behind Rustock have since shifted the botnet’s resources toward other money-making activities, such as installing spyware and adware.
The decline in spam began in early October, shortly after the closure of Spamit, a Russian affiliate program that paid junk e-mail purveyors to promote Canadian Pharmacy brand pill sites. The graphic below, from M86 Security Labs, shows a sharp drop in overall spam levels from October through the end of 2010.
Prior to the Spamit closure, Rustock was responsible for sending a huge percentage of all spam worldwide, M86 reported. But since Christmas Day, the Rustock botnet has basically disappeared, as the amount of junk messages from it has fallen below 0.5 percent of all spam, according to researchers at Symantec‘s anti-spam unit MessageLabs.
Turns out, other spam botnets also have been MIA since Christmas: “The Lethic botnet has been quiet since December 28, and the Xarvester botnet went silent on December 31,” writes Symantec’s Eric Park.
Statistics from SpamCop, shown in the graphic below, also illustrate a substantial drop in spam volumes, particularly during the final week of 2010.
On Tuesday, I interviewed Phil Hay, senior threat analyst with M86, about the possible reasons for the decline. Hay said individual bots infected with the Rustock malware were still phoning home to the Rustock control servers, which appeared to be responding with instructions to download files. But he said the files didn’t appear to have anything to do with spam.
I asked Hay whether it was possible that Rustock was simply being used to install spyware and adware for affiliate programs that pay people to generate installations. As I reported in a Washington Post Magazine story from 2006, this is a very reliable way for botnet owners to make money. Hay said he’d check into it and get back to me.
Today, I received the following response:
“Hello Brian. After talking to you today, we had another look at Rustock. While it was still quiet on the spam front, we did notice the malware performing what looks to be a pay-per-click fraud. When we doubled checked our older Rustock trace files from December, we also noticed the same sort of traffic. We missed it the first time because the sheer volume of spam-related traffic overshadowed the pay-per-click traffic. So Rustock was spamming and ‘clicking’ concurrently, but now is just clicking. The attached image is from Rustock traffic today. It shows a GET request made to www.gamecetera.com with a referrer set to playdrom.com. Other sites we saw Rustock making requests to today include: