March 16, 2011

Global junk e-mail volume took a massive nosedive today following what appears to be a coordinated takedown of the Rustock botnet, one of the world’s most active spam-generating machines.

Rustock spam volumes, from M86 Security Labs

For years, Rustock has been the most prolific purveyor of spam — mainly junk messages touting online pharmacies and male enhancement pills. But late Wednesday morning Eastern Time, dozens of Internet servers used to coordinate these spam campaigns ceased operating, apparently almost simultaneously.

Such an action suggests that anti-spam activists have succeeded in executing possibly the largest botnet takedown in the history of the Internet. Spam data compiled by the Composite Spam Blocklist (CBL), the entity that monitors global junk e-mail volumes for the anti-spam outfit Spamhaus.org, shows that at around 2:45 p.m. GMT (10:45 a.m. EDT) spam sent via the Rustock botnet virtually disappeared. The CBL estimates that at least 815,000 Windows computers are currently infected with Rustock, and that number is more than likely conservative.

“This is a truly dramatic drop,” said one anti-spam activist from Ottawa, Canada, who asked not to be named because he did not have permission from his employer to speak publicly about the spam activity spike. “Normally, Rustock is sending between one and two thousand e-mails per second. Today, we saw infected systems take an abrupt dive to sending about one to two emails per second.”

Joe Stewart, director of malware research with Atlanta-based Dell SecureWorks, said none of the 26 Rustock command and control networks he’s been monitoring were responding as of Wednesday afternoon.

“This looks like a widespread campaign to have either these [Internet addresses] null-routed or the abuse contacts at various ISPs have shut them down uniformly,” Stewart said. “It looks to me like someone has gone and methodically tracked these [addresses] and had them taken out one way or another.”

Update, Mar. 18, 10:04 a.m. ET: As many readers have pointed out, the Wall Street Journal is reporting that the takedown of Rustock was engineered by Microsoft, which used the legal process to shutter the botnet’s control networks at various U.S.-based hosting providers. For more on how Microsoft did that, check out my latest story, Homegrown: Rustock Botnet Fed by U.S. Firms.

Original story:

In a report that SecureWorks issued last month, the company said the author(s) of Rustock have pioneered a variety of techniques to evade detection on infected machines and to stymie security researchers hoping to unlock the secrets of its day-to-day operations. For example, the company notes that many PCs infected with Rustock were configured to wait for up to five days before spamming.

From that report:

“The most prolific spam botnet in existence today is Rustock. In past years, Rustock would sometimes be overtaken for the top spot by other botnets, but these days it has pulled away from the pack with a strong lead. The reasons for this are due to the author’s relentless development of stealth tactics that have been added to the Rustock codebase over the years. First and foremost, Rustock was designed as a rootkit, burying its files and activity deep inside the Windows operating system where it can hide from popular anti- malware products and remain on an infected system longer.”

It may yet be too soon to celebrate the takedown of the world’s largest spam botnet. For one thing, PCs that were infected with Rustock prior to this action remain infected; they are now merely cut off from their controllers, like sheep without a shepherd. In previous takedowns, such as the one executed against the Srizbi botnet, the botmasters were able to regain control over their herds of infected PCs using a complex algorithm built into the malware that generates random but unique Web site domain names, which the bots are instructed to check for new instructions and software updates from their authors. Under such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to, and controlling, the herd of infected computers.

Stewart said that whoever is responsible for this takedown clearly has done their homework, and that the backup domains hard-coded into Rustock appear to also have been taken offline. But, he said, Rustock also appears to have a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster to regain control over the pool of still-infected PCs. Stewart said Rustock-infected machines routinely reach out to a variety of popular Web sites, such as Wikipedia, Mozilla, Slashdot, MSN and others, and that it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains.
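The fallback mechanism described above cuts both ways: a domain generation algorithm (DGA) that derives the day's rendezvous names from a public seed lets the botmaster reclaim the herd with a single registration, but once a defender has recovered the algorithm, the same computation yields the list of names to register, sinkhole or block ahead of time, and the DNS lookups to hunt for in resolver logs. The following is an added example, not code from this post and not Rustock's actual algorithm (which the post does not publish): a hypothetical SHA-256, date-seeded DGA, a window of candidate names around today to absorb clock skew, and a matcher run over constructed DNS log lines. The seed string, TLD set, log format and client addresses are all constructed for the illustration.

```python
"""Defender-side handling of a date-seeded DGA (hypothetical algorithm)."""
import hashlib
import re
from datetime import date, timedelta

# Constructed values for the illustration; neither the seed text nor the
# derivation below is Rustock's (the post does not publish its algorithm).
SEED = "example headline text pulled from a public site"
TLDS = ("com", "net", "info")
DEMO_DAY = date(2011, 3, 17)

# Constructed resolver log format: "<timestamp> <client-ip> query A <name>"
LOG_RE = re.compile(r"^(\S+) (\S+) query A (\S+)$")


def generate_candidates(seed, day, count=5):
    """Derive `count` deterministic domain names from a seed plus the calendar
    day. Bot, operator and defender who know the algorithm all get the same list."""
    names = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        # Map the first 12 hex digits onto letters a-p to form a DNS label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def candidate_window(seed, today, days_before=1, days_after=2):
    """Candidates for a window of days around `today`, so bots with skewed clocks
    or operators registering ahead are still covered. Returns {domain: day}."""
    window = {}
    for offset in range(-days_before, days_after + 1):
        day = today + timedelta(days=offset)
        for name in generate_candidates(seed, day):
            window[name] = day
    return window


def find_dga_lookups(log_lines, window):
    """Return {client: [matched domains]} for clients that resolved any name in
    the precomputed window. Malformed lines are skipped, FQDN dots normalised."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, name = m.groups()
        name = name.rstrip(".").lower()
        if name in window:
            hits.setdefault(client, []).append(name)
    return hits


def demo(today=DEMO_DAY):
    """Build a constructed log with two DGA lookups, two benign lookups and one
    malformed line, then run the matcher against the candidate window."""
    todays = generate_candidates(SEED, today)
    tomorrows = generate_candidates(SEED, today + timedelta(days=1))
    log = [
        f"2011-03-17T10:00:01Z 10.0.0.5 query A {todays[0]}",
        "2011-03-17T10:00:02Z 10.0.0.5 query A www.wikipedia.org",
        f"2011-03-17T10:00:03Z 10.0.0.9 query A {tomorrows[3]}.",
        "2011-03-17T10:00:04Z 10.0.0.7 query A slashdot.org",
        "malformed line that the parser skips",
    ]
    return find_dga_lookups(log, candidate_window(SEED, today))


if __name__ == "__main__":
    for client, names in demo().items():
        print(client, "resolved DGA candidates:", names)
```

In practice the window size is a judgement call: wide enough to catch bots whose clocks drift and operators who register a few days out, narrow enough that the blocklist stays manageable and the registrations stay affordable. Where the seed is pulled from a live page rather than a fixed string, the defender has to fetch the same page at the same granularity the bot does, which is exactly why a headline-based seed complicates pre-registration.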

More on this fast-developing story as data becomes available. If you have ground-level data that supports or refutes the conclusions in this blog post, please post the information here or send me a note privately.

Update, March 17, 1:47 p.m., ET: Added the graphic from M86 Security Labs, which said on its blog that it also has seen Rustock spam dry up and that the botnet’s controllers are not responding.


48 thoughts on “Rustock Botnet Flatlined, Spam Volumes Plummet”

  1. Sébastien Duquette

    Little typo, the city is named Ottawa.

    1. BrianKrebs Post author

      Whoops. Thanks. I had fixed that in an earlier version of this blog post, but lost a lot of it when my browser crashed as I was making some last minute edits. Fixed again!

  2. Mark Giles

    Spam stats of relative botnet spam usage is shown at
    http://www.m86security.com/labs/spam_statistics.asp

    Back in August 2010 rustock accounted for 60% of spam.
    In September it dropped out of sight until December/January when it clawed back its share to 10%.
    Last week it was sitting at 5% ranked at number 8 out of 13.

    However, those statistics aside, a shutdown to flat again is a very satisfactory item of news.

    A startling display confirming the overall spam rate drop over the past 18 month is at Cisco’s Ironport graph
    http://www.senderbase.org/home/detail_spam_volume?displayed=last18months

    1. Chris

      Mark, those Cisco IronPort stats look a bit dodgy to me – the “% of Global Email Volume” figures barely change at all despite the spam level dropping to less than a tenth of what they were previously. Or am I reading that wrong?

      1. grumpy

        The %-column looks quite bunk to me too. Unless of course global email volume as a whole has dropped by 90% in the last year. Possible but not likely IMHO.

    2. Jason

      That Cisco graph is curious. Perhaps they’re just analyzing spam that is crossing Cisco equipment? And perhaps their equipment is better at blocking spam? Unless we can see these stats confirmed elsewhere, it’s hard to believe we’re winning the spam war.

    3. Rebecca Herson

      Commtouch Labs posted its traffic graph from the week prior and including the Rustock take down here: http://blog.commtouch.com/cafe/anti-spam/has-the-reported-disruption-of-rustock-affected-spam-levels/. No significant reduction in spam was evident, unfortunately.

      And if you look at the Cisco Ironport graph closely, you will see that it only goes through February 2011, so it doesn’t include the Rustock shut down period in March. It will be interesting to see how the graph looks when it’s updated to include the month of March, since the Jan & Feb levels were already so low according to this graph.

      Incidentally, Commtouch also displays a steady decline from the summer through the end of 2010, however shows a trend upwards in spam traffic for Jan & Feb 2011 – see http://blog.commtouch.com/cafe/anti-spam/reality-check-%E2%80%93-spam-is-going-up/.

      Commtouch’s reported data is actually quite similar to the M86 graph , which goes down towards the end of 2010 and starts climbing back up in Jan/Feb and even March.

  3. Christine

    I would rather you not post this, I just didn’t know how to contact you directly. If I thought that this might have something to do with my computer and the dates match up in Sept, and things I was doing with my computer all through the night – how would I know and is there anything I could send that would give insight? If it was mine then it’s just blocked off but will reinstall itself again if I have to redo my system again. I haven’t been using my email out of fear that signals were being sent and triggered that way. I do follow you on twitter I’m kurleycc. I am disabled vet so on my limited income I have been fighting this on my own since last Feb. Sept I caught something in mid update and locked up all the hard drive by assigning me as the owner and only read permissions for anyone else. A bit of a head game war started after that with whoever has been playing with my system. They like to toy with me and my system seems to get the extensions updated along with other files right before spam or browser injections for websites take place. I believe this started from a mafia wars contact on Facebook. I was stalked through the summer with hate messages (still have them all) about lesbians. Around the same time as the attack that I caught I was getting spam with file names that were anti gay all ending in .ru. I may still be searching for my system and not have anything to do with this but some of the dates, times and info seemed to maybe match?

  4. DavidM

    While I sure won’t lose any sleep at the sight of less SPAM in my e-mail…for the time being we can smile at knowing the Rustock gang is scrambling to get their Botnet back online, which I am sure they will over time… but I say Kudos to whoever was behind getting these crooks offline. But let’s enjoy it while it lasts…

  5. Uzzi

    Someone’s glass of water confirming rustock dropping spam volume after/around microsoft updates? oO

  6. Bill in Tennessee

    Here’s a modest proposal (in the spirit of Jonathan Swift): All spammers, all malicious code writers, and anyone else who mucks about with other people’s computers should be hunted down and have their kneecaps shattered with baseball bats. Inform them (after all the annoying screaming and crying settles down) that should they ever again write another line of code or send so much as a single email, they will be revisited and other parts of their anatomy will feel the baseball bat. Several gainful, productive careers might then be suggested, ones that allow people in wheelchairs to engage in (but not computers, of course), and the benefits of their new condition should be pointed out…such as the GREAT parking they are going to have from now on. There, that’s how I feel about spammers… I think Jonathan Swift would be proud.

  7. PJ

    Is there a specific removal tool that one can use to clear a rustock infected computer, other than the routine antivirus programs?

    1. JCitizen

      Dear PJ;

      There is no guarantee that any single solution will even find the Rustock root kit, or remove it even if it does find it. Some knowledgeable folks who are really good at recognizing file types that are out of place, can remove them by booting to a linux LiveCD where they can then see the hidden files.

      If you have a paid anti-virus like Norton, I have had them remote in to look for suspicious looking files/folders in the file tree using special tools, and they did that for free. Otherwise, you might try running a rescue CD from one of the various AV companies burned from a clean PC. However they are starting to get picky about whether you have their product already onboard before you can use the CD, so keep that in mind.

      You can use GMER or Avast with GMER technology, but then we are back to signature based methods which are not guaranteed to work; same situation with rescue disks.

      I should think rootkits for 64bit systems are still rather rare; and I’m not sure they can install themselves if you run as standard user all the time. Perhaps someone with more up to date information can weigh in here.

        1. JCitizen

          Thank you Julia;

          I knew there was at least one out there. I’m sure they will be growing in number as they become more in demand by criminals.

          I still have not read whether Alureon needs administrative rights to install; however, as we know, social engineering can blow through that too.

      1. Purple Library Guy

        Or you could take that Linux LiveCD, shift your personal files to another drive or partition, wipe Windows and install Linux from the LiveCD. Rustock all gone, along with any other rootkits, viruses, spyware and whatnot.
        I know, I know. Few people are going to switch to Linux just for security. Just sayin’.
        😉

        1. JCitizen

          Linux is not immune to rootkits – LiveCDs are. If we could get a LiveCD in Windows; probably people would try it too.

          I’m also not convinced any browser compatible with banking sites would be totally immune to these new threats either; but then the bank site would have to have an infected page. Problem is, some small banks do get pwned that way.

  8. Mark Giles

    Note: I have no affiliation with these companies.
    I don’t want to hijack this thread into a discussion of spam stats, but in reply to queries –
    1. Cisco Ironport sampling size: From http://www.senderbase.org/about
    “SenderBase®— is the world’s largest email and Web traffic monitoring network. First introduced in February 2003 IronPort’s SenderBase Network collects nowadays data on more than 25 percent of the world’s email traffic and provides an unprecedented real-time view into security threats from around the world.”
    2. percentage of spam: From M86 labs http://www.m86security.com/labs/spam_statistics.asp
    See the Spam % of Mail (83%) and the roughly similar Spam Volume Index graph of the decrease over 12 months.
    Spam rate decreases but % of spam stays the same. Go figure!

  9. Kooberfacer

    For every action there is an equal and opposite reaction. Cause and effect. Kudos to whomever took them out.

    1. Uzzi

      So my little glass of water was right… Good job, thanks guys. oO( How about giving those millions of out-dated windows machines some extra love? – Everyone with a little insight knows google, bing, hotmail & co. are aware of out-dated user agent strings and keep silent…)

  10. Davidm

    Thanks guys for the links to the MS and WSJ sites… appreciated!

  11. AlphaCentauri

    Numerous antispammers were sent joe job spams yesterday for jejavascript.net — over 20,000 copies per email address for some of us. We’re wondering if the rustock takedown was the occasion for that little hissy fit. (The joe jobs were mailed from maazben, not rustock.)

  12. Kent

    I have a Hotmail account that’s from the late 1900’s it seems like – and I usually get four to ten spam emails a day even though it’s the acct I use for commercial transactions – Ebay and so on.

    About two months ago or so, I started getting about 10-15 additional spam emails touting programs for “prestigious psychology degree”, Pharmacy assistant”, “Online Doctorate”, “Certified Nursing Assistant” and the like.

    After it didn’t go away I finally decided to check the headers and find where it was coming from, and it all coming from Constellate ips down in Dallas.

    So I emailed them a few times complaining about the spam coming from their ips, and each time a ticket was generated and then the cases summarily closed the next day without comment.

    That was right before the Wednesday take down of Rustock.

    On Thursday, all those “degree” type emails abruptly stopped.

    I see in the WSJ article, some of the hosting companies raided where in Dallas – I’d really like to see some names – would be interesting. Some youtube footage would be even better.

    1. JCitizen

      That’s funny; I give out my email address all over the internet, and I might get maybe one or two spams, every other day on hotmail. They have the best anti-spam ever.

      1. Jason

        Do your post your address online, JCitizen? I mean, on a webpage or blog or whatever?

        1. Kent

          [ @JCitizen
          Like I wrote there, I’ve had that Hotmail address since probably before Spam was even in common parlance. I use it for everything public or commercial. MS’s filters are pretty good, but when you’ve had an email address that long it’s probably been around the world on various spammers’ email lists several times. I’m kind of surprised I don’t have more spam actually.

          Back in those days though, a French programmer friend of mine got tired of one spammer who had not hidden himself very well, and my friend wrote a little program that sent the guy an email every fifteen seconds, something to the effect of “Give me a reason to turn this off.” The guy actually emailed him the next day, desperate, plead guilty and apologized, and stopped spamming him. ]

          @pat & AlphaCentauri
          Thanks a lot for that info.
          Yes I think that was probably the case – Constellate not being the C&C servers. But from what I saw they’re more of a hosting company than an ISP, so my guess is it might have been inadvertently hosting some infected server(s). It was a good sized handful of the 64.182.192.0/18 range of IPs.

          It was really dramatic how fast it stopped – from 15-20 extra per day to zero in one day, and still zero today .

          1. JCitizen

            Thank you both for your comments. I sign up for stuff like everyone else, and don’t always use my junk mail address; and no I don’t publish it on forums.

            The spammer that got spammed is a riot~! 😀

  13. Kent

    ay, where is the edit button . . .

    “and it all coming from Constellate ips down in Dallas” should be
    “and it was all coming from Constellate ips down in Dallas.”

    “raided where in Dallas” should be “were”

    So it goes.

  14. AlphaCentauri

    Thanks for that link. Here’s the list of hosts from the complaint:

    FDCservers.net, LLC
    Chicago, IL
    Denver, CO
    Woodstock, IL

    Wholesale Internet Datacenter, LLC
    Wholesale Internet, Inc.
    Kansas City, MO

    BurstNET Technologies, Inc d/b/a Network Operations Center, Inc.
    Scranton, PA

    Ecommerce, Inc.
    Columbus, OH

    Softlayer Technologies
    Dallas, TX
    Chantilly, VA
    Tukwila, WA

    VPLS Inc. d/b/a Krypt Technologies
    Santa Ana, CA
    Los Angeles, CA

    DCS Pacific Star, LLC
    Los Altos, CA

    Atjeu Publishing LLC/Atjeu Hosting LLC
    Phoenix, AZ

    Reliable Hosting Services, LLP
    Reston, VA

    Noc4Hosts, Inc.
    Tampa, FL

    @Kent: While your Constellate host isn’t here, remember that the spam you actually see is coming from the computers of victims infected with malware, not from the C&C servers themselves. The appropriate response to some grandmother who was fooled by an email that claimed to be from the IRS and infected her with Rustock malware might well be to just help her get her computer disinfected and try to instruct her how to avoid infection.

    1. Kent

      (whups, posted it above, tacked on to another reply – should have been down here.)

      @pat & AlphaCentauri
      Thanks a lot for that info.
      Yes I think that was probably the case – Constellate not being the C&C servers. But from what I saw they’re more of a hosting company than an ISP, so my guess is it might have been inadvertently hosting some infected server(s). It was a good sized handful of the 64.182.192.0/18 range of IPs.

      It was really dramatic how fast it stopped – from 15-20 extra per day to zero in one day, and still zero today .

  15. Russian Speaker

    Did it just happen so that at the moment of takedown all Rustock’s C&C servers were hosted in just two jurisdictions – US and Netherlands? That’s a serious miscalculation on the botnet owners’ part if it is true.

    1. AlphaCentauri

      Definitely a vulnerability, but probably done on purpose to make it less obvious when infected bots try to contact the C&C server. I would also suspect it means the botherder(s) are located in the US, so that it is less obvious when they contact the C&C servers themselves.

      That sealed court petition was filed February 9, and the takedown was March 16. The question is, how long did the court take to rule on it, and did researchers have a chance to monitor traffic to the servers before they were taken off line?

      1. JCitizen

        I’ve always heard the spammers like the high bandwidth here in the US; so it is worth the risk – I estimate.

    2. Russian Speaker

      Answering my own question:
      from http://blog.fireeye.com/research/2011/03/an-overview-of-rustock.html

      “Along with having a relatively unused tactic to find their C&C, they did something virtually no major malware (outside of the APT world) does today, and that’s use 95+% US based Command and Control servers. Many security products, be it a home security suite or an enterprise secure web gateway, use some notion of “IP reputation” to block or allow traffic. Certainly a US Government system constantly beaconing to Russia, Latvia, or China would raise some flags, and conversely, a beacon to Scranton, PA, or Chicago, IL would receive less scrutiny. Indeed, if you examine the top C&Cs used over the past 6 months, you’ll find that not only have they not had to move IPs, all the top hits were based in the US. You might want to check your firewall logs to look for connections going to the c&c servers we have seen in use recently.”

      Still baffles me. Rustock is not an APT, it’s a “WMD”-type botnet. There is little reason to limit the C&C’s to just two fairly “responsive” jurisdictions and there’s a lot to lose. Probably the botherders thought they’re the smartest kids on the block and there’s no chance of a calculated takedown. Well, it looks like this time they were wrong and there may be some delayed mortgage payments on some of Rublevka’s mansions in the next months…

  16. Martin

    Whoa, hang on. Something is very, very wrong here. From the FireEye post:
    “Lastly, let us not forget that as part of the operation, Microsoft, along with a forensic company trained in chain-of-custody and evidence preservation, seized the physical hard drives from the servers.”

    Why does Microsoft get custody of the equipment? Shouldn’t law enforcement be handling everything? If this is due process, it’s very disturbing. Wouldn’t it be interesting if one of the “confiscated” servers is a shared host and has some startup competitor’s pre-patent data on it. Almost certainly untrue, but how would we know, and what could be done about it? What is the burden of proof on a corporation to simply take anyone’s anything whenever they feel like it for however long they want? I hope their lawyers and a US Marshal don’t show up at my door and demand my laptop now for speaking out against them. Of course, they would just say that my laptop was participating in Rustock (which it is not), but who would question them?

    1. JBV

      Martin: Tell it to the judge.

      From the WSJ article:

      “As part of that dragnet, U.S. marshals accompanied employees of Microsoft’s digital crimes unit into Internet hosting facilities in Kansas City, Mo.; Scranton, Pa; Denver; Dallas; Chicago; Seattle and Columbus, Ohio. The Microsoft officials brought with them a federal court order granting them permission to seize computers within the facilities alleged to be “command-and-control” machines …

      “Microsoft launched the raids as part of a civil lawsuit filed in federal court in Seattle in early February against unnamed operators of the Rustock ‘botnet’ ….”

      That hardly sounds like they “simply take anyone’s anything.”

      It’s a civil action, not a criminal case. Microsoft wanted evidence and convinced a federal judge that Microsoft was entitled to get it. It’s highly unlikely that the hosts would have voluntarily handed over the computers, and, with advance warning, it’s reasonably probable that the hosts might tamper with them – hence the raids.

      1. JCitizen

        In some states, if you can’t get a prosecutor interested in your complaint you can hire a lawyer to prosecute the case with the same power as a DA. So I’d say MS was well within its rights to institute this action.

        However this is not a state deal; it is Federal. You get into a whole different ball of wax when you deal with Federal law.

        1. BrianKrebs Post author

          I’m planning several follow-up stories on this takedown, and the one going up tomorrow will delve a bit more into the novel legal strategies that Microsoft used in this case to seize hard drives. It’s definitely pretty interesting, and apparently controversial.

        2. AlphaCentauri

          Microsoft could have gotten a criminal complaint. These servers were being used by websites claiming to sell narcotics. If someone is hosting a Rustock C&C server, one could make a case that they ought to have been aware of it.

          The federal laws for “conspiracy” cover a wide range of activities. If some kid from the ‘hood who happens to be a passenger in the car of a friend who happens to have a kilo of marijuana in his trunk can be sent to federal prison for 10 years, how much more can you make a case against a system administrator whose server has been continuously directing the distribution of percocets on line in massive quantities for 5 years?

          So I am interested to hear if Microsoft and the federal marshals actually showed up with two subpoenas, so that hosts that chose to challenge the civil seizure would have been served with a criminal complaint and possible arrest.

          I still have problems with handing the servers directly to Microsoft instead of to the FBI or an organization like Team Cymru or NCFTA that isn’t allied with a particular private company.

      2. Martin

        RE: “Microsoft wanted evidence and convinced a federal judge that Microsoft was entitled to get it.” Exactly: Do you really think judges truly understand the technical realities of these situations? I understand that what MS did was technically legal. The raw, real power of a giant, well-paid legal team is absolutely terrifying and unstoppable by any non-F100 company. It was apparently used for good here, but that’s only because MS and “good” had aligned interests. If I were a competitor to MS, I would move my proprietary data to Switzerland.

  17. decula

    Well, it’s been a couple of weeks. The seeding to replace the lost C&C is in full swing – I just experienced a redirect to a host at ATJEU.COM with a fake virus scan from antivirus.cw.cm

    they don’t learn fast or don’t care. iptable’d 69.50.192.0/19

Comments are closed.