The global volume of junk e-mail took a massive nosedive today following what appears to be a coordinated takedown of the Rustock botnet, one of the world’s most active spam-generating machines.
For years, Rustock has been the most prolific purveyor of spam — mainly junk messages touting online pharmacies and male enhancement pills. But late Wednesday morning Eastern Time, dozens of Internet servers used to coordinate these spam campaigns ceased operating, apparently almost simultaneously.
Such an action suggests that anti-spam activists have succeeded in executing possibly the largest botnet takedown in the history of the Internet. Spam data compiled by the Composite Spam Blocklist (CBL), the entity that monitors global junk e-mail volumes for the anti-spam outfit Spamhaus.org, shows that at around 2:45 p.m. GMT (10:45 a.m. EDT) spam sent via the Rustock botnet virtually disappeared. The CBL counts at least 815,000 Windows computers currently infected with Rustock, and that figure is more than likely conservative.
“This is a truly dramatic drop,” said one anti-spam activist from Ottawa, Canada, who asked not to be named because he did not have permission from his employer to speak publicly about the drop in spam activity. “Normally, Rustock is sending between one and two thousand e-mails per second. Today, we saw infected systems take an abrupt dive to sending about one to two emails per second.”
Joe Stewart, director of malware research with Atlanta-based Dell SecureWorks, said none of the 26 Rustock command and control networks he’s been monitoring were responding as of Wednesday afternoon.
“This looks like a widespread campaign to have either these [Internet addresses] null-routed or the abuse contacts at various ISPs have shut them down uniformly,” Stewart said. “It looks to me like someone has gone and methodically tracked these [addresses] and had them taken out one way or another.”
Update, Mar. 18, 10:04 a.m. ET: As many readers have pointed out, the Wall Street Journal is reporting that the takedown of Rustock was engineered by Microsoft, which used the legal process to shutter the botnet’s control networks at various U.S.-based hosting providers. For more on how Microsoft did that, check out my latest story, Homegrown: Rustock Botnet Fed by U.S. Firms.
In a report that SecureWorks issued last month, the company said the author(s) of Rustock have pioneered a variety of techniques to evade detection on infected machines and to stymie security researchers hoping to unlock the secrets of its day-to-day operations. For example, the company notes that many PCs infected with Rustock were configured to wait for up to five days before spamming.
From that report:
“The most prolific spam botnet in existence today is Rustock. In past years, Rustock would sometimes be overtaken for the top spot by other botnets, but these days it has pulled away from the pack with a strong lead. The reasons for this are due to the author’s relentless development of stealth tactics that have been added to the Rustock codebase over the years. First and foremost, Rustock was designed as a rootkit, burying its files and activity deep inside the Windows operating system where it can hide from popular anti-malware products and remain on an infected system longer.”
It may yet be too soon to celebrate the takedown of the world’s largest spam botnet. For one thing, PCs that were infected with Rustock prior to this action remain infected; they are merely cut off from their controllers, like sheep without a shepherd. In previous takedowns, such as the one executed against the Srizbi botnet, the botmasters were able to regain control over their herds of infected PCs by way of an algorithm built into the malware that generates a pseudo-random but predictable Web site domain name, which the bots are instructed to check for new instructions and software updates from its authors. Because the botmaster knows the algorithm, he can compute the same names the bots will try and needs only to register one of them in order to resume sending updates to and controlling the herd of infected computers.
Stewart said that whoever is responsible for this takedown clearly has done their homework, and that the backup domains hard-coded into Rustock appear to also have been taken offline. But, he said, Rustock also appears to have a mechanism for randomly generating and seeking out new domain names that the botmaster could register to regain control over the pool of still-infected PCs. Stewart said Rustock-infected machines routinely reach out to a variety of popular Web sites, such as Wikipedia, Mozilla, Slashdot, MSN and others, and that it is possible that Rustock is configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains.
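The two preceding paragraphs describe a domain generation algorithm (DGA): bot and botmaster share a seed and a procedure for turning it into candidate names, so a single registration by the botmaster revives the herd, while a defender who knows the procedure can pre-register or sinkhole every candidate first. The Python below is an added illustration of that mechanism and is not Rustock’s real algorithm, nor code from SecureWorks; the TLD list, the shared secret, the SHA-256 construction, the date-based seed and the headline-based seed (standing in for the topical-content scheme Stewart speculates about) are all assumptions, and the sample page and the "resolvable" set are constructed so the example runs offline.

```python
"""
Illustrative domain generation algorithm (DGA), as described in the post.
This is an added example, NOT Rustock's algorithm: the seed schemes, TLD
list, shared secret and hashing are assumptions chosen for illustration.
"""
import hashlib
import re
from datetime import date, timedelta

# Assumed stand-ins for whatever a real DGA bakes into the binary.
TLDS = ("com", "net", "info")
SECRET = b"example-shared-secret"


def candidate_domains(seed: str, count: int = 10, length: int = 12) -> list:
    """Turn a seed string into `count` pseudo-random domain names.

    Deterministic: bot and botmaster compute the same list from the same
    seed, so no C&C address needs to be hard-coded and one registration
    by the botmaster is enough to regain the herd.
    """
    domains = []
    for i in range(count):
        material = SECRET + seed.encode("utf-8") + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map the first `length` digest bytes onto lowercase letters.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def date_seed(day: date) -> str:
    """Time-based seed: a fresh list every day, a common DGA design."""
    return day.isoformat()


_HEADLINE = re.compile(r"<h[12][^>]*>(.*?)</h[12]>", re.I | re.S)
_TAG = re.compile(r"<[^>]+>")


def headline_seed(page_html: str) -> str:
    """Topical seed of the kind the post speculates about: the first <h1>/<h2>
    on a popular page, normalized so every bot derives the same string.
    Returns "" when the page has no headline."""
    m = _HEADLINE.search(page_html)
    if not m:
        return ""
    text = _TAG.sub("", m.group(1))
    return " ".join(text.split()).lower()


def find_controller(domains: list, resolvable: set) -> str:
    """Bot side: try the candidates in order, stop at the first that resolves.
    `resolvable` is a constructed stand-in for DNS so this runs offline."""
    for d in domains:
        if d in resolvable:
            return d
    return ""


def precompute_for_takedown(start_iso: str, days: int, per_day: int = 10) -> list:
    """Defender side: knowing the algorithm, list every domain the bots will
    try over the next `days` days so all of them can be registered or
    sinkholed before the botmaster gets to any one of them."""
    start = date.fromisoformat(start_iso)
    out = []
    for n in range(days):
        out.extend(candidate_domains(date_seed(start + timedelta(days=n)), per_day))
    return out


# Constructed sample page, standing in for a headline fetched from a news site.
SAMPLE_PAGE = """<html><body>
<h1 class="top">Spam  Volume <b>Plunges</b> After Botnet Takedown</h1>
<p>...</p></body></html>"""

if __name__ == "__main__":
    today = date(2011, 3, 16)
    todays = candidate_domains(date_seed(today))
    # Botmaster registers only the third candidate; the herd still finds it.
    print("bot reconnects via:", find_controller(todays, {todays[2]}))
    # Defender pre-registers the whole week; nothing is left to register.
    week = set(precompute_for_takedown(date_seed(today), 7))
    later = candidate_domains(date_seed(today + timedelta(days=3)))
    print("all of day+3 already covered:", all(d in week for d in later))
    print("headline seed:", repr(headline_seed(SAMPLE_PAGE)))
```

The point the code makes is symmetric: whatever lets the botmaster recover the herd with one registration lets a defender who has reversed the algorithm enumerate the same names in advance, which is why a takedown that only null-routes the current controllers and hard-coded backups is incomplete. A headline-seeded variant resists that pre-computation, since the seed is not known until the headline is published, and that is precisely what makes the scheme Stewart speculates about worth watching for.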
More on this fast-developing story as data becomes available. If you have ground-level data that supports or refutes the conclusions in this blog post, please post the information here or send me a note privately.
Update, March 17, 1:47 p.m., ET: Added the graphic from M86 Security Labs, which said on its blog that it also has seen Rustock spam dry up and that the botnet’s controllers are not responding.