Over the Christmas Holiday, spam activities the world over mysteriously went down. Even Rustock, considered to be the largest botnet, inexplicably went silent on Dec. 25.
Sad to say those spam-free days are over. Two separate security research labs recently reported that Rustock is back and spam numbers are once more on the rise.
“MessageLabs Intelligence analysts did not expect this respite to last, and sadly we were right,” reported Matt Sergeant, senior anti-spam technologist for Symantec Hosted Services. Sergeant and Mathew Nisbet, malware analyst for Symantec, released a report on Tuesday indicating that Rustock resumed operations on Jan. 10.
“MessageLabs Intelligence honeypot servers have seen an increase of roughly 98 percent in spam traffic between 00:00 and 10:00 today (Jan. 10) compared to the same period on January 9,” said Nisbet.
Since Dec. 25, Rustock seemed to have all but shut down, with the amount of spam coming from it consistently accounting for below 0.5 per cent of all spam worldwide, according to Symantec.
Further contributing to the massive reduction in spam levels is the apparent calming of two other major botnets, Lethic and Xarvester. MessageLabs Intelligence saw virtually nothing from Lethic since Dec. 28 and from Xarvester since Dec. 31.
While levels of Rustock output appear marginally lower than before Christmas, according to the Symantec report, the Canadian-based researchers said they anticipate the botnet will soon reach its previous level of activity and bring global spam levels back to approximately 90 per cent of all e-mail.
Possible power struggle
Meanwhile Commtouch, an Internet security technology provider based in Israel, also said its monitors indicate that spam levels began rising again this week. Commtouch is known for its Command Antivirus utilities, which use a multi-layered security approach, and for its patented Recurrent Pattern Detection technology for malware detection.
Asaf Greiner, vice president of Commtouch, said the lull in Rustock activities remains a mystery to many security researchers. He also broached the possibility of a power struggle or takeover.
Greiner said spammers rarely scale back their operations. “An inactive botnet is like an idle factory, a money-losing proposition for spammers,” he said.
“Spammers stop because they are either taken down by law enforcement agencies or rival criminal syndicates,” Greiner said. The Commtouch executive recalled the 2008 shutdown of the hosting firm McColo Corp., which took several major botnets offline.
“One reason for the spam slow down could be a power change in the botnet structure, perhaps the resurging activity is now under different management,” he said.
“We have seen situations where after a lull in spam or malware distribution, a new tactic is introduced,” Greiner added. He said threat experts should continue to monitor changes in network behaviour in order to proactively block new threats.
Rustock never sleeps
Even during the holiday lull, Rustock continued to exercise low levels of click fraud, an activity in which bots simulate “clicks” on Web page advertisements so that advertisers, who are billed on a pay-per-click model, end up paying out to sites controlled by the botnet operators.
Symantec said Rustock was spewing mostly pharma spam with subject lines like “Dear (username) – 80% now”. If you’re surprised how the spammers got hold of your first name, Symantec said spammers simply take the username from whatever appears before the @ symbol of your email address.
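That personalisation trick is also a usable filtering signal: if the “name” in the greeting is exactly the local part of the recipient address, the sender most likely never knew the recipient at all. The following is an added example, not code from the article or from Symantec or Commtouch, of a simple mail-filter heuristic that scores a message on that signal plus the “NN% now/off” pattern the article describes. The sample messages are constructed for the example; the address handling (lower-casing, stripping a “+tag” suffix) is an assumption about how a real filter would normalise recipients.

```python
import re

# Constructed sample (recipient, subject) pairs as a mail filter would see them.
# These are illustrative inputs, not messages captured from Rustock.
SAMPLE_MESSAGES = [
    ("jane.doe@example.com", "Dear jane.doe - 80% now"),
    ("bob+news@example.org", "Dear bob - 75% off now"),
    ("alice@example.net", "Quarterly report attached"),
    ("carol@example.net", "Dear Carol, your invoice is ready"),
]

# "80% now", "75% off" style discount bait in the subject line.
PERCENT_OFF = re.compile(r"\b\d{1,2}%\s*(now|off)\b", re.IGNORECASE)


def local_part(address: str) -> str:
    """Return the text before '@', lower-cased, with any '+tag' suffix removed.

    Stripping the '+tag' is an assumed normalisation: a spammer harvesting
    addresses would still greet 'bob+news@' as 'bob'.
    """
    local = address.split("@", 1)[0]
    return local.split("+", 1)[0].lower()


def personalised_from_local_part(recipient: str, subject: str) -> bool:
    """True if the subject greets the recipient by the raw local part of their address."""
    name = local_part(recipient)
    if len(name) < 3:
        # Very short local parts produce too many accidental matches.
        return False
    pattern = r"\bdear\s+" + re.escape(name) + r"\b"
    return re.search(pattern, subject, re.IGNORECASE) is not None


def score_message(recipient: str, subject: str) -> int:
    """Add one point per matching heuristic; a legitimate greeting alone scores 1."""
    score = 0
    if personalised_from_local_part(recipient, subject):
        score += 1
    if PERCENT_OFF.search(subject):
        score += 1
    return score


def flag_suspects(messages, threshold: int = 2):
    """Return the (recipient, subject) pairs whose score reaches the threshold."""
    return [(r, s) for r, s in messages if score_message(r, s) >= threshold]


if __name__ == "__main__":
    for recipient, subject in flag_suspects(SAMPLE_MESSAGES):
        print(f"suspect: {recipient!r} -> {subject!r}")
```

The threshold of two keeps a real invoice greeting (“Dear Carol”) below the line; the greeting-by-local-part signal is only damning in combination with the discount bait, which is why the two are scored separately rather than treated as one rule.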
In its spam report for Q4 2010, Commtouch noted that there were only 142 billion spam and phishing messages per day, compared to 198 billion per day in the third quarter of last year.
The three most popular spam topics were pharma ads (42 per cent), followed by replica watches (10.8 per cent) and penis enhancers (9.2 per cent).
India was the top zombie producer (17 per cent), followed by Russia (11 per cent) and Brazil (8 per cent).