Spam perseveres, despite Rustock takedown

While the recent takedown of notorious spam botnet Rustock did diminish spam levels, new spam tactics have quickly emerged to flood in-boxes with more dangerous messages

Global spam dropped by one-third immediately after the Rustock Botnet was dismantled in mid March, according to the March edition of the Symantec MessageLabs Intelligence monthly report.

The output fell "dramatically and almost instantaneously," the reports said, suggesting that the botnet was no longer sending any spam and that it had either been taken down or had entered a self-imposed exile, as it did in December 2010.

See also: Rustock death still suppressing world spam levels

Reviewing the data in the days that followed, MessageLabs Intelligence identified that global spam volumes dropped by 33.6 percent between March 15 and 17, comprising a sharp drop of 24.7 percent in global spam volumes between March 15 and 16, and a subsequent drop of 11.9 percent between March 16 and 17.

MessageLabs says it remains to be seen whether those behind Rustock will be able to recover from the coordinated effort against what has become one of the most technically sophisticated botnets in recent years. But since March 26th the amount of data traffic hitting MessageLabs spam traps has increased despite a decline in the number of spam emails, the company says. A new MessageLabs Intelligence blog post states that this is due to the Cutwail botnet, which has been sending more spam emails with zip file attachments. These attachments allow the average size of each email to be larger, and can infect a users machine with Bredolab malware, according to MessageLabs Intelligence.

Meanwhile, Commtouch reports in its quarterly Internet Trends Report that malware sent via email increased by 400 percent in the last week of March. "Botnet takedowns will almost always result in significant attempts at rebuilding, to allow criminal operations to continue," Asaf Greiner, Commtouch vice president of products, said in a statement.

From January to mid-March spam averaged 168 billion emails per day until Rustock was eliminated, Commtouch says, dropping spam to an average of nearly 119 billion messages daily. Zombie activity also dropped significantly after Rustock was taken down,"but large increases of enslaved computers became evident following the malware outbreak at the end of the quarter," according to the Commtouch report.

And Fortinet reports that spam rates continue to remain lower than average following the Rustock takedown. While rates remain low, Fortinet says, the number of spamming machines has not taken a large drop. Most spamming IP addresses the company observed were geolocated to machines in the U.S., India and Brazil.

"Oftentimes machines are infected with multiple viruses or botnets that can continue to send spam and siphon data, despite one threat being mitigated," says Derek Manky, senior security strategist at Fortinet.

Copyright © 2011 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.