X-Labs
March 22, 2011

Rustock - 7 days later

Forcepoint

RIP Rustock botnet! Today marks exactly one week since Rustock, one of the largest spam-generating botnets, was taken down by the Microsoft Digital Crimes Unit and US federal law enforcement agents.

Rustock had, by approximate count, more than 250,000 bots, and until last Wednesday it was one of the biggest known bot networks. The bot's author implemented certain stealth techniques to hide his invention as deep as possible in victims' Windows systems and to make it undetectable by various AV engines. One of these techniques was to send no spam emails for a certain amount of time after infection took place.

Rustock was not the first botnet to be taken down. The same fate befell ex-botnets like Srizbi in 2008 and Waledac in 2010. In this particular case, several third parties whose businesses the botnet was affecting worked with Microsoft to take it down. Typical Rustock spam emails advertised fake pharmaceutical products.

The graph below shows a steep drop in connections to one of the Websense servers on Wednesday the 16th and in the following days, coinciding with Microsoft's annihilation of the botnet a week ago.

 

At the same time, Microsoft applied proactive measures to prevent the re-registration of domains for C&C. The corporation is working in cooperation with CN-CERT to block the registration of domains in China that it thinks could be generated by Rustock.

As history shows, Rustock is not the first botnet to be taken down and won't be the last. Websense Security Labs continues to monitor the global spam situation and to provide the best protection for our customers.
