It has now been a little over two months since Microsoft and some others shut down the Rustock botnet. Since then, Rustock has sent us only a trickle of spam and has not resurrected in its previous form. The question I now ask is whether other botnets have stepped in to fill the gap.
I have disputed claims I have seen elsewhere that the bigger, better-known botnets have filled Rustock’s shoes. Cutwail, Grum, Lethic and Maazben are all spamming up a storm, but they always have been. They are the most prevalent now that Rustock is gone, but they have not filled the gap that Rustock left.
I say this because their behavior was never the same as Rustock’s, which sent a lot of mail from a lot of different IPs and was heavily concentrated in the United States (that is, the IPs sending the spam were located in the United States).
I hadn’t been paying close enough attention, because in the past couple of days some new bots have arisen. My botnet tracking is still manual in that I track individual stats for a few botnets; when I notice that a new bot has appeared, I manually add it to the ones I track individually. On Friday, I noticed a few new bots that were sending us spam in noticeable volume (the country in parentheses is where most of the bot’s IPs are located):
- s_artro (US)
- s_gbot (US)
- s_gozi (US)
- s_ponmocup (US)
- s_ramnit (UK)
- s_spyeye (US)
- s_tdss (US)
- s_zeus (UK)
If I check out my limited statistics on them, all of them are heavily concentrated in either the United States or other English-speaking countries (UK, Canada, Australia).
What about Rustock’s other distinctive trait, sending only a small number of messages per email envelope? Based upon my frustratingly small data set, here is what the above botnets look like in terms of the average number of messages (recipients) per envelope (email):
- s_artro – 1.33
- s_gbot – 1.08
- s_gozi – 1.07
- s_ponmocup – 1.04
- s_ramnit – 1.10
- s_spyeye – 1.35
- s_tdss – 1.18
- s_zeus – 1.28
What was Rustock’s in the time before it went down? 1.09. Well, well, well. This is beginning to look suspicious.
But maybe there are other botnets morphing themselves. Is that what is happening? I went and looked at the other botnets that had similar msg/envelope ratios, and of those, none are sending us mail in any sort of volume anymore.
Except for one: Darkmailer.
Darkmailer looks a lot like Rustock – it has a very low msg/envelope count, and most of its IPs are concentrated in the United States (France is number two). However, when Rustock went down, Darkmailer never stopped spamming us. It was unaffected by the botnet shutdown.
That leads me to the following:
- Since Rustock was shut down, it has stayed shut down.
- Several newer, smaller botnets have appeared since Rustock was shut down.
- The IPs they send from are concentrated mostly in the United States, as Rustock’s were before it was shut down.
- Each of these IPs sends only a low volume of spam.
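The two traits used above, average recipients per envelope and the geographic concentration of sending IPs, are easy to compute from spam-filter telemetry once each envelope is tagged with a botnet signature. The following is an added example of mine, not code from the original post or from its author's tracking system. It assumes a hypothetical log format with `bot=`, `ip=`, `cc=` and `rcpts=` fields, constructed sample lines (the `s_bulk` and `s_tiny` labels are invented, not real botnet signatures), and threshold values that are my own assumptions, not figures from the post.

```python
"""Profile botnets by the two traits discussed in the post:
messages (recipients) per envelope and concentration of sending IPs by country.
All data below is constructed; the log format and thresholds are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample log: one line per envelope, tagged with the signature the
# filter assigned. 's_bulk' and 's_tiny' are invented labels for illustration.
SAMPLE_LOG = """\
2011-05-20T10:01:02Z bot=s_gozi ip=198.51.100.7 cc=US rcpts=1
2011-05-20T10:01:03Z bot=s_gozi ip=198.51.100.8 cc=US rcpts=1
2011-05-20T10:01:04Z bot=s_gozi ip=198.51.100.9 cc=US rcpts=2
2011-05-20T10:01:05Z bot=s_gozi ip=203.0.113.4 cc=CA rcpts=1
2011-05-20T10:01:06Z bot=s_gozi ip=198.51.100.7 cc=US rcpts=1
2011-05-20T10:01:07Z bot=s_gozi ip=198.51.100.8 cc=US rcpts=1
2011-05-20T10:02:01Z bot=s_bulk ip=192.0.2.10 cc=BR rcpts=40
2011-05-20T10:02:02Z bot=s_bulk ip=192.0.2.11 cc=IN rcpts=35
2011-05-20T10:02:03Z bot=s_bulk ip=192.0.2.12 cc=VN rcpts=50
2011-05-20T10:02:04Z bot=s_bulk ip=192.0.2.10 cc=BR rcpts=25
2011-05-20T10:02:05Z bot=s_bulk ip=192.0.2.13 cc=RU rcpts=30
2011-05-20T10:03:01Z bot=s_tiny ip=203.0.113.9 cc=US rcpts=1
2011-05-20T10:03:02Z bot=s_tiny ip=203.0.113.9 cc=US rcpts=1
2011-05-20T10:04:01Z ip=192.0.2.99 cc=DE rcpts=3
"""

# Assumed field layout; untagged lines (no bot= field) are ignored.
LINE_RE = re.compile(
    r"bot=(?P<bot>\S+) ip=(?P<ip>\S+) cc=(?P<cc>[A-Z]{2}) rcpts=(?P<rcpts>\d+)")


def parse_log(text):
    """Return (bot, ip, country, recipients) tuples for every tagged envelope."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # envelope not attributed to any botnet signature
        records.append((m["bot"], m["ip"], m["cc"], int(m["rcpts"])))
    return records


def botnet_profiles(records):
    """Per botnet: envelope count, avg recipients per envelope, distinct IPs,
    and the country holding the largest share of those IPs."""
    envelopes = Counter()
    recipients = Counter()
    ip_country = defaultdict(dict)  # bot -> {ip: country}
    for bot, ip, cc, rcpts in records:
        envelopes[bot] += 1
        recipients[bot] += rcpts
        ip_country[bot][ip] = cc
    profiles = {}
    for bot, n_env in envelopes.items():
        by_country = Counter(ip_country[bot].values())  # counts distinct IPs
        top_cc, top_n = by_country.most_common(1)[0]
        profiles[bot] = {
            "envelopes": n_env,
            "msgs_per_envelope": round(recipients[bot] / n_env, 2),
            "distinct_ips": len(ip_country[bot]),
            "top_country": top_cc,
            "top_country_share": round(top_n / len(ip_country[bot]), 2),
        }
    return profiles


def rustock_like(profile, max_ratio=1.4, min_share=0.6, min_envelopes=5):
    """Flag a profile that matches the post's Rustock fingerprint: few
    recipients per envelope and IPs concentrated in one country.
    Thresholds are assumptions; min_envelopes guards against the
    small-sample problem the post itself complains about."""
    return (profile["envelopes"] >= min_envelopes
            and profile["msgs_per_envelope"] <= max_ratio
            and profile["top_country_share"] >= min_share)


if __name__ == "__main__":
    for bot, p in sorted(botnet_profiles(parse_log(SAMPLE_LOG)).items()):
        flag = "RUSTOCK-LIKE" if rustock_like(p) else "-"
        print(f"{bot:10} env={p['envelopes']:3} msg/env={p['msgs_per_envelope']:5} "
              f"ips={p['distinct_ips']:2} top={p['top_country']} "
              f"({p['top_country_share']:.0%}) {flag}")
```

Country share is computed over distinct IPs rather than over envelopes, since the post's observation is about where the sending machines are, not how much each one sends; a single chatty IP would otherwise dominate the figure.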
Based upon these observations, I think that Rustock has split itself into a series of smaller bots and reincarnated as all of these s_* bots (except s_zeus and s_spyeye).
This is still early, but based upon what I know of botnet operators, my guess is that Rustock is back but under a new name and has broken itself into smaller parts to be less detectable.