Rustock Revisited
March 5, 2009
Anyone looking at our spambot data will notice that Rustock is back among the spamming botnet leaders, despite being hampered for a time following the McColo takedown last November. Since then it has been a roller coaster ride for Rustock, but it is now gaining momentum: Rustock is currently responsible for 35% of the spam received in our spam traps. Given its prominence, we thought it would be timely to revisit this beast and highlight some of its characteristics.

Figure 1: Spambot percentage breakdown as of March 5, 2009.
A couple of weeks after the McColo takedown, the Rustock botnet came back and started contacting its control server at a different host. Rustock bots have command and control (C&C) domain names, not IP addresses, hardcoded in the malware body, so the operators can move the control server simply by changing what those domains resolve to. C&C domains we have observed include:

- onlinescannow.com
- protectionforless.com
- guardandprotector.com
- piecefordesktop.com
- lekatariba.info
- ekbad.me
- mordva2009aa.info
- belarus2014in.com
- moscow1766bc.me
Because the malware hides itself so well, the most obvious symptom of a Rustock-infected computer is often the volume of outbound SMTP (TCP port 25) traffic. Tools such as GMER, TCPView and Wireshark reveal Rustock's activity in more detail. Here are some illustrations:
1. Rustock injects its code into the services.exe process. Using TCPView, we can see services.exe making a suspicious HTTP connection.
2. Rustock also employs complex rootkit capability. GMER exposes the rootkit driver dropped by this malware. The filename is usually eight random characters with a .SYS extension.
3. A packet capture also shows a suspicious HTTP POST request to the control server.
Figure 6: Requesting to login to a control server
Figure 7: Retrieving data from a control server
Figure 8: Viewing the HTML source code of the message body reveals a link pointing to a website on a Chinese domain.
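The indicators above (the listed C&C domains, services.exe making HTTP connections, a burst of outbound port-25 connections, and a randomly named eight-character .SYS driver) can be turned into a small triage script. The following is an added example, not code from M86 Security: the connection records, DNS log lines and driver list are constructed to resemble TCPView/netstat output, a DNS query log and GMER's module listing, and the port-25 threshold of 50 connections per host is an assumed value.

```python
"""Triage of the Rustock symptoms listed above over constructed sample data.

Added example, not code from M86 Security. The connection records,
DNS log lines and driver list below are constructed to resemble
TCPView/netstat, a DNS query log and GMER's module listing.
"""
import re
from collections import Counter

# C&C domains listed in the post, treated as indicators of compromise.
RUSTOCK_CC_DOMAINS = {
    "onlinescannow.com", "protectionforless.com", "guardandprotector.com",
    "piecefordesktop.com", "lekatariba.info", "ekbad.me",
    "mordva2009aa.info", "belarus2014in.com", "moscow1766bc.me",
}

# The post names services.exe as the injection target; extend as needed.
SYSTEM_PROCESSES = {"services.exe"}

# Dropped rootkit driver: eight random characters plus ".sys".
RANDOM_SYS_RE = re.compile(r"^[a-z0-9]{8}\.sys$", re.IGNORECASE)

# Assumed threshold: outbound port-25 connections per host before flagging.
SMTP_THRESHOLD = 50

# Constructed records: (process, local_ip, remote_ip, remote_port, state).
SAMPLE_CONNECTIONS = (
    [("services.exe", "10.0.0.5", "203.0.113.10", 80, "ESTABLISHED"),
     ("firefox.exe", "10.0.0.5", "198.51.100.7", 80, "ESTABLISHED"),
     ("outlook.exe", "10.0.0.9", "198.51.100.20", 25, "ESTABLISHED")]
    # a burst of SMTP connections from the infected host
    + [("services.exe", "10.0.0.5", f"192.0.2.{i}", 25, "SYN_SENT")
       for i in range(1, 81)]
)

# Constructed DNS query log: "<client> query <type> <name>".
SAMPLE_DNS_LOG = [
    "10.0.0.5 query A onlinescannow.com",
    "10.0.0.9 query A www.example.com",
    "10.0.0.5 query A ekbad.me",
]

# Loaded drivers as a tool like GMER would list them; classpnp.sys is a
# legitimate eight-character name, so the regex alone is not enough.
SAMPLE_DRIVERS = ["ntfs.sys", "classpnp.sys", "k3d1n0ms.sys", "tcpip.sys"]
GMER_HIDDEN = ["k3d1n0ms.sys"]  # constructed: modules GMER reported as hidden


def system_process_http(conns):
    """(process, remote_ip) pairs where a core system process talks HTTP(S)."""
    return sorted({(proc, rip) for proc, _lip, rip, rport, _st in conns
                   if proc.lower() in SYSTEM_PROCESSES and rport in (80, 443)})


def smtp_hot_hosts(conns, threshold=SMTP_THRESHOLD):
    """{local_ip: count} for hosts with at least `threshold` outbound port-25 connections."""
    counts = Counter(lip for _p, lip, _rip, rport, _st in conns if rport == 25)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def cc_lookups(dns_lines):
    """(client_ip, domain) pairs where a known Rustock C&C domain was queried."""
    hits = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "query":
            client, name = parts[0], parts[3].lower().rstrip(".")
            if name in RUSTOCK_CC_DOMAINS:
                hits.append((client, name))
    return hits


def suspicious_drivers(names, hidden=None):
    """Driver names matching the random eight-character pattern, optionally
    restricted to those a rootkit detector reported as hidden (cuts false positives)."""
    candidates = [n for n in names if RANDOM_SYS_RE.match(n)]
    if hidden is not None:
        hidden_set = {h.lower() for h in hidden}
        candidates = [n for n in candidates if n.lower() in hidden_set]
    return candidates


def triage(conns, dns_lines, drivers, hidden=None):
    """Combine the four checks into one report dict."""
    return {
        "system_process_http": system_process_http(conns),
        "smtp_hot_hosts": smtp_hot_hosts(conns),
        "cc_lookups": cc_lookups(dns_lines),
        "suspicious_drivers": suspicious_drivers(drivers, hidden),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_CONNECTIONS, SAMPLE_DNS_LOG,
                                SAMPLE_DRIVERS, GMER_HIDDEN).items():
        print(f"{check}: {result}")
```

Two caveats matter in practice. The eight-character filename pattern on its own also matches legitimate drivers (the constructed list includes classpnp.sys to show this), so the script only treats it as a hit when the same module was also reported hidden by the rootkit detector. The port-25 threshold likewise needs tuning per network: a mail server will legitimately exceed it, while a desktop opening dozens of SMTP connections within minutes is the symptom the post describes.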
Last Reviewed: March 6, 2009 by Rodel Mendrez
© 2010 M86 Security. All Rights Reserved.