This week, over 50% of the spam in our traps is attributed to a single botnet, and the honor belongs to none other than Rustock. Those of you who regularly check our spambot statistics will already have seen that Rustock has regularly been at the top of our charts, earning its crown as the spammiest botnet since the McColo takedown. Dominant as it is, Rustock began spamming even more furiously last week and is now responsible for over half of our spam volume.
One of the most active domain names that Rustock has used recently is go-thailand-now[.]com. Its WHOIS information is shown below:
Domain name: go-thailand-now[.]com
Registrar: Regtime Ltd.
Creation date: 2009-12-14
Expiration date: 2010-12-14
Status: active
Registrant:
Varshavskaya Mariya
Email: varshava7@bigmir.net
Organization: Thailand Travel PRO
Address: ul. Elninskaya dom 14, korp 1, kv 10
City: Moscow
State: Moscow
ZIP: 121467
Country: RU
Phone: +7.9037290311
Fax: +7.9037290311
The IP addresses that this domain points to change often, in a fast-flux fashion. We have seen the following different IP addresses associated with the domain:
- 95.204.210.199
- 96.0.203.90
- 173.212.243.114
- 173.83.26.34
- 204.12.243.210
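The fast-flux behaviour described above can be picked out of passive DNS or resolver logs by counting how many distinct addresses, and how many distinct network prefixes, a single name resolves to within a short window. The script below is an added example and not code from the original post or from any vendor tool. The observations are constructed: the five addresses are the ones listed above for go-thailand-now[.]com, the timestamps and the benign control domain (an RFC 5737 address) are made up, and the thresholds are assumptions to be tuned against your own data.

```python
"""Fast-flux indicator over DNS resolution observations (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed observations: (timestamp, queried name, resolved address).
# The five go-thailand-now.com addresses are the ones the post lists; the
# timestamps are invented, and 192.0.2.10 is a documentation address used as
# a single-IP control domain.
OBSERVATIONS = [
    ("2010-01-10T08:00:00", "go-thailand-now.com", "95.204.210.199"),
    ("2010-01-10T08:10:00", "go-thailand-now.com", "96.0.203.90"),
    ("2010-01-10T08:25:00", "go-thailand-now.com", "173.212.243.114"),
    ("2010-01-10T08:40:00", "go-thailand-now.com", "173.83.26.34"),
    ("2010-01-10T09:00:00", "go-thailand-now.com", "204.12.243.210"),
    ("2010-01-10T08:00:00", "example.org", "192.0.2.10"),
    ("2010-01-10T09:00:00", "example.org", "192.0.2.10"),
]


def fast_flux_report(observations, window=timedelta(hours=2),
                     min_distinct_ips=4, min_distinct_prefixes=3):
    """Return, per domain, the widest spread of addresses seen inside any
    time window and whether it crosses the (assumed) fast-flux thresholds.

    Counting /16 prefixes as well as raw addresses separates a name that
    hops between unrelated networks from a legitimate round-robin pool that
    stays inside one provider's range."""
    by_domain = defaultdict(list)
    for ts, domain, ip in observations:
        by_domain[domain].append((datetime.fromisoformat(ts), ip_address(ip)))

    report = {}
    for domain, records in by_domain.items():
        records.sort()
        best_ips, best_prefixes = set(), set()
        # Slide a window over the time-ordered records; keep the widest spread.
        for i, (start, _) in enumerate(records):
            ips = {ip for t, ip in records[i:] if t - start <= window}
            prefixes = {ip_network(f"{ip}/16", strict=False) for ip in ips}
            if len(ips) > len(best_ips):
                best_ips, best_prefixes = ips, prefixes
        report[domain] = {
            "distinct_ips": len(best_ips),
            "distinct_prefixes": len(best_prefixes),
            "fast_flux": (len(best_ips) >= min_distinct_ips
                          and len(best_prefixes) >= min_distinct_prefixes),
        }
    return report


if __name__ == "__main__":
    for domain, result in fast_flux_report(OBSERVATIONS).items():
        print(domain, result)
```

On the constructed input the spam domain shows five addresses in five different /16 prefixes within one hour and is flagged, while the control domain is not. Low TTLs are the other classic fast-flux signal; the function takes only resolution records, so a TTL check would be a separate column in the same report.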
We last examined Rustock almost a year ago. While little has changed since then, we have observed some changes to the C&C communication. Shown below are packet captures from a year ago, which are simple and easy to read from the researcher's perspective.
Figure 2
Below, we have a newer packet capture from the latest Rustock bot. This packet shows how the bot currently communicates with its control server when requesting commands and spam templates. As you can see, the commands are a bit more complex in nature than previously.
Figure 3
The new Rustock bot sends the typical POST request. However, to make it look legitimate, it randomly requests different PHP pages from its control server. The control server in return sends encrypted data containing the spam templates.
The torrent of spam from Rustock is usually very uniform, and recently has all been promoting Canadian Pharmacy. Here are a few of the new Rustock spam template traits we have observed:
Figure 4
Figure 5
Figures 4 and 5. Rustock spam usually comes as an HTML-only message that contains a clickable link pointing to a Canadian pharmacy website.
Figure 6. As of this writing, the images are hosted at Radikal.ru
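The traits just listed (an HTML-only body, a single clickable link, remotely hosted images) are easy to check at the mail gateway with the standard library. The script below is an added example and not the original post's code. Both messages are constructed samples: the link domain is the one named earlier in this post, while the image host and the watchlist of domains are assumptions.

```python
"""Heuristic triage of HTML-only spam with an outbound link (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed watchlist: domains already tied to the campaign.
WATCHLIST = {"go-thailand-now.com"}

# Constructed sample in the shape the post describes: no text/plain part,
# one image wrapped in a link. The image host is a placeholder.
HTML_ONLY_MSG = """\
From: sender@example.net
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://go-thailand-now.com/"><img src="http://img.example.invalid/ad.png"></a>
</body></html>
"""

# Constructed benign message: text/plain alternative present, link to a
# domain that is not on the watchlist.
MULTIPART_MSG = """\
From: friend@example.net
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, see https://example.org/notes for the notes.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>Hello, see <a href="https://example.org/notes">the notes</a>.</body></html>
--b1--
"""


def triage(raw):
    """Parse one RFC 5322 message and report the HTML-only spam traits."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Leaf parts only; a multipart/alternative with text/plain is not HTML-only.
    leaf_types = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    html_only = leaf_types == ["text/html"]
    html = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/html")
    link_domains = {urlparse(u).hostname
                    for u in re.findall(r'href="([^"]+)"', html)}
    image_hosts = {urlparse(u).hostname
                   for u in re.findall(r'<img[^>]*src="([^"]+)"', html)}
    # Visible text after stripping tags; image-only spam leaves almost none.
    visible_text = re.sub(r"<[^>]+>", "", html).strip()
    return {
        "html_only": html_only,
        "link_domains": link_domains,
        "image_hosts": image_hosts,
        "text_length": len(visible_text),
        "suspicious": html_only and bool(link_domains & WATCHLIST),
    }


if __name__ == "__main__":
    print(triage(HTML_ONLY_MSG))
    print(triage(MULTIPART_MSG))
```

The `html_only` and `text_length` fields are campaign-agnostic and make a useful scoring input on their own; the watchlist match is what turns the heuristic into a block decision, so it should be fed from the fast-flux domain list rather than hard-coded.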
Perhaps one of the reasons why Rustock continues to dominate is its stealthiness. The advanced rootkit capability of its binary makes the bot difficult to detect and remove from an infected machine. Additionally, Rustock uses DNS fast-fluxing across multiple networks and bulletproof C&C servers, making it harder for security researchers to deal with. This stealthiness, and the sheer volume of its spam output, indicates that we all need to give Rustock a great deal more attention.