The Rustock botnet has been busy lately. In addition to its ‘normal’ spam campaigns, it has also been pumping out malicious spam with outrageous headlines for three weeks now. To give you an idea, here is a small sample of those subject lines:
Here is a recent sample message from our spam traps:
In this case the URL points to an HTML page called ‘viewmove.html’ hosted on a legitimate site. Currently, this page name is changing almost daily; we have also seen ‘r.html’, ‘about.html’, ‘start.html’ and ‘stream.html’ being used.
Clicking on the link opens the page, which shows a fake video attempting to load, and a popup window asking the user to install ‘codecinst.exe’.
In addition, the page ‘viewmovie.html’ contains an iframe that loads a ‘00.html’ page containing encrypted JavaScript which, when decrypted, attempts an Internet Explorer exploit to install the same downloader file silently in the background.
Downloading and running this executable will install a downloader that fetches a fake Windows XP program, and also, in the background, the Rustock spambot itself.
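As an added illustration (not code from the original post or from Marshal), here is a small Python triage script that applies the traits described above: it pulls URLs out of a message and flags those whose file name matches the landing-page names listed in the post, and checks a fetched landing page for the hidden iframe to ‘00.html’ and the ‘codecinst.exe’ prompt. The sample message and page are constructed, and the host names are placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Landing-page file names the post reports (both spellings as they appear there);
# the campaign rotates these almost daily, so the set is a starting point only.
LANDING_PAGES = {"viewmove.html", "viewmovie.html", "r.html", "about.html",
                 "start.html", "stream.html"}
IFRAME_PAGE = "00.html"       # page pulled in by the hidden iframe
DROPPER = "codecinst.exe"     # file the fake-codec popup asks the user to install
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def _basename(url):
    """Last path component of a URL, lower-cased, for name matching."""
    return urlparse(url).path.rsplit("/", 1)[-1].lower()

def suspicious_links(raw_message):
    """URLs in a raw RFC 822 message whose path ends in a known landing-page name."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        hits.extend(u for u in URL_RE.findall(body) if _basename(u) in LANDING_PAGES)
    return hits

def landing_page_indicators(html):
    """Flag the two page-level traits the post describes: an iframe pulling in
    00.html and a prompt naming the codec installer."""
    return {
        "iframe_to_00": any(_basename(s) == IFRAME_PAGE
                            for s in IFRAME_SRC_RE.findall(html)),
        "codec_prompt": DROPPER in html.lower(),
    }

# Constructed sample input (not a real capture): a plain-text lure and its landing page.
SAMPLE_MAIL = (
    "From: news@example.invalid\n"
    "Subject: (constructed sensational headline)\n"
    "Content-Type: text/plain; charset=us-ascii\n\n"
    "Watch it here: http://compromised-site.example/news/viewmovie.html\n"
)
SAMPLE_PAGE = (
    '<html><body><div id="player">Loading video...</div>'
    '<script>alert("Install codecinst.exe to play this clip");</script>'
    '<iframe src="00.html" width="1" height="1"></iframe></body></html>'
)
```

Running `suspicious_links(SAMPLE_MAIL)` returns the single lure URL, and `landing_page_indicators(SAMPLE_PAGE)` reports both traits present; a page with neither the iframe nor the installer name reports both as absent.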
This is a serious malicious spam campaign from the Rustock crowd that is gaining in volume and intensity. We would expect spam from this botnet to expand as a result. In fact, if we look at last week's spambot data here, we observe an uptick in spam from Rustock.
MailMarshal customers are protected from this campaign with SpamCensor 256.