Anyone looking at our spambot data will notice that Rustock is back among the spamming botnet leaders, despite being hampered for a time following the McColo takedown last November. Since then it has been a roller-coaster ride for Rustock, but it is now gaining momentum: Rustock spamming activity is currently responsible for 35% of the spam received in our spam traps. Given its prominence, we thought it would be timely to revisit this beast and highlight some of its characteristics.

Figure 1: Spambot percentage breakdown as of March 5, 2009.
Figure 2: The red line in the graph represents Rustock's "roller-coaster" spamming activity.
A couple of weeks after the McColo takedown, the Rustock botnet came back and started contacting its control server at a different host. Rustock bots have Command and Control (C&C) domain names, rather than IP addresses, hardcoded in the malware body, so the malware authors can move the control host simply by repointing those domains.

Figure 3: Capture showing Rustock logging in to 91.212.45.10
Here are some domain names found in Rustock samples we have examined:
Because the malware is so stealthy, the most obvious symptom of a Rustock-infected computer is usually a high volume of SMTP (port 25) activity. Tools such as GMER, TCPView and Wireshark, however, reveal Rustock's activity in more detail. Here are some illustrations:
1. Rustock injects its code into the services.exe process. Using TCPView, we can see services.exe performing a suspicious HTTP connection.

Figure 4
2. Rustock also employs a complex rootkit. GMER exposes the rootkit driver dropped by this malware; the file name is usually eight random characters with a .SYS extension.

Figure 5
3. Capturing the network packets, you will also notice a suspicious POST request.

Figure 6: Requesting to login to a control server

Figure 7: Retrieving data from a control server
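As an added illustration (not code from the original post), the following Python triage script checks constructed data for the three symptoms described above: services.exe making HTTP connections, a process opening many SMTP connections, and a loaded driver whose name is eight random characters plus .sys. It assumes connection rows tabulated from TCPView or netstat in a simple CSV shape (process, remote IP, remote port, state) and a list of driver names as GMER would enumerate them; every sample value below is made up.

```python
import re
from collections import Counter

# Constructed sample of outbound connections (hypothetical addresses, not from the post):
# process,remote_ip,remote_port,state
SAMPLE_CONNECTIONS = """\
services.exe,198.51.100.7,80,ESTABLISHED
services.exe,203.0.113.5,25,SYN_SENT
services.exe,203.0.113.9,25,SYN_SENT
services.exe,203.0.113.14,25,ESTABLISHED
services.exe,203.0.113.22,25,SYN_SENT
outlook.exe,192.0.2.10,25,ESTABLISHED
svchost.exe,192.0.2.20,443,ESTABLISHED
"""

# Constructed list of loaded kernel drivers; kdjf83ha.sys is the made-up suspicious one.
SAMPLE_DRIVERS = ["ntfs.sys", "tcpip.sys", "kdjf83ha.sys", "mountmgr.sys", "afd.sys"]

# Eight alphanumeric characters followed by .sys, as the post describes the dropped driver.
RANDOM_SYS = re.compile(r"^[a-z0-9]{8}\.sys$", re.IGNORECASE)

# Legitimate Windows drivers also have eight-character names, so the regex alone is only a
# triage signal; pair it with an allowlist of known-good names (mountmgr.sys is a real one).
KNOWN_GOOD_DRIVERS = {"mountmgr.sys"}


def parse_connections(text):
    """Turn the CSV rows into (process, ip, port, state) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            proc, ip, port, state = line.split(",")
            rows.append((proc.lower(), ip, int(port), state))
    return rows


def find_indicators(text, drivers, smtp_threshold=3):
    """Return (kind, subject, detail) findings for the Rustock symptoms in the post."""
    rows = parse_connections(text)
    findings = []
    # Symptom 1: services.exe normally has no business talking HTTP to the internet.
    for proc, ip, port, _ in rows:
        if proc == "services.exe" and port in (80, 8080):
            findings.append(("services_http", proc, ip))
    # Symptom 0 (the obvious one): a single process fanning out many SMTP connections.
    for proc, count in Counter(p for p, _, port, _ in rows if port == 25).items():
        if count >= smtp_threshold:
            findings.append(("smtp_burst", proc, count))
    # Symptom 2: an eight-random-character .sys driver not on the allowlist.
    for name in drivers:
        if RANDOM_SYS.match(name) and name.lower() not in KNOWN_GOOD_DRIVERS:
            findings.append(("random_driver", name, None))
    return findings
```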
The spamming templates are dynamic and change often. Most of the time, however, the URL links in the message body use a particular Chinese-domain format and point to a "Canadian Pharmacy" website.

Figure 8: Viewing the HTML source of the message body reveals a link pointing to a website on a Chinese domain.
Rustock is one of the fastest spambots we have observed (~25,000 spam messages per hour per bot) and employs a complex rootkit that lets it stay hidden on the computer. It's perhaps no surprise that this botnet is taking the lead again amongst the major spammers.