Rustock Botnet Spam Surges

Written by Sue Walsh on March 31, 2010

A new surge in spam being pumped out by the Rustock botnet has been detected, and it’s got a new twist – it’s encrypted. The spam is using Transport Layer Security (TLS), the successor to Secure Sockets Layer that is commonly used to encrypt email connections. Up to 77% of Rustock’s resources are devoted to this new encrypted spam.

[Image: Compromised computers spew spam.]

“We set up a node in our Labs with TLS and confirmed that some Rustock botnets were indeed using TLS,” said Phil Hay, a spam expert at M86 Security. “Our statistics show that Rustock is still the leading source of spam output and this new use of TLS highlights an escalating level of sophistication. In essence this means that organizations can’t rely on enforcing TLS as a means for reducing spam. It does have an effect on system resources however, as all forms of encryption do,” said Hay.
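The practical consequence of Hay's observation is that an inbound TLS session says nothing about whether a message is spam, so a mail gateway should treat transport encryption as independent of its spam verdict. The following Python script is an added example, not code from the article or from M86 Security: it correlates Postfix-style smtpd log lines (TLS handshake, queue-id assignment, disconnect) with verdict lines from a hypothetical content filter and reports the spam share for TLS and plaintext sessions separately. The log lines, the `filter` program name and its `verdict=` format are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in Postfix style plus a hypothetical content-filter
# verdict line per queue id. These lines are invented for illustration.
SAMPLE_LOG = """\
Mar 31 10:01:01 mx postfix/smtpd[4011]: connect from unknown[203.0.113.10]
Mar 31 10:01:02 mx postfix/smtpd[4011]: Anonymous TLS connection established from unknown[203.0.113.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 31 10:01:03 mx postfix/smtpd[4011]: A1B2C3D4E5: client=unknown[203.0.113.10]
Mar 31 10:01:05 mx filter[5120]: A1B2C3D4E5: verdict=spam score=14.2
Mar 31 10:01:06 mx postfix/smtpd[4011]: disconnect from unknown[203.0.113.10]
Mar 31 10:02:10 mx postfix/smtpd[4012]: connect from mail.example.net[198.51.100.7]
Mar 31 10:02:11 mx postfix/smtpd[4012]: F6E5D4C3B2: client=mail.example.net[198.51.100.7]
Mar 31 10:02:12 mx filter[5120]: F6E5D4C3B2: verdict=ham score=-1.3
Mar 31 10:02:13 mx postfix/smtpd[4012]: disconnect from mail.example.net[198.51.100.7]
Mar 31 10:03:01 mx postfix/smtpd[4011]: connect from unknown[203.0.113.11]
Mar 31 10:03:02 mx postfix/smtpd[4011]: Anonymous TLS connection established from unknown[203.0.113.11]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 31 10:03:03 mx postfix/smtpd[4011]: 0A1B2C3D4E: client=unknown[203.0.113.11]
Mar 31 10:03:04 mx filter[5120]: 0A1B2C3D4E: verdict=spam score=11.8
Mar 31 10:03:05 mx postfix/smtpd[4011]: disconnect from unknown[203.0.113.11]
Mar 31 10:04:20 mx postfix/smtpd[4012]: connect from unknown[192.0.2.55]
Mar 31 10:04:21 mx postfix/smtpd[4012]: 9F8E7D6C5B: client=unknown[192.0.2.55]
Mar 31 10:04:22 mx filter[5120]: 9F8E7D6C5B: verdict=spam score=9.9
Mar 31 10:04:23 mx postfix/smtpd[4012]: disconnect from unknown[192.0.2.55]
Mar 31 10:05:30 mx postfix/smtpd[4013]: connect from relay.example.org[198.51.100.20]
Mar 31 10:05:31 mx postfix/smtpd[4013]: Anonymous TLS connection established from relay.example.org[198.51.100.20]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 31 10:05:32 mx postfix/smtpd[4013]: 5B4A392817: client=relay.example.org[198.51.100.20]
Mar 31 10:05:33 mx filter[5120]: 5B4A392817: verdict=ham score=0.4
Mar 31 10:05:34 mx postfix/smtpd[4013]: disconnect from relay.example.org[198.51.100.20]
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<prog>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Postfix queue ids are uppercase hex; the filter reuses them in its verdicts.
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{10}): (?P<rest>.*)$")


def parse_messages(log_text):
    """Return {queue_id: {"tls": bool, "verdict": str|None}}.

    TLS state is tracked per smtpd process id: the 'TLS connection
    established' line precedes the 'queueid: client=' line of the same
    session, and the flag is cleared when that session disconnects.
    """
    tls_by_pid = defaultdict(bool)
    messages = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m.group("prog"), m.group("pid"), m.group("msg")
        if prog == "postfix/smtpd":
            if "TLS connection established" in msg:
                tls_by_pid[pid] = True
            elif msg.startswith("disconnect from"):
                tls_by_pid[pid] = False
            else:
                q = QUEUE_RE.match(msg)
                if q and q.group("rest").startswith("client="):
                    messages[q.group("qid")] = {"tls": tls_by_pid[pid],
                                                "verdict": None}
        elif prog == "filter":  # hypothetical content-filter program name
            q = QUEUE_RE.match(msg)
            if q and q.group("qid") in messages:
                v = re.search(r"verdict=(\w+)", q.group("rest"))
                if v:
                    messages[q.group("qid")]["verdict"] = v.group(1)
    return messages


def spam_share_by_transport(messages):
    """Return {"tls": (spam, total), "plain": (spam, total)}."""
    counts = {"tls": [0, 0], "plain": [0, 0]}
    for info in messages.values():
        key = "tls" if info["tls"] else "plain"
        counts[key][1] += 1
        if info["verdict"] == "spam":
            counts[key][0] += 1
    return {k: tuple(v) for k, v in counts.items()}


if __name__ == "__main__":
    for transport, (spam, total) in spam_share_by_transport(
            parse_messages(SAMPLE_LOG)).items():
        print(f"{transport}: {spam}/{total} messages flagged as spam")
```

On the constructed sample the TLS sessions carry a higher spam share than the plaintext ones, which is the point of the exercise: a filtering policy keyed on "TLS = trusted" would have waved the Rustock-style traffic through. The script also shows the real cost of enforcing TLS that Hay mentions, in the sense that every one of those handshakes was paid for in gateway CPU without buying any filtering benefit.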

It’s not clear why the gang behind Rustock has decided to use encryption. It slows down message delivery and isn’t a guaranteed way to evade spam filters. Some experts think it’s meant to protect the botnet’s command and control layer. Rustock was knocked offline by the closing of McColo last year, and although it eventually bounced back, the downtime likely cost its herders a lot of money. They may be turning to encryption as a form of insurance against the botnet being shut down again.

Rustock is best known for its huge spam campaigns hawking Canadian Pharmacy, an internet pharmacy claiming to offer cheap drugs like Viagra, Cialis, Lipitor and other commonly prescribed medications.
