Spam Reduced by More than a Third Since Rustock Takedown; Bagle and Others Step In to Fill the VoidWritten by Malcolm James on April 6, 2011
It’s only been a couple of weeks since Microsoft (with the aid of the United States Marshall Service and a federal warrant) pulled the trigger on Operation b107, more commonly known as the takedown of the Rustock botnet. In the physical world (assuming the electricians did their job), when you flip a light switch, you expect the lights to turn off. In the cyber world, however, things aren’t always so certain, so it’s a pleasant surprise that several media outlets have reported that global spam has been reduced by more than a third in the days following the dismantling of Rustock.
In the week prior to the takedown of Rustock’s command and control servers, global spam levels were clocking in at around 52 billion spam emails a day. After March 17, when Operation b107 was carried out, spam emails dropped to about 33 billion a day, a decline of 19 billion, or more than 36 percent. The Rustock botnet – a major player in the spam world dating back to early 2006 – represented a headache for every system admin as it advertised unlicensed pharmaceutical websites and accounted for almost 14 billion spam emails each week. Existing reports don’t account for the disparity – about 5 billion spam emails a day that aren’t attributed to Rustock have also gone away – but obviously, no one’s going to split hairs when talking about such a huge victory in the war on spam.
So much for the good news. The bad news is that a multitude of other botnets have picked up the slack in an attempt at filling the gap that was left when Rustock came tumbling down. Computer Weekly reports that the Bagle botnet has taken the helm as the largest sender of spam in 2011, accounting for an average of 8.31 billion emails a day. Other botnets, like Cutwail and Festi, are also alive and well, and it remains to be seen whether the takedown of Rustock is permanent or just the eye of the storm in the endless waves of spam that invade our inboxes on a daily basis.
In the month of March, 83% of global spam was transmitted by botnets, up from 77% at the end of 2010, and over the course of 2010, botnets were responsible for an average of 88% of all spam globally. But only 10 botnets – Rustock included – account for a full 74% of all email spam. Since the majority of spam is consolidated into a manageable number like 9 (now that Rustock has been disabled) botnets, maybe there is hope that these nets can be taken down in an effective and orderly manner. While spam is by no means comprised entirely of botnets, taking down the huge chunk represented by those 9 nets would certainly reduce the spam to tolerable levels; and as system security improves and infected systems are cleaned, perhaps we will see a noticeable reduction in spam.
But taking down the botnets is not a simple undertaking, and the hard work is not done – not even close. In fact, it’s only just begun.
“[Rustock] is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day,” Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit, wrote in a blog post on March 17.
Microsoft continues to work with national CERTs (Computer Emergency Response Teams) to organize the clean up infected computers, which still contain Rustock’s malicious code.
In February, The Register reported a 654 percent increase last year in the number of unique infected PCs, with an average incremental growth of 8 percent over 2010. To make matters worse, hackers are making it incredibly easy for aspiring criminals to jump into the fray.
“In addition to the release of refurbished Zeus crimeware kit, other DIY kits available in underground forums are marketed under names such as Phoenix, Darkness, BlackEnergy, and Eleonore. The packages allow criminals to quickly build botnets without having to write the code from scratch,” The Register reported on February 16.
So with one in the win column due to the recent battle of Rustock, we’d like to know about your experiences: what are your thoughts on the ongoing war? Have you noticed a decrease in spam email since the takedown of Rustock? Have you observed a marked increase or decrease in infected computers over the past several months, or since 2010? Do you see a light at the end of the tunnel, or do you believe things are only going to get worse? Please weigh-in and leave a comment. We’d love to hear from you!