One week after the much publicized Rustock botnet command-and-control takedown, and the subsequent drop in spam volumes, SophosLabs can confirm Rustock has not come back from the dead. “Dawn of the Dead” analogies need not apply.
To illustrate this, the graph below displays weekly spam volumes going back to the start of February (the red line is the average volume prior to the takedown). Notice the lighter blue line, which highlights the spam volume in the week since the takedown:
With the specific messages tied to Rustock remaining flatlined:
For those wondering exactly what type of spam is no longer filling the pipes of networks worldwide, here are two recent examples of spam sent in the days prior to the takedown:
Clicking the links or images in these messages directs the recipient to one of a number of varying criminal “Pharmacy Express” website templates. The “Pharmacy Express” referred to here is not a legitimate online pharmacy, but a well-known criminal affiliate spamming operation.
We should all commend the efforts of those involved in this investigation and takedown, and hope that enough evidence has been gathered to eventually prosecute those responsible.
For more information on what motivates these spammers and the methods used to propagate this spam, download our technical paper.