
12:33 PM
Dark Reading
Products and Releases

Rustock Botnet: One Year Later

Spam volumes at lowest point in years

Berlin, March 14, 2012 – The Rustock botnet, which had been responsible for a large percentage of global pharmaceutical spam and primarily controlled bots in Western Europe and the USA, was shut down on March 16, 2011. As a result, spam levels decreased by over 60% within 24 hours. One year later, the Research Team at eleven, a leading German e-mail security provider, has analyzed the consequences of the Rustock takedown and summarized the most important ramifications.

Spam, malware, and phishing occurrence

Spam levels in February 2012 were 61.2% below the value from February 2011, thus putting them at approximately the same level as immediately after the Rustock shutdown. Spam volumes temporarily increased in the fourth quarter of 2011, but then collapsed again just as quickly. By contrast, the number of dangerous e-mails has increased significantly. Malware e-mails increased by 50.5% since February 2011 and virus outbreaks more than doubled (107.0%).

Phishing e-mails saw the largest jump, increasing by 145.0% between February 2011 and February 2012. (see image)

The five most important spam trends since Rustock

1. Change in spam topics

Rustock was the world’s main source of pharmaceutical spam. As a consequence, that type of spam lost its title as the most important spam topic to online casino ads. Since the beginning of 2012, the percentage of Viagra and related spam has again increased and there has been a lack of major casino spam waves. Pharmaceutical spam was back in first place by February 2012 with a 26.9% share of overall spam levels, followed by casino spam at 14.4%.

2. New spamming frontrunners

A change also occurred in the sources of spam e-mail. Prior to the Rustock takedown, the USA was the unchallenged leader in spamming. Other western industrial nations, including Germany, made up the top ten list of spammers. While their shares have appreciably decreased, emerging countries from Asia and Eastern Europe have surfaced and are dominating as the new leading spammers. India has come out as the frontrunner for several months (9.5% in February 2012).

3. Creation of new botnet infrastructures

Since early 2012, the eleven Research Team has been monitoring renewed shifts in spam sources and topics. First, pharmaceutical spam has reclaimed its position as the most important spam topic. Second, the United States – once the longtime world leader in spam – is back among the top spam senders: in February, the US came in third behind India and Russia with a 6.9% share.

Those figures represent a clear indication that a massive effort is currently underway to rebuild new botnet infrastructures as a means of replacing the ones lost by the shutdown of Rustock and other botnets in 2011. It still remains to be seen whether these are new botnets or the revival of old networks. (see image)

4. Phishing

The “winners” of the Rustock takedown are the phishers. Not only did they pick up their game in terms of quantity, but they considerably increased their quality as well: the most important trend is an increasing regionalization in which local companies are used as alleged senders and e-mails are written in each country’s local language. The goal is to considerably increase the number of e-mails that are opened. A further trend is greater thematic diversity; in addition to bank and credit card data, phishers today are focusing on access data to social networks as well as web hosting and e-mail accounts.

5. Cross-platform malware attacks

The first step in spamming via botnet is infecting as many computers as possible. eleven is currently seeing a rise in drive-by attacks in which seemingly harmless documents (e.g. PDFs) are attached to an e-mail. The file serves as a gate to the computer and attempts to locate security gaps in order to infiltrate the system through malware. Another method: links to infected websites. Infection occurs when a website is opened in a browser (drive-by download). The method affects standard programs and plugins for all operating systems.

eleven on Twitter: http://twitter.com/elevensecurity

eleven – E-mail security "Made in Germany"

eleven is a leading e-mail security provider based in Germany. Its unique eXpurgate technology offers a spam filter and e-mail categorization service that protects the user reliably against spam and phishing, detects potentially dangerous e-mail and can distinguish between individual messages and any kind of mass e-mail. eXpurgate also offers numerous virus protection options and a powerful e-mail firewall.

Over 45,000 companies of all sizes use eXpurgate to check and categorize more than a billion e-mail messages every day. Customers include Internet service providers and telecommunication carriers such as T-Online, O2, Vodafone and freenet as well as many well-known companies and public institutions, including Air Berlin, BMW, the Federal Association of German Banks, DATEV, the Free University of Berlin, Landesbank Berlin, RTL, ThyssenKrupp and Tobit Software AG. For more information, visit our website at:

