Symantec: Global spam mail down by a third

Removal of Rustock botnet results in world's spam mail falling by about 33 percent, according to Symantec. Meanwhile, Trend Micro also announces crippling of another botnet ring.
Written by Tyler Thia, Contributor

Global spam mail volumes have been reduced by about a third following the takedown of the Rustock botnet, reported Symantec. This number is expected to decrease further after Trend Micro announced it had crippled a Zeus botnet server, too.

Released Thursday, Symantec's monthly MessageLabs Intelligence report showed that spam volume fell by 33.6 percent between Mar. 15 and 17, following legal action by Microsoft and United States law enforcement agencies that brought down the command-and-control (C&C) machines running the botnet.

Rustock was previously responsible for sending approximately 44.1 billion e-mail messages a day and accounted for 47.5 percent of all spam mail by the end of 2010, the report noted.

"It remains to be seen whether the criminals behind Rustock will be able to recover from this coordinated effort against what has become one of the most technically sophisticated botnets in recent years," said MessageLabs Intelligence senior analyst Paul Wood.

"Rustock has been a significant part of the botnet and malware landscape since January 2006, much longer than many of its contemporaries."

Since the takedown, spam has gone down from 52 billion to 33 billion e-mail messages per day, the report stated.

However, other botnets have stepped up efforts to "take advantage of the gap", Symantec noted. Bagle, for instance, was sending 8.31 billion spam e-mails daily, mostly linking back to pharmaceutical products.

Zeus botnet stopped
Meanwhile, rival security firm Trend Micro announced in a blog post on Wednesday that it managed to hack into the C&C server of a Zeus botnet and eventually stopped its operations.

Trend Micro's senior threat researchers David Sancho and Rainer Link wrote in the blog post that the company had partnered with Web domain registrar CDmon, which the cybercriminals had used to buy the botnet's domain name, to gain control of the C&C server and "render it ineffective".

They also said that, through this operation, Trend Micro had gained "valuable" information on what cybercrooks are targeting.

For example, Web traffic details obtained from the server revealed that over 95 percent of inbound requests to the server came from South America, particularly from Mexico. This implied that the bot may have originated from Latin America or was created using the Spanish language, the researchers noted.

"Its creator may have decided to target banks in Mexico and Chile, as these [financial institutions] often still used single-factor authentication to secure their customers' accounts," the blog post stated.

The researchers noted in a separate report that the botnet had also targeted banks in Europe, South America and the U.S., as well as popular online service providers like PayPal, eBay, e-gold, Rupay, and Webmoney.ru.
