Bagle to succeed Rustock as spam king?

gallery

A botnet known as Bagle could replace the once dominant spam king Rustock, even though the recent takedown had a significant impact on junk mail levels.

Spam volumes dropped by 33.6 per cent between 15 and 17 March, according to MessageLabs Intelligence. The decrease came after Rustock was successfully taken out thanks to a collaborative effort led by Microsoft.

In the following days, spam accounted for around 33 billion emails a day, compared to an average of 52 billion in the previous week.

However, other botnets have upped their game, with Bagle usurping Rustock as the most active spamming botnet of 2011.

Bagle wasn’t even in the top 10 spam-sending botnets at the end of 2010, but is now pushing out around 8.31 billion emails a day – most of which have been linked to pharmaceutical products.

Rustock was a notorious pharmaceutical spammer as well.

Paul Wood, MessageLabs Intelligence senior analyst at Symantec.cloud, said Bagle has been more consistent in sending out spam than Rustock.

“What happened with Rustock was that every two to three days it would send out a massive burst of spam and then would go quiet,” he told IT PRO.

“The amount of spam now coming from Bagle is consistent every day. Even though it doesn’t have as many bots under its control as a botnet like Rustock, it’s actually able to send more spam because of that consistency.”

Rustock may not be gone for good either, according to Wood, as the botnet has some backup redundancy in its command and control channels.

Wood also indicated a “Son of Rustock” could emerge from the ashes of the apparently deceased botnet.

“We did see that when McColo was taken down, when there was a botnet called Srizbi, which accounted then for about 50 per cent of all spam,” Wood added.

“[After the McColo takedown] it was a matter of months before spam levels returned to previous volumes. We were then seeing other botnets picking up the slack. That might be what we’re seeing with Bagle because there is demand there from spammers and affiliates, particularly they want to be able to send this stuff anonymously.”

IT PRO recently spoke to FireEye senior security researcher Alex Lanstein, who worked with Microsoft on the Rustock takedown.

He suggested the perpetrators may give up on Rustock given the amount of money they would have made from the operation and the fact they face being hunted by law enforcement bodies.

Email to a friend

Print this page