Too early to say if Rustock botnet cutoff is a success

18 Mar 2011

There has been no discernable reduction in the amount of spam flooding inboxes since Microsoft and the FBI tackled the hosting firms behind the massive Rustock botnet on Wednesday, security analysts say.

Microsoft executives say they’ve dealt an enormous blow to the botnet through their raids that took place on Wednesday. Microsoft’s digital crime unit, accompanied by US federal marshals, struck at internet hosting facilities and data centres in Denver, Colorado; Dallas, Texas; Chicago, Illinois; Seattle, Washington; Ohio and Kansas.

A graph produced by security firm Commtouch indicates there has been no dramatic drop in the average spam level since the action. For the optimists, though, there is some evidence that the botnet was stopped mid-attack.

No dramatic drop in spam traffic

There is no dramatic drop in the average spam level on Wednesday or Thursday this week. Compare the graph (below) with the takedown of the McColo botnet, which resulted in a dramatic drop in spam traffic.

A lone “spike” on Wednesday might be of interest – one report describes the Rustock botnet being “cut off in mid attack”.

According to Commtouch, if Rustock has indeed been taken down, there are several possible explanations for the generally stable spam levels. One theory is that botnet operators are shifting towards larger numbers of smaller botnets.

This provides them with multiple alternatives, should a particular botnet be brought down.

[Figure: Spam levels post-Rustock]

[Figure: Spam levels post-McColo]

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years