17 Mar 2011
The notorious Rustock botnet, which at one point was responsible for sending out more than half of the world's spam, has completely dried up and its control servers have stopped responding, according to security experts.
At around 3pm GMT on Wednesday the botnet shut down and has been quiet ever since, security expert Brian Krebs first revealed on his blog.
"For years, Rustock has been the most prolific purveyor of spam – mainly junk messages touting online pharmacies and male enhancement pills," he wrote.
"But late Wednesday morning Eastern Time, dozens of internet servers used to coordinate these spam campaigns ceased operating, apparently almost simultaneously."
However, in recent months the botnet's output has waned and been overtaken by other bots such as Bagle, meaning overall spam levels are unlikely to be seriously dented as a result.
"What I would expect is that the normal daily spike in activity is likely to be less today without Rustock to drive it, and for spam traffic to be more consistent throughout the day," said Symantec.cloud malware data analyst Mat Nisbet in a blog post.
"Will this takedown or closure be permanent? At the moment, it's far too early to tell."
Symantec.cloud's MessageLabs senior analyst Paul Wood warned, however, that the botnet is not likely to have been shut down by anti-spam activists and has more probably gone silent due to a deliberate move by its controllers.
"To take down a botnet, all the relevant IP addresses need to be effectively identified and then a tightly controlled, coordinated plan of action followed in order to take the botnet offline which involves a huge amount of concerted international effort across many time zones in different languages," he told V3.co.uk.
"For this reason it seems unlikely that the botnet was taken down as a result of community action, given that we have not seen any authorities or organisations come forward to talk about the work that went into taking this botnet offline, unless they are keeping quiet."
Wood added that Rustock fell silent in a similar manner over the Christmas period due to a self-imposed exile but came back strongly, so it is too early to tell if this is also a temporary blip.
"It may be that the business model has been affected, or there could have been a shift in the customer base whereby the customers are going to rival botnets to send spam," he said.
"Alternatively it could be that Rustock is returning to its old pattern of sending out spam which we saw in 2009 whereby it operated in peaks and troughs. We should know more later on today as we continue to monitor spam levels."