
Microsoft reports Rustock botnet down to half strength and still dark

by Iain Thomson

05 Jul 2011


A detailed report from Microsoft into the Rustock botnet, using data from command-and-control (C&C) servers seized in raids, has shown that half of infected PCs are now clean of the malware and that the network remains inactive.

The botnet comprised over 1.6 million systems at its peak, but fell by over 56 per cent to 702,860 in June. India saw the largest decline in infections, but remains the largest component of the defunct botnet, followed by the US and Turkey.

"Since the time of the initial takedown, we estimate the Rustock botnet is now less than half the size it was when we took it down in March," said Microsoft Digital Crimes Unit senior attorney Richard Boscovich.

"That's great news, and the infection reduction has happened much more quickly than it did for Waledac over a similar period last year. But we still have a long way to go."

The malware on infected systems has been removed with a combination of security software updates, automated scripts and reinstallation of computer operating systems.

Microsoft did not attempt a remote-controlled removal of the malware, an approach similar to the one currently under consideration by the US government for systems infected with the CoreFlood malware.

Rustock was at one point estimated to account for over half the world's spam, and went dark in mid-March. Microsoft announced shortly afterwards that it had taken action against the botnet.

The C&C servers were seized in raids in seven US cities and around the world, and the malware's recovery systems were compromised.

Microsoft estimated that Rustock could send 30 billion spam emails a day, and that some infected computers were sending 7,500 emails every 45 minutes.

Custom software capable of mailing a spam file to 427,000 email addresses from a single data set was found on one of the drives.
