The Rustock botnet was a large botnet with over 1 million infected computers under its control. This botnet was used to send large volumes of spam. Researchers at Microsoft observed a single Rustock-infected computer sending 7,500 spam emails in 45 minutes – a rate of 240,000 spam emails per day. At times Rustock was capable of sending an estimated 30 billion spam emails per day.
Much of the spam email that the Rustock botnet sent advertised counterfeit or unapproved knock-off versions of pharmaceuticals. Microsoft worked with Pfizer, who conducted test purchases of the drugs advertised by Rustock. Pfizer’s analysis found that the kinds of drugs advertised through this type of spam often contained the wrong active ingredients, incorrect dosages, or ingredients not related to medicine at all. It turns out that fake drugs are often contaminated with substances including pesticides, lead-based highway paint, and floor wax, to name just a few examples.
Microsoft’s Digital Crimes Unit worked with Pfizer, the network security provider FireEye, and security experts at the University of Washington, as well as the Dutch High Tech Crime Unit within the Netherlands Police Agency, and CN-CERT, to take the Rustock botnet down in March of this year.
We have just published a special edition Security Intelligence Report that will provide you with granular details on how this botnet worked and how it was taken down. This is required reading for security professionals who need to understand the tactics and techniques bot operators are currently using.
Figure: Rustock botnet activity detected by Forefront Online Protection for Exchange in 1Q11, by messages received and IP addresses used