Malicious spam campaigns continues with Rustock botnet

According to experts from Marshal’s TRACE team, emails with exploitive headlines mentioning George Bush, Microsoft and Al Qaeda in their subject lines are part of a coordinated malicious spam campaign from criminals controlling the Rustock botnet.

The recent, large-scale campaign is designed to infect computers with malware and convert them into part of the Rustock botnet — and it is succeeding, says Marshal. Over the last month, Rustock has grown to claim second place among the largest spam producing botnets behind the Srizbi botnet in first place. Rustock has increased its share of global spam volumes from 10 percent in mid-June to 21.5 percent last week, according to Marshal’s TRACE statistics.

Malicious spam, which is designed to infect computers with malware rather than promoting a product, rose to an all-time high of almost 19 percent of spam last week. In June 2008, malware spam surged to its previous highest level of 10 percent, up from 3 percent where it had been steady since February 2008.

Rustock’s latest campaign exhibits a broader trend where spammers hack into legitimate websites to host their malware. Numerous small businesses and private websites have been targeted in this campaign, including a badminton club in China and a hypnotherapist’s site in the United States. Hijacking legitimate websites and using them to host malware makes the spammers harder to track and shut down with less evidence linking the spammers to the malware.

There is a range of messages being sent as part of the campaign, each with a different news headline. Examples include:

“Bush Down to 8 Friends on Myspace”
“Yahoo sold to Microsoft, record price”
“Al Qaeda Reports Declining Revenues in Fiscal ’08”
“Martian Soil Fantastic for Growing Weed Says Nasa”
“Obama Is Anorexic Over-Exerciser”

The body of the messages contains more sensational headlines — usually on a topic unrelated to the subject line — and a URL link. The links typically end with ‘/viewmovie.html’, ‘/stream.html’ or ‘/r.html’. If a recipient clicks on one of these links, a webpage opens showing a fake web video attempting to load and a popup window appears prompting the user to install a file called ‘codecinst.exe’. The file is malware. If it is downloaded and installed it fetches a fake Windows XP anti-virus program as well as the Rustock spambot itself. In addition to this threat, the webpage opened by the link also contains JavaScript components designed to exploit vulnerabilities in Internet Explorer and download the malware automatically.

Rustock is not a name many people are familiar with, but it is well known within the security industry. Today it is one of the most established spambots. It has been operating in various forms for more than two years, is estimated to comprise over 150,000 infected PCs, and distributes close to 30 billion spam messages daily.