SOURCE: Marshal

August 07, 2008 09:20 ET

Rustock Overtakes Srizbi to Become New Spam Champion

Latest Malicious Spam Campaign Exploits CNN and Olympics

ATLANTA, GA--(Marketwire - August 7, 2008) - The Rustock botnet has moved into first place as the world's single largest source of spam after an unprecedented wave of malicious spam, say experts from Marshal's TRACE Team (Threat Research and Content Engineering). The latest Rustock malicious spam campaign uses headlines, purporting to be from CNN, covering prominent current events such as the Olympics.

Rustock has surpassed the Srizbi botnet for the first time as the world's largest spam producing botnet. Srizbi has held the title since February this year, peaking at more than 55 percent of all spam by volume in late May.

In June, the Rustock botnet began its rise to prominence through a sustained six-week-long campaign of malicious spam. This past week, Marshal has attributed 31.1 percent of all spam to Rustock, narrowly beating Srizbi on 30.7 percent. Over the same period, malicious spam -- designed to infect email recipients with malware and merge their computers with the botnet -- has risen from 3 percent to its highest recorded level of 32.3 percent.

"Almost one-third of all spam in circulation last week was malicious," said Phil Hay, lead threat analyst for Marshal's TRACE Team. "Rustock is largely responsible for that. The rise in malicious spam and the rise of Rustock are directly linked. Rustock has grown through malicious spam. Its success in infecting more computers through malicious spam has bred further success. It has been able to send even more spam in a kind of ever-increasing cycle."

Rustock began issuing large volumes of malicious spam with fake news headlines in late June. These messages were originally simple in appearance and easy to recognize as spam. Rustock then moved to a more compelling format, combining outrageous satirical headlines linking to a fake web-based video and a Trojan file download disguised as a video codec update.

This week, Rustock stepped up its expansion campaign with a professional-looking CNN format. The messages feature a "Daily Top 10" list of real but highly unusual headlines. The headlines cover topics on everything from the 2008 Olympics in China to harried parents forgetting their child at the airport.

As with previous campaigns, the headlines link to a fake web-hosted CNN video that pretends to require a codec update before playing and asks the user to download an executable file. The downloaded executable sometimes fetches a fake Windows XP anti-virus program but always loads the Rustock botnet in the background.

The infected web pages also use known browser exploits for Microsoft Internet Explorer to try to infect computers automatically.

"A few weeks ago we said that Rustock was having a lot of success with these campaigns," said Hay. "As time has gone on, the criminals behind Rustock have adjusted the appearance and sophistication of their messages to become more convincing at fooling recipients into infecting themselves. As Rustock has infected more machines, it has enabled the botnet to send more and more spam. These two factors have combined to push Rustock into first place and the volumes of malicious spam in circulation through the roof."

"The increasing professionalism of the criminals behind the major botnets and the growing emphasis on using spam to aid in the distribution of malware is disturbing," said Hay. "These botnet criminals are earning big money and their revenue is tied to their ability to send increasing volumes of spam on behalf of spammers who pay for the service. The end result is that spam is growing, becoming more professional and more dangerous every week. This also clearly demonstrates a change in botnet tactics: in the past, botnet operators subscribed to the 'Go low and go slow' methodology to escape detection; now they are getting a lot bolder and seemingly less concerned about publicity by increasing their activity significantly."

More Information

Statistics on Rustock and malicious spam levels can be found here -

Information on the latest Rustock CNN campaign can be found here -

Information on the previous Rustock "outrageous headlines" campaign can be found here -

The previous Marshal press release regarding Rustock's growth can be found here -

About the Marshal TRACE Team

TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats through the TRACE website at TRACE services are provided as part of standard product maintenance that includes updates to Marshal's unique, proprietary anti-spam technology, SpamCensor. TRACE analyzes spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. It also provides "Zero Day" security protection against new email and virus exploits the day they emerge.

About Marshal

Marshal is a global leader in content security across multiple protocols, enabling organizations to secure their IT environment, protect against threats and comply with corporate governance needs. Marshal provides customers with a complete portfolio of policy-driven email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. Forty percent of the Global Fortune 500 companies use Marshal security solutions to secure their corporate messaging networks and Web access against internal abuse and external threats such as viruses, spam and malicious code. More than 7 million users in over 18,000 companies worldwide use Marshal solutions to protect their networks, employees, business assets and corporate reputation and to comply with corporate governance legislation requirements.

Marshal's Americas headquarters is in Atlanta, Georgia, with corporate headquarters in London (UK) and offices in Auckland (New Zealand), Houston (USA), Johannesburg (South Africa), Munich (Germany), Paris (France) and Sydney (Australia). More information is available at
