Welcome Back, Rustock.

Blog Post created by RSA Admin Employee on Aug 22, 2012

REPOST - ORIGINALLY POSTED JANUARY 10, 2010

 

It seems that our holiday from Rustock-generated spam is over.

 

http://bits.blogs.nytimes.com/2011/01/06/spamming-declines-at-least-temporarily/?partner=rss&emc=rss

 

We monitor a number of botnets at NetWitness and check them occasionally for new information. Since Rustock is in the news, we’ve paid close attention to it recently. Sometime this morning, Rustock began spamming again, pushing Viagra from shady .ru sites.

Looking at the traffic in Investigator,  I see a quick overview of subject lines:

And reconstructed, we see a very in-depth message of “CLICK HERE!”

Which of course takes us to Canadian Pharmacy!

Welcome back, Rustock… We can’t say we’ve missed you. There is no telling if this will be continued activity, but it appears to be business as usual for the Rustock operators.
