Author Topic: Rustock back to business as usual - Revisited...


Offline polonus

Rustock back to business as usual - Revisited...
« on: March 07, 2009, 12:08:34 AM »
Hi malware fighters,

Two bot-nets are responsible for spreading 60% of all spam: the notorious Rustock botnet is responsible for 35%, and the Mega-D botnet spreads the remaining 25%. Rustock took a severe blow when the McColo spam provider went down, but the bot-net re-emerged in full strength. Because of the root-kit involved it is very difficult for users to find out they have a Rustock infection. In the old days "surplus" activity on port 25 (now bots sometimes use port 80 or 443) was a giveaway, but Wireshark will give you a bit of insight into what goes on under the hood of "your" spam-spewing machine. The malware is the fastest spam-bot of the time, sending 25,000 spam messages per hour per bot. "It is no surprise this bot-net is the big favorite of the big spammers."

http://www.marshal.com/TRACE/traceitem.asp?article=882

http://blog.fireeye.com/research/2008/11/rustock-selling-pills-again.html

http://blog.fireeye.com/research/2008/11/does-antivirus-stop-bots.html

pol
« Last Edit: March 07, 2009, 12:23:47 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
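One way to turn the "surplus port 25 activity" hint above into a concrete check, as an added example that is not part of the original post or of any product mentioned in the thread: it reads a constructed flow log (timestamp, source host, destination host, destination port; the hosts and the line format are assumptions) and flags any source that contacts more than a handful of distinct mail servers on port 25 within a one-minute window. A normal desktop hands all mail to one relay, so a fan-out to many MX hosts is the spam-bot pattern; traffic on 80/443, which the post notes bots also use, cannot be told apart this way and is ignored.

```python
"""Flag hosts with an unusual fan-out of outbound SMTP (port 25) connections.

The flow log below is constructed for this example; the field layout
(ISO timestamp, src host, dst host, dst port) is an assumption, not a real
tool's output format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 talks to five different mail servers in a few
# seconds (bot-like); 10.0.0.9 only uses one relay plus some HTTPS.
SAMPLE_FLOWS = """\
2009-03-07T00:00:01 10.0.0.5 192.0.2.10 25
2009-03-07T00:00:02 10.0.0.5 192.0.2.11 25
2009-03-07T00:00:02 10.0.0.5 192.0.2.12 25
2009-03-07T00:00:03 10.0.0.5 192.0.2.13 25
2009-03-07T00:00:04 10.0.0.5 192.0.2.14 25
2009-03-07T00:00:05 10.0.0.9 198.51.100.7 25
2009-03-07T00:00:09 10.0.0.9 198.51.100.7 25
2009-03-07T00:00:10 10.0.0.9 203.0.113.1 443
2009-03-07T00:05:00 10.0.0.5 192.0.2.15 25
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def smtp_outliers(flows, window=timedelta(minutes=1), max_peers=3):
    """Return {src: peak_peer_count} for sources that contacted more than
    max_peers distinct hosts on port 25 inside any sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25:                      # only SMTP fan-out is a signal here
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):    # slide the window over sorted events
            while events[right][0] - events[left][0] > window:
                left += 1
            peers = {dst for _, dst in events[left:right + 1]}
            if len(peers) > max_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged
```

Feeding it a real export (for example a CSV of conversations from Wireshark, reshaped into the four fields) is how the post's "a bit of insight" becomes a repeatable alert on a home network.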

Offline Confused Computer User

Re: Rustock back to business as usual - Revisited...
« Reply #1 on: March 07, 2009, 08:49:31 PM »
I don't have too much (actually any) knowledge in this field. So, basic questions:

Does Avast pick this up?

Does any other security software pick this up (i.e. MBAM, SAS)?

Does the virus cause a significant increase in data transfer over the home network?

Can I use TCP view to see it?

Thanks and Cheers
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

Offline polonus

Re: Rustock back to business as usual - Revisited...
« Reply #2 on: March 07, 2009, 09:57:30 PM »
Hi Confused Computer User,

A piece of software that alerts to suspicious bot activity is RUBotted, download here:
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted/download
    RUBotted intelligently monitors your computer’s system behavior for activities that are potentially harmful to both your computer and other people’s computers. RUBotted monitors for remote command and control (C&C) commands sent from a bot-herder to control your computer. Additionally, RUBotted watches for an array of potentially malicious bot-related activities, including mass mailing - a common activity performed by a bot-infected computer.

    RUBotted co-exists with your existing AV software, providing advanced bot-specific behavior monitoring. RUBotted does not rely on frequent, network-intensive updates to ensure your computer's continued protection. The use of RUBotted is free as long as it is in beta.

polonus


Offline Confused Computer User

Re: Rustock back to business as usual - Revisited...
« Reply #3 on: March 07, 2009, 10:15:29 PM »
Thanks polonus,

I'll give this a try when I have a bit of spare time.

Cheers