The Rustock botnet has shrunk since April. In those heady days the botnet was made up of 2.5 million computers and it sent out 43 billion spam e-mails per day. Now only 1.3 million computers are infected with Rustock, but to make up for the lost numbers it is spitting out huge numbers of mostly pharmaceutical spam.
At the moment, more than 46 billion spam e-mails are coming from Rustock daily. The computers infected with Rustock have also stopped using TLS (Transport Layer Security), an encryption protocol used to securely send e-mail.
According to the MessageLabs blog, spammers were encrypting their spam using TLS because it made it harder for other network equipment to inspect the traffic and determine whether it was spam.
However, TLS required more resources and was slower, and MessageLabs thinks the botnet controllers realised that using it slowed them down.
Rustock was nearly killed off when McColo, an ISP in San Jose, California, was cut off from the internet in November 2008 by its upstream providers.
McColo had hosted the command-and-control servers for several botnets, including Rustock. Rustock’s operators switched to other command-and-control servers.