The first real test of whether the Rustock shutdown is going to "stick" will be tomorrow (March 18th), which is when the next "spike" would be due.
At approximately 14:45 GMT (10:45 AM Eastern Daylight Time) on March 16, 2011, the Rustock spambot appears to have been taken down. Typically representing 50-70% of all spam, Rustock has been the largest emitter of spam on the Internet.
Of late, Rustock has been doing an abrupt spike of up to 80% of all spam every other day with a gradual decay over the rest of the day and sometimes into the next.
At 14:45 GMT, Rustock appears to have been "caught" just at the beginning of one of these spikes, and abruptly and precipitously fell to essentially zero output. The shape of the event is more dramatic than the Rustock "vacation" during late Dec 2010 and early Jan 2011, and if prolonged, will represent a more significant event than the McColo shutdown in November 2008.
At least we have better measurements this time...
Online story: KrebsOnSecurity article
Indications are that there are active measures taking place to prevent it resurrecting, but only time will tell.
These six graphs show the recent history of Rustock flow into a group of CBL traps. The charts on the left are Rustock emissions per second, and on the right are the percentage of Rustock in total spam flow. The first row is for Wednesday March 16, 2011, and the second row is for the previous week.
The graphs in the last row are a view of Rustock over the previous 6 months, updated every 10 minutes or so. These will only be made public for a short period and will be withdrawn for operational security reasons when and if Rustock resurrects. In this way, you'll be able to tell, within 10 minutes of it happening, if Rustock restarts.
In the graphs on the left, the Y axis is detections per second. In the graphs on the right, the Y axis is the percentage of total email flow that is Rustock.
The X axis is the date/time in GMT. This snapshot was taken Wednesday, March 16, 2011.
|Day of Rustock Shutdown|
|Week of Rustock Shutdown|
|Continuously updating (last 6 months)|