Rustock take-down proves botnets can be crippled, says Microsoft

05.07.2011

In its June report on spam and malware trends, Symantec said that spam levels had not recovered from the Rustock take-down, and in June accounted for 72.9% of all email, down from 83.1% in March.

Alex Lanstein, a senior engineer with FireEye who worked with Microsoft on the Rustock take-down, said the numbers spoke for themselves. "The spam drop is a direct result of the take-down," Lanstein said Monday.

But Symantec also said there was evidence that another botnet, dubbed "Grum," had stepped in to partially replace Rustock. The security firm cited such factors as similar subject lines, sending domains, a change in character sets by Grum just hours after the Rustock take-down and similarities in the two botnets' distribution patterns.

So are botnet take-downs just a game of "Whack-a-Mole," where bashing one botnet only sees it replaced by another?

"I think that's foolish to say," Boscovich said. "If you don't take action, what do you do, sit and watch it happen? This weeds out the smaller players, who decide that they can't afford the higher costs of sending spam. If everyone started doing more proactive work like [take-downs], we really would be able to take down a lot of players, and disrupt the entire spam ecosystem."