Rustock

Infection Statistics

As explained in the “How Win32/Rustock Works” section earlier in this report, Rustock variants are designed to contact a number of algorithmically generated domain names for instructions if the primary C&C servers are unavailable. Microsoft researchers successfully reverse-engineered the Rustock domain name generation algorithms prior to the March 16 takedown, which enabled them to register many of the domain names themselves to prevent the Rustock operators from gaining control of them. These domain names were assigned to sinkholes (server complexes designed to absorb and analyze malware traffic) operated by Microsoft so botnet traffic could be observed and studied. The telemetry generated by the sinkhole servers has provided valuable information about the geographic scope of the Rustock botnet.

Figure 1. Unique IP addresses contacting the Rustock sinkhole during the first 8 weeks after the takedown, by week

Like most malware families, Rustock does not affect all parts of the world equally. The following figure shows the number of hits received by sinkhole servers from Rustock-infected computers during the first week after the takedown.

Figure 2. Worldwide distribution of Rustock traffic during the first week after the takedown

Infected computers in the United States generated the most sinkhole traffic during week 1, with 55.8 million hits. Following the United States were France (13.7 million hits), Turkey (13.4 million), Canada (11.4 million), India (7.3 million), and Brazil (7.1 million). Some locations with large numbers of computers nevertheless generated relatively few hits, including China (423,078 hits in week 1), Chile (500,925), Denmark (539,577), and Norway (581,263).

The number of unique IP addresses contacting the sinkhole decreased 44.2 percent between the 1st and 8th weeks after the takedown, as Rustock variants were removed from affected computers by antivirus software and through other means such as scripts, removal tools, and computer reinstallation. As with the initial infections, this decrease did not affect all parts of the world equally. Figure 3 and Figure 4 show the percentage decrease in unique IP addresses contacting the Rustock sinkhole between the 1st and 8th weeks after the March 16 takedown, by location around the world and for the most affected Autonomous System Numbers (ASNs).
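
The week-over-week decrease described above is the kind of metric a sinkhole operator derives from raw connection logs. The following is an added example, not code from the report: it buckets constructed log lines (sample IPs, country codes and ASNs are made up) into weeks after the takedown, counts distinct source IPs, and reports the percentage drop per location or ASN; the takedown year 2011 is assumed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Takedown date from the report (March 16); the year 2011 is assumed.
TAKEDOWN = datetime(2011, 3, 16, tzinfo=timezone.utc)

# Constructed sinkhole records, not real Rustock telemetry:
# "<ISO timestamp> <source IP> <country> <origin ASN>"
SAMPLE_LOG = """\
2011-03-16T08:12:01Z 203.0.113.10 US AS64500
2011-03-16T09:40:22Z 203.0.113.10 US AS64500
2011-03-17T11:02:53Z 198.51.100.7 US AS64501
2011-03-18T14:55:10Z 198.51.100.9 US AS64501
2011-03-18T16:01:10Z 192.0.2.44 FR AS64502
2011-03-19T02:13:37Z 192.0.2.45 FR AS64502
2011-03-20T05:00:00Z 192.0.2.99 TR AS64503
2011-03-22T23:59:59Z 192.0.2.100 CA AS64504
2011-03-23T00:00:00Z 192.0.2.101 CA AS64504
2011-05-05T07:30:00Z 203.0.113.10 US AS64500
2011-05-06T19:21:45Z 192.0.2.44 FR AS64502
2011-05-08T10:00:00Z 192.0.2.77 DE AS64505
"""

def week_of(ts: str) -> int:
    """1-based week since the takedown (week 1 = days 0 through 6)."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (t - TAKEDOWN).days // 7 + 1

def unique_ips(log_text: str, group: str = "country") -> dict:
    """Map week -> group value -> set of distinct source IPs.
    Repeated hits from one IP in a week count once (IPs, not hits)."""
    col = {"country": 2, "asn": 3}[group]
    out = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4:  # skip blank or malformed records
            out[week_of(fields[0])][fields[col]].add(fields[1])
    return out

def percent_decrease(log_text: str, first=1, last=8, group="country") -> dict:
    """Percentage drop in distinct IPs between two weeks, per group value.
    Groups absent in week `first` have no baseline and are skipped; a group
    that has vanished by week `last` shows a 100.0 percent decrease."""
    by_week = unique_ips(log_text, group)
    result = {}
    for key, ips in by_week.get(first, {}).items():
        after = len(by_week.get(last, {}).get(key, ()))
        result[key] = round(100.0 * (len(ips) - after) / len(ips), 1)
    return result

def overall_decrease(log_text: str, first=1, last=8) -> float:
    """Global percentage drop in distinct IPs, regardless of location."""
    by_week = unique_ips(log_text)
    count = lambda w: len(set().union(*by_week.get(w, {}).values()))
    return round(100.0 * (count(first) - count(last)) / count(first), 1)
```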

Figure 3. Decreases in IP addresses contacting the Rustock sinkhole during the first eight weeks after the takedown, by location

Figure 4. Rustock traffic decrease from the 15 most-affected ASNs between March 16 and May 17