Backdoor.Rustock Evolves from Spam-Sending Bot to Attack Platform
IntelliShield: Applied Mitigation Bulletin
2009 April 20 20:26 GMT
2009 April 20 20:26 GMT
Cisco Security Intelligence engineers have detected an update to the Rustock botnet, indicating that the malicious code has changed from a botnet primarily used to send spam to one that is using exploits to compromise other systems.
The Rustock botnet has been known primarily as a prolific spam source. IntelliShield previously reported on this backdoor trojan in IntelliShield Daily Malicious Code Summaries 11062 and 11243. Sources indicate that the botnet may account for some 26% of all spam. Normally it is capable of sending hundreds of thousands of spam messages an hour from a single, low-end system. However, recently Cisco Security Intelligence engineers noticed a change in Rustock behavior, and the botnet is now attempting to grow even larger by exploiting other systems.
Sometime between April 18 and April 19, 2009, Rustock began updating to include code that exploits the MS08-067 vulnerability (CVE-2008-4250), which is described in
IntelliShield alert 16941. This is the same vulnerability the A and B variants of Conficker use to propagate. Exploitation of this vulnerability is detected by Cisco IPS signature 7280-0, which is vulnerability-specific.
While updates to the Rustock code have been made to facilitate this change in tactics, it is possible that other detection methods that identified Rustock may still identify this new variation.
Administrators are encouraged to monitor networks for malicious activity, and to monitor systems that had recently been responsible for sending significant amounts of e-mail.
Administrators are also encouraged to take proper standard protective measures, such as keeping systems updated with patches and antivirus software to prevent and detect exploitation. Host-based intrusion prevention systems, such as Cisco Security Agent, may assist in the detection and prevention of exploits as well.
Cisco will update this alert as more information on these developments becomes available.
The security vulnerability applies to the following combinations of products.
Security Activity Bulletin
Original Release Base
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.