Security Activity Bulletin

Backdoor.Rustock Evolves from Spam-Sending Bot to Attack Platform

 
Threat Type: IntelliShield: Applied Mitigation Bulletin
IntelliShield ID: 18062
Version: 1
First Published: 2009 April 20 20:26 GMT
Last Published: 2009 April 20 20:26 GMT
Port: Not available
Urgency: Possible use
Credibility: Corroborated
Severity: Moderate Damage
 
 
Version Summary:

Cisco Security Intelligence engineers have detected an update to the Rustock botnet indicating that the malicious code has changed from a botnet used primarily to send spam into one that also uses exploits to compromise other systems.

 

Description
 

The Rustock botnet has been known primarily as a prolific spam source. IntelliShield previously reported on this backdoor trojan in IntelliShield Daily Malicious Code Summaries 11062 and 11243. Sources indicate that the botnet may account for some 26% of all spam, and a single infected low-end system is normally capable of sending hundreds of thousands of spam messages an hour. Recently, however, Cisco Security Intelligence engineers noticed a change in Rustock behavior: the botnet is now attempting to grow even larger by exploiting other systems.
   
Sometime between April 18 and April 19, 2009, Rustock began updating itself to include code that exploits the MS08-067 vulnerability (CVE-2008-4250), a flaw in the Windows Server service reachable over SMB (TCP 445 and 139), which is described in IntelliShield alert 16941. This is the same vulnerability that the A and B variants of Conficker use to propagate. Exploitation of this vulnerability is detected by Cisco IPS signature 7280-0, which is vulnerability-specific rather than tied to any one piece of malware, so it applies to Rustock's use of the exploit as well.

Although the Rustock code was updated to support this change in tactics, signatures and other detection methods that identified earlier Rustock samples may still identify this new variation.

Administrators are encouraged to monitor networks for malicious activity, and in particular to monitor systems that had recently been responsible for sending significant amounts of e-mail: hosts that were spamming are the ones most likely to be running Rustock, and so the ones most likely to begin exploiting neighboring systems.
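The monitoring recommended above can be turned into a concrete check. The following is an added example, not code from the Cisco bulletin: it correlates flow records (timestamp, source, destination, destination port) to flag internal hosts that produced a burst of outbound SMTP and then began connecting to many distinct internal hosts on TCP 445 or 139, the SMB ports over which MS08-067 is reached. The flow-record format, the sample records, the 10.0.0.0/8 internal range and the thresholds are all constructed assumptions for the example.

```python
"""Correlate outbound SMTP bursts with later SMB fan-out (added example, not Cisco code)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

SMTP_PORTS = {25}
SMB_PORTS = {445, 139}          # transport over which MS08-067 (Server service) is reached
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored address space


def build_sample_log():
    """Constructed flow records, one per line: '<ISO timestamp> <src> <dst> <dst_port>'."""
    lines = []
    # 10.1.2.3: spam burst on TCP/25, then SMB connections across a whole /24
    for i in range(120):
        lines.append(f"2009-04-18T22:{i // 60:02d}:{i % 60:02d} 10.1.2.3 198.51.100.{i % 250 + 1} 25")
    for i in range(40):
        lines.append(f"2009-04-19T03:10:{i:02d} 10.1.2.3 10.1.3.{i + 1} 445")
    # 10.1.2.4: a legitimate mail relay: heavy SMTP, SMB only to one file server
    for i in range(200):
        lines.append(f"2009-04-18T22:{i // 60:02d}:{i % 60:02d} 10.1.2.4 203.0.113.{i % 250 + 1} 25")
    for i in range(5):
        lines.append(f"2009-04-19T03:20:{i:02d} 10.1.2.4 10.1.0.10 445")
    # 10.1.2.5: SMB fan-out with no spam history (still worth a look, lower confidence)
    for i in range(30):
        lines.append(f"2009-04-19T04:00:{i:02d} 10.1.2.5 10.1.4.{i + 1} 139")
    return lines


def parse_flow(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def correlate(lines, smtp_threshold=100, smb_fanout_threshold=20):
    """Return {host: finding} for internal hosts that contact many distinct internal SMB targets.

    A host is reported when it reaches smb_fanout_threshold distinct SMB peers; the
    'spam_then_smb' flag is set when the same host also sent at least smtp_threshold
    outbound SMTP flows before its first SMB connection. Thresholds are assumptions
    for the example; tune them to the environment.
    """
    smtp_times = defaultdict(list)   # src -> timestamps of outbound SMTP flows
    smb_targets = defaultdict(dict)  # src -> {internal dst: first-seen timestamp}
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if src not in INTERNAL:
            continue
        if port in SMTP_PORTS and dst not in INTERNAL:
            smtp_times[src].append(ts)
        elif port in SMB_PORTS and dst in INTERNAL and dst != src:
            smb_targets[src].setdefault(dst, ts)

    findings = {}
    for src, targets in smb_targets.items():
        if len(targets) < smb_fanout_threshold:
            continue  # a handful of SMB peers (file servers, domain controllers) is normal
        first_smb = min(targets.values())
        sent = smtp_times.get(src, [])
        spam_then_smb = len(sent) >= smtp_threshold and min(sent) < first_smb
        findings[str(src)] = {
            "smtp_flows": len(sent),
            "smb_targets": len(targets),
            "first_smb": first_smb.isoformat(),
            "spam_then_smb": spam_then_smb,
        }
    return findings


if __name__ == "__main__":
    for host, f in sorted(correlate(build_sample_log()).items()):
        tag = "spam sender now probing SMB" if f["spam_then_smb"] else "SMB fan-out only"
        print(f"{host}: {tag} ({f['smtp_flows']} SMTP flows, {f['smb_targets']} SMB targets from {f['first_smb']})")
```

The check keys on distinct SMB destinations rather than raw connection counts so that a workstation talking to its file server and domain controller all day is not reported, while a mail relay with no SMB fan-out is ignored altogether. It complements, rather than replaces, a vulnerability-specific IPS signature such as 7280-0: the signature sees the exploit payload, while the flow correlation sees the behavioral pivot from spamming to scanning even on segments without an inline sensor.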

Administrators are also encouraged to take standard protective measures, such as keeping systems updated with patches (the fix for MS08-067 has been available from Microsoft since October 2008) and keeping antivirus software current, to prevent and detect exploitation. Host-based intrusion prevention systems, such as Cisco Security Agent, may assist in the detection and prevention of exploits as well.

Cisco will update this alert as more information on these developments becomes available.

 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Security Activity Bulletin Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.