The Rustock botnet has been known primarily as a prolific spam source. IntelliShield previously reported on this backdoor trojan in IntelliShield Daily Malicious Code Summaries 11062 and 11243. Sources indicate that the botnet may account for some 26% of all spam, and a single infected low-end system is normally capable of sending hundreds of thousands of spam messages an hour. Recently, however, Cisco Security Intelligence engineers observed a change in Rustock behavior: the botnet is now attempting to grow by directly exploiting other systems rather than relying on its previous infection vectors alone.
Sometime between April 18 and April 19, 2009, Rustock began updating to include code that exploits the MS08-067 vulnerability (CVE-2008-4250), a flaw in the Windows Server service that is reachable over SMB and is described in Alert 16941. This is the same vulnerability the A and B variants of Conficker use to propagate. Exploitation of this vulnerability is detected by Cisco IPS signature 7280-0; because the signature is vulnerability-specific rather than tied to a particular malware family, it fires on the exploit traffic whether Rustock, Conficker, or another tool sends it.
Although the Rustock code was updated to support this change in tactics, existing detection methods that identified earlier Rustock samples, such as antivirus signatures and spam-source monitoring, may still identify this new variant.
Administrators are encouraged to monitor networks for malicious activity, in particular for internal hosts that begin initiating SMB connections (TCP port 445 or 139) to many peers, and to pay close attention to systems that had recently been responsible for sending significant amounts of e-mail, since a known spam source that starts fanning out SMB connections matches the behavior described above.
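The following script is an added example for this alert, not Cisco IPS, IntelliShield, or Rustock code. It illustrates the monitoring step above on constructed flow records (timestamp, source, destination, destination port, bytes): it counts outbound SMTP flows per host and the number of distinct peers each host contacts over SMB, then flags hosts that were heavy e-mail senders and have since started fanning out SMB connections. The record format and the thresholds (20 SMTP flows, 10 SMB peers) are assumptions chosen for the example; tune them to your own flow export and baseline.

```python
"""Flag hosts that were heavy SMTP senders and then began fanning out SMB connections.

Added example for this alert, not Cisco or IntelliShield code. The flow records
are constructed for illustration; the record format and thresholds are assumptions.
"""
from collections import defaultdict

SMTP_PORT = 25
SMB_PORTS = {445, 139}  # MS08-067 is exploited over SMB (Server service)


def build_sample_flows():
    """Constructed flow export (not real data): 'timestamp src dst dport bytes' per line."""
    lines = []
    # 10.1.1.50: heavy outbound SMTP, then SMB connections across the local /24
    # (the spam-source-turned-scanner pattern the alert describes).
    for i in range(40):
        lines.append(f"2009-04-19T02:{i:02d}:00 10.1.1.50 203.0.113.{i % 20 + 1} 25 3100")
    for i in range(15):
        lines.append(f"2009-04-19T03:{i:02d}:00 10.1.1.50 10.1.1.{100 + i} 445 1200")
    # 10.1.1.51: legitimate mail relay, heavy SMTP but no SMB fan-out.
    for i in range(40):
        lines.append(f"2009-04-19T02:{i:02d}:30 10.1.1.51 198.51.100.{i % 10 + 1} 25 5400")
    # 10.1.1.52: workstation talking to two file servers over SMB, normal behavior.
    for i in range(6):
        lines.append(f"2009-04-19T02:{i:02d}:45 10.1.1.52 10.1.1.{200 + i % 2} 445 8000")
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'timestamp src dst dport bytes' lines into tuples, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((ts, src, dst, int(dport), int(nbytes)))
    return flows


def classify_hosts(flows, smtp_min_flows=20, smb_min_peers=10):
    """Return {host: {smtp_flows, smb_peers, verdict}} for hosts worth investigating.

    A host is reported if it exceeds the SMTP-flow threshold, the distinct-SMB-peer
    threshold, or both. Only the combination is specific to the behavior in the alert;
    the single-signal verdicts are kept so that mail relays and file-server clients can
    be reviewed (or allow-listed) separately.
    """
    smtp_flows = defaultdict(int)
    smb_peers = defaultdict(set)
    for _ts, src, dst, dport, _nbytes in flows:
        if dport == SMTP_PORT:
            smtp_flows[src] += 1
        elif dport in SMB_PORTS:
            smb_peers[src].add(dst)

    findings = {}
    for host in set(smtp_flows) | set(smb_peers):
        spam_like = smtp_flows[host] >= smtp_min_flows
        fanout = len(smb_peers[host]) >= smb_min_peers
        if spam_like and fanout:
            verdict = "spam-source-now-scanning-smb"
        elif spam_like:
            verdict = "heavy-smtp-sender"
        elif fanout:
            verdict = "smb-fanout"
        else:
            continue
        findings[host] = {
            "smtp_flows": smtp_flows[host],
            "smb_peers": len(smb_peers[host]),
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for host, info in sorted(classify_hosts(parse_flows(build_sample_flows())).items()):
        print(f"{host}: {info['verdict']} (smtp_flows={info['smtp_flows']}, smb_peers={info['smb_peers']})")
```

On the constructed data, 10.1.1.50 is reported as a spam source that has started scanning over SMB, the mail relay 10.1.1.51 is reported only as a heavy SMTP sender, and the workstation 10.1.1.52 is not reported at all. This heuristic only prioritizes hosts for investigation; confirming that the SMB traffic is actually an MS08-067 exploit attempt is the job of a vulnerability-specific signature such as IPS 7280-0 or of packet capture on the flagged host.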
Administrators are also encouraged to take standard protective measures, such as keeping systems updated with patches (in this case, confirming that the MS08-067 update, KB958644, is installed on all Windows hosts) and with current antivirus software to prevent and detect exploitation. Host-based intrusion prevention systems, such as Cisco Security Agent, may also assist in detecting and preventing exploitation.
Cisco will update this alert as more information on these developments becomes available.