Fake 'Yahoo sold to Microsoft' spam boosts Rustock botnet

Security vendor Marshal is warning that a growing large-scale botnet – called Rustock - is forwarding spam containing exploitive headlines in an attempt to infect users and grow its network.

Numerous small businesses and private web sites - so far predominantly in US and China - have been targeted in the campaign, claimed Marshal.

The security vendor warned a variety of headlines are being used to lure victims into clicking on a malicious link.

They include: “Yahoo sold to Microsoft, record price;” “Bush Down to 8 Friends on Myspace;” “Al Qaeda Reports Declining Revenues in Fiscal ’08.”

“Some of the headlines are hard to take seriously and some of them are believably enticing,” said Phil Hay, lead threat analyst for Marshal’s TRACE Team.

Hay said the Rustock spammers appear to be experimenting to see which types of headlines solicit the most hits from recipients.

However, if a recipient clicks on one of these links a webpage opens with a fake web video and a popup window that prompts the user to install a file called ‘codecinst.exe’.

“They are trying to disguise the installation of the executable under a believable pretext,” said Hay.

Marshal’s records revealed that Rustock is estimated to comprise over 150,000 infected PCs and distributes close to 30 billion spam messages daily which in terms of volume makes it one of the biggest malicious spam campaigns ever seen.

“Rustock is not a name many people are familiar with but it is well known within the security industry. Today it is one of the most established spambots. Rustock has been operating in various forms for more than two years,” said Hay.