Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of spam e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat.  It is the largest spamming botnet that sends mail to our servers.

I decided to take a look at where its spamming IPs were located, geographically, for the date of November 12, 2009.  Below is the chart:


In a surprising twist and departure from the norm, the United States is very under-represented in the above chart.  South America is strongly over-represented.  The top countries are below:

Rank  Country          Distinct IPs
1     Brazil           3274
2     India            2687
3     Colombia         1211
4     Poland           899
5     United States    836
6     Argentina        760
7     Czech Republic   745
8     Romania          731
9     Thailand         630
10    Israel           464
11    Spain            447
12    Italy            440
13    South Korea      419
14    South Africa     379
15    Great Britain    372
16    Germany          372
17    Turkey           368
18    Peru             363
19    Vietnam          361
20    Ukraine          332

Three of the top six countries are in South America.  Only one is in Asia, and one is in Europe.  This differs significantly from the total spamming IP distribution where the United States has 18% of the total IPs:


For this one day, South America’s representation has doubled compared to its global IP distribution for all spam and the United States is at around 1/3 of its usual share, while Asia and Europe are about the same.  For some odd reason, the United States seems to be more resistant to relaying spam from Rustock than other countries.  And for some reason, South America is more prone to relaying it.  I’ll take some guesses in my next post as to why this is.