Where’s rustock?
Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of spam e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat. It is the largest spamming botnet that sends mail to our servers.
I decided to take a look at where its spamming IPs were located, geographically, for the date of November 12, 2009. Below is the chart:
In a surprising twist and departure from the norm, the United States is very under-represented in the above chart. South America is strongly over-represented. The top countries are below:
| Rank | Country | Distinct IPs |
|---|---|---|
| 1 | Brazil | 3274 |
| 2 | India | 2687 |
| 3 | Colombia | 1211 |
| 4 | Poland | 899 |
| 5 | United States | 836 |
| 6 | Argentina | 760 |
| 7 | Czech Republic | 745 |
| 8 | Romania | 731 |
| 9 | Thailand | 630 |
| 10 | Israel | 464 |
| 11 | Spain | 447 |
| 12 | Italy | 440 |
| 13 | South Korea | 419 |
| 14 | South Africa | 379 |
| 15 | Great Britain | 372 |
| 16 | Germany | 372 |
| 17 | Turkey | 368 |
| 18 | Peru | 363 |
| 19 | Vietnam | 361 |
| 20 | Ukraine | 332 |
Three of the top six countries are in South America (Brazil, Colombia and Argentina). Only one is in Asia (India) and one is in Europe (Poland); the remaining one is the United States. This differs significantly from the distribution of all spamming IPs, in which the United States alone accounts for 18% of the total:
For this one day, South America's share of Rustock IPs is roughly double its share of all spamming IPs, the United States' share is roughly a third of its all-spam share, and Asia and Europe are about the same. For some odd reason, the United States seems to be more resistant to relaying spam from Rustock than other countries, and South America more prone to relaying it. I'll take some guesses in my next post as to why this is.
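The per-country counting and the comparison against the all-spam baseline described above, as an added example in Python (this is not code from the original post). It assumes a per-connection log of `date source-ip botnet-label` lines and a small prefix-to-country table standing in for a GeoIP database; both the log and the table are constructed here, so the numbers are illustrative only. The "relative representation" it computes is the botnet's share of IPs in a country divided by that country's share of all spamming IPs, which is the ratio the paragraph above reasons about (about 2 for South America, about 1/3 for the United States).

```python
"""Distinct spamming IPs per country for one botnet on one day, compared with
the all-spam baseline for the same day. Added example; log and GeoIP table are
constructed, not real data."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix-to-country table standing in for a GeoIP database.
# Private and documentation ranges only; these are not real allocations.
GEO_PREFIXES = [
    (ip_network("10.1.0.0/16"), "BR"),
    (ip_network("10.2.0.0/16"), "IN"),
    (ip_network("10.3.0.0/16"), "CO"),
    (ip_network("10.4.0.0/16"), "US"),
    (ip_network("10.5.0.0/16"), "PL"),
]

# Country-to-region map used for the regional roll-up (assumed, illustrative).
REGION = {"BR": "South America", "CO": "South America", "IN": "Asia",
          "US": "North America", "PL": "Europe"}

# Constructed sample of an MTA's per-connection log: "date source-ip botnet-label".
# It deliberately includes a repeated IP, a line from another day, another
# botnet, an IP outside the table, and two malformed lines.
SAMPLE_LOG = """\
2009-11-12 10.1.0.5 rustock
2009-11-12 10.1.0.5 rustock
2009-11-12 10.1.0.9 rustock
2009-11-12 10.1.2.7 rustock
2009-11-12 10.2.0.1 rustock
2009-11-12 10.3.0.2 rustock
2009-11-12 10.3.0.3 rustock
2009-11-12 10.4.0.1 rustock
2009-11-11 10.4.0.8 rustock
2009-11-12 10.4.0.2 cutwail
2009-11-12 10.4.0.3 cutwail
2009-11-12 10.5.0.4 cutwail
2009-11-12 192.0.2.1 rustock
2009-11-12 not-an-ip rustock
garbage line
""".splitlines()


def country_for(ip):
    """Longest-match is unnecessary here because the prefixes do not overlap."""
    addr = ip_address(ip)
    for net, cc in GEO_PREFIXES:
        if addr in net:
            return cc
    return "??"  # not in the table


def parse(lines):
    """Yield (date, ip, label); silently skip malformed lines and bad IPs."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        date, ip, label = parts
        try:
            ip_address(ip)
        except ValueError:
            continue
        yield date, ip, label


def distinct_ips_by_country(lines, date, botnet=None):
    """Count distinct source IPs per country for one day; botnet=None means all spam."""
    seen = defaultdict(set)
    for d, ip, label in parse(lines):
        if d != date or (botnet is not None and label != botnet):
            continue
        seen[country_for(ip)].add(ip)  # a set, so repeats count once
    return {cc: len(ips) for cc, ips in seen.items()}


def top_countries(counts, n):
    """Rank like the table in the post: by count descending, ties by country code."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def shares(counts):
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items()} if total else {}


def relative_representation(botnet_counts, baseline_counts):
    """Botnet share / all-spam share per country; >1 means over-represented."""
    b, base = shares(botnet_counts), shares(baseline_counts)
    return {cc: b[cc] / base[cc] for cc in b if base.get(cc)}


def by_region(counts):
    out = defaultdict(int)
    for cc, n in counts.items():
        out[REGION.get(cc, "Unknown")] += n
    return dict(out)


if __name__ == "__main__":
    day = "2009-11-12"
    rustock = distinct_ips_by_country(SAMPLE_LOG, day, botnet="rustock")
    baseline = distinct_ips_by_country(SAMPLE_LOG, day)
    for cc, n in top_countries(rustock, 5):
        print(f"{cc:3} {n:4d}  x{relative_representation(rustock, baseline).get(cc, 0):.2f}")
    print(by_region(rustock))
```

The baseline is taken from the same day as the botnet sample so that the ratio is not skewed by day-to-day volume changes; comparing a single day against a baseline drawn from a different period (as the post's chart does) is fine for a rough look but makes the ratios noisier.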