According to the January spam report from Symantec's MessageLabs hosted services arm, the Bagle botnet overtook Rustock as the primary source of spam traffic for this month.
Rustock was the dominant spam botnet in 2010 and was responsible for 47.5% of all spam emails sent last year.
M86 Security estimates that at its peak, Rustock accounted for nearly 60% of the world's spam traffic, but its activity started to wind down since the beginning of October when Spamit, the world's largest rogue pharmacy affiliate program, closed down.
The botnet baffled researchers when it stopped spamming entirely on December 25 and remained silent until January 10, however, this was probably due to the winter holidays in Russia.
Rustock returned in force since then, but did not manage to make up for the lost start, which allowed Bagle to jump in front.
"Since its return, Rustock has accounted for approximately 17.5% of all spam in January while the Bagle botnet has taken the lion's share with 20% of spam
," the MessageLabs report says.
Pharmaceutical spam remains Rustock's main signature, the botnet being responsible for 80% of junk emails sent this month in this category.
However, because of its temporary inactivity, the overall rate of pharmaceutical spam has decreased to 59.1% in January from 64% in December.
A change in rogue pharmacy brands promoted by Rustock has also been observed. Before Spamit's closure, the botnet used to put out spam for the infamous "Canadian Pharmacy" gang.
"Further investigation reveals that the most common pharmaceutical spam from Rustock now relates to another spam operation called 'Pharmacy Express,' but not yet on the same scale as before
," the MessageLabs researchers write.
Other type of spam sent by Rustock is related to counterfeit software (17%) and dating (3%). The botnet is expected to increase its activity in the months to come.