14 DAY TRIAL // Rustock, the leading spam botnet in 2010, appears to have been completely repurposed for click fraud and has stopped all spamming operations since late last month.
Security vendors observed a quick decline in spam traffic from Rustock ever since Spamit, the largest rogue online pharmacy affiliate program, announced last September that it plans to close down.
Rustock was one of Spamit's biggest affiliates and, according to data from messaging security provider M86 Security, in August last year, it's output peaked at over 60% of the world's spam traffic.
Meanwhile, Symantec's MessageLabs Hosted Services division reported in September that the botnet shrinked in size from 2.5 million computers in April to 1.3 million in August.
However, its spam output nearly doubled when it stopped encrypting spam traffic with TLS. This allowed each botnet client to send 192 emails per minute instead of 96.
After Spamit closed down on 1st of October, the spam volume coming from Rustock began to decline until it almost stopped on around December 25.
Brian Krebs reports that researchers have just now realized that Rustock was in fact being slowly repurposed for another type of cybercriminal activity - click fraud.
"We missed it the first time because the sheer volume of spam-related traffic overshadowed the pay-per-click traffic. So Rustock was spamming and ‘clicking’ concurrently, but now is just clicking," said Phil Hay, senior threat analyst at M86.
Click fraud is the practice of generating requests for certain URLs using particular referrers in order to get paid for what is ultimately useless traffic.
Mr. Hay notes that Rustock was making rogue GET requests to gamecetera.com, ricead.com, funkclicks.com, bannerflux.com, gamesbannernet.com, mochimedia.com and girlgamesbanner.com, but the targeted domains might change on a daily basis.
The fact that the Rustock gang has switched its operations to click fraud, suggests that this type of illegal activity is at least as profitable as spamming.