Fortinet released its April threat landscape report, and one of the big findings was that the recent takedown of the Rustock botnet appears to have lowered spam levels. However, the report also found that the number of spamming machines has remained roughly the same. According to the report:
Spam rates continue to remain lower than average at about 30% following the takedown of the Rustock botnet in March. While rates remain low, the number of spamming IPs (machines) has not taken a large drop. Oftentimes machines are infected with multiple viruses/botnets that can continue to send spam and siphon data, despite one threat being mitigated. Most spamming IP addresses we observed were geolocated to machines in the USA, India and Brazil. Top spammed domains for this report were globalrxgeo.ru and globalrxgift.ru, both Russian top-level domains which resolved to different servers in China.
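The report's point is that spam volume and the number of spamming machines are two different metrics, and a takedown can move one without the other. The following is an added example (not from the Fortinet report or any Fortinet product) of how a mail gateway operator could track both from its own logs. The log format and the sample lines are constructed for this example; the dates and addresses are placeholders.

```python
"""Spam volume versus distinct spamming machines, from mail gateway logs.

Added example: the Fortinet report observes that the spam rate fell after the
Rustock takedown while the count of spamming IPs barely moved. Tracking both
per day makes that gap visible. Log format and sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log lines: "<date> <time> <client-ip> verdict=<spam|ham>"
SAMPLE_LOG = """\
2011-03-15 08:01:02 203.0.113.5 verdict=spam
2011-03-15 08:01:09 203.0.113.5 verdict=spam
2011-03-15 08:02:11 198.51.100.7 verdict=spam
2011-03-15 08:03:40 192.0.2.9 verdict=ham
2011-03-15 08:04:02 203.0.113.5 verdict=spam
2011-03-15 08:05:13 198.51.100.7 verdict=spam
2011-03-20 09:00:01 203.0.113.5 verdict=spam
2011-03-20 09:00:45 198.51.100.7 verdict=spam
2011-03-20 09:01:30 192.0.2.9 verdict=ham
2011-03-20 09:02:02 192.0.2.10 verdict=ham
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) verdict=(spam|ham)$")


def daily_spam_stats(log_text):
    """Return {date: {"spam": n, "total": n, "spam_ips": set(...)}} per day."""
    stats = defaultdict(lambda: {"spam": 0, "total": 0, "spam_ips": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        day, ip, verdict = m.groups()
        stats[day]["total"] += 1
        if verdict == "spam":
            stats[day]["spam"] += 1
            stats[day]["spam_ips"].add(ip)
    return dict(stats)


def summarize(log_text):
    """Per day: spam rate (fraction of messages) and distinct spamming IPs."""
    out = {}
    for day, s in sorted(daily_spam_stats(log_text).items()):
        rate = s["spam"] / s["total"] if s["total"] else 0.0
        out[day] = {"spam_rate": round(rate, 3), "spam_ips": len(s["spam_ips"])}
    return out


if __name__ == "__main__":
    for day, s in summarize(SAMPLE_LOG).items():
        print(f"{day}: spam rate {s['spam_rate']:.1%}, spamming IPs {s['spam_ips']}")
```

On the constructed data the spam rate drops from about 83% on the first day to 50% on the second, yet the number of distinct spamming addresses stays at two, which is exactly the pattern the report describes: a quieter botnet, not a cleaner set of machines. The IP count is the metric that tells you whether the infected hosts are still out there.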
Not surprisingly, even though Rustock is no longer a problem, another botnet has been energized:
We saw many new instances of the Torpig botnet emerge, accounting for 30% of new botnet activity this report. Most command and control detections for Torpig originated from machines in Russia and Sudan. By comparison, the Hiloti botnet accounted for roughly 15% of new botnet traffic, the majority of it in Australia and Sweden.
Fortinet explained that the Torpig botnet has been around for years. It typically spreads through infected web pages and installs a rootkit (Mebroot) that infects a system right from the master boot record.
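Because Mebroot lives in the master boot record, it survives reinstalling the operating system files and is invisible to tools that only inspect the file system. One defensive check is to hash the MBR's bootstrap code area and compare it with a baseline taken while the machine was known clean. The following is an added example (not from Fortinet, and not a description of how Mebroot itself works); the 512-byte MBR it inspects is constructed in the code, and `read_mbr` assumes a Linux-style block device path such as `/dev/sda`, which needs root privileges to open.

```python
"""MBR bootstrap-code integrity check against a known-good baseline.

Added example. An MBR is 512 bytes: 440 bytes of bootstrap code, a 4-byte
disk signature, 2 reserved bytes, a 64-byte partition table and the 0x55AA
boot signature. A boot-sector rootkit has to change the code area, so that
is what gets hashed here; the partition table is left out because legitimate
repartitioning changes it. The sample MBR below is constructed.
"""
import hashlib

MBR_SIZE = 512
BOOTSTRAP_LEN = 440            # bootstrap code area, offsets 0..439
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def build_constructed_mbr():
    """Construct a plausible, non-bootable MBR purely for this example."""
    # A few bytes that look like real boot code, padded with NOPs.
    bootstrap = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOTSTRAP_LEN - 5)
    disk_sig = b"\x12\x34\x56\x78"          # constructed disk signature
    reserved = b"\x00\x00"
    # One 16-byte partition entry: bootable flag, dummy CHS, type 0x83 (Linux),
    # dummy CHS end, LBA start 2048, 204800 sectors. Remaining entries empty.
    part1 = (b"\x80" + b"\x01\x01\x00" + b"\x83" + b"\xfe\xff\xff"
             + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    partitions = part1 + b"\x00" * 48
    mbr = bootstrap + disk_sig + reserved + partitions + BOOT_SIGNATURE
    assert len(mbr) == MBR_SIZE
    return mbr


def read_mbr(device_path):
    """Read the first 512 bytes of a block device (assumed path, e.g. /dev/sda)."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def bootstrap_hash(mbr):
    """SHA-256 of the bootstrap code area; rejects anything that is not an MBR."""
    if len(mbr) != MBR_SIZE or mbr[-2:] != BOOT_SIGNATURE:
        raise ValueError("not a valid 512-byte MBR (bad length or boot signature)")
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """True if the bootstrap code still matches the known-good baseline."""
    return bootstrap_hash(mbr) == baseline_hash


if __name__ == "__main__":
    clean = build_constructed_mbr()
    baseline = bootstrap_hash(clean)          # record this while the host is clean
    tampered = bytearray(clean)
    tampered[0:3] = b"\xeb\x10\x90"           # constructed change to the code area
    print("clean MBR matches baseline:", check_mbr(clean, baseline))
    print("tampered MBR matches baseline:", check_mbr(bytes(tampered), baseline))
```

The baseline hash should be stored off the host (a rootkit that owns the boot sector can also edit a file on the same disk), and the comparison should be re-run from trusted media or during offline forensics, since a kernel-level rootkit may filter what a live system reads from the device. A change to the partition table alone does not trip this check, which is deliberate; a separate baseline of the partition table is the place for that.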