The amount of spam being sent by the notorious Rustock botnet using TLS encryption has surged in recent weeks, establishing an important new trend in botnet behaviour, security companies have said.
Two weeks ago, Symantec's MessageLabs division reported noticing a huge amount of spam using TLS, the encryption protocol that succeeded the well-known SSL and is generally used to secure the contents of an email between server and client.
At that time, the proportion of Rustock spam encrypted using TLS was around the 35 percent mark, a figure the company says in its most recent Intelligence Report this week has climbed to as much as 77 percent of the botnet's activity over the course of the month.
The problem is that TLS imposes higher processing demands on mail servers than non-TLS traffic, likely around 1 KB of overhead for each spam email. Given that most email is now spam, the added load on mail servers has the potential to be high whether or not the messages are detected as spam.
MessageLabs is not the only hosted messaging provider to detect Rustock's use of TLS. Around the same time as the group put out its first Rustock report, a blog post by Terry Zink of Microsoft's online security group described a similar pattern involving Rustock and its use of the TLS protocol.
"We set up a node in our Labs using TLS and confirmed that some Rustock bots were indeed using TLS," said Phil Hay, a spam expert at M86 Security. "Our statistics show that Rustock is still the number one source of spam output and this new use of TLS highlights an increasing level of sophistication."
"In essence this means that organisations can't rely on enforcing TLS as a means for reducing spam. It does have an impact on system resources however, as all forms of encryption do," said Hay.
Why Rustock has adopted this technique is open to question. Adding TLS to outbound spam slows the rate at which spam can be delivered, which would seem to run counter to the spammer's aim of pushing out illegitimate mail as widely and as quickly as possible. It is also the case that TLS-encrypted mail is no longer automatically trusted by receiving servers, so it is unlikely to be a simple evasion technique.
Experts such as Zink speculate that it could be a response to the recent clampdown on numerous botnets by law enforcement, including the bust that led police in Spain to arrest three men accused of running the Mariposa botnet. Infiltrating Mariposa - indeed infiltrating any botnet - involves cracking its command and control layer. TLS could be one measure that makes such interception harder.
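The practical takeaways for a mail administrator are the ones Hay states: measure what share of inbound spam actually arrives over TLS, and make sure the filter does not treat a TLS hop as a sign of legitimacy. The following added example (written for this page, not code from MessageLabs, M86 or Microsoft) reads the Received: header of each message, detects a TLS-protected hop from the ESMTPS/ESMTPSA keyword (RFC 3848) or an explicit TLS version comment as written by common MTAs, and reports the TLS share for spam and for legitimate mail separately. The sample headers and spam labels are constructed for the demonstration; the 0.3 gap threshold is an assumed cut-off for when a feature is worth scoring.

```python
import re
from collections import defaultdict

# ESMTPS / ESMTPSA "with" keywords (RFC 3848), Postfix's "using TLSv1.x" comment
# and Sendmail's "version=TLSv1" comment all mark a hop delivered over TLS.
_TLS_RE = re.compile(
    r"\bwith\s+E?SMTPSA?\b|\busing\s+TLSv?\d|\bversion=TLSv?\d",
    re.IGNORECASE,
)

# Constructed sample: the Received: header written by our own MX for each message,
# plus the verdict the content filter reached. Not real traffic.
SAMPLE_MESSAGES = [
    {"spam": True,  "received": "from host-1.example.net (host-1.example.net [192.0.2.11]) (using TLSv1 with cipher AES128-SHA) by mx.example.org (Postfix) with ESMTPS id 1A2B3C; Mon, 15 Mar 2010 10:00:01 +0000"},
    {"spam": True,  "received": "from host-2.example.net (host-2.example.net [192.0.2.12]) by mx.example.org (Postfix) with ESMTPS id 1A2B3D; Mon, 15 Mar 2010 10:00:02 +0000"},
    {"spam": True,  "received": "from host-3.example.net (host-3.example.net [192.0.2.13]) by mx.example.org (8.14.3) with ESMTP id 1A2B3E (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 15 Mar 2010 10:00:03 +0000"},
    {"spam": True,  "received": "from host-4.example.net (host-4.example.net [192.0.2.14]) by mx.example.org (Postfix) with ESMTP id 1A2B3F; Mon, 15 Mar 2010 10:00:04 +0000"},
    {"spam": False, "received": "from mail.partner.example (mail.partner.example [198.51.100.5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by mx.example.org (Postfix) with ESMTPS id 1A2B40; Mon, 15 Mar 2010 10:01:01 +0000"},
    {"spam": False, "received": "from smtp.bank.example (smtp.bank.example [198.51.100.6]) by mx.example.org (Postfix) with ESMTPSA id 1A2B41; Mon, 15 Mar 2010 10:01:02 +0000"},
    {"spam": False, "received": "from relay.vendor.example (relay.vendor.example [198.51.100.7]) by mx.example.org (8.14.3) with ESMTP id 1A2B42 (version=TLSv1/SSLv3 cipher=AES256-SHA); Mon, 15 Mar 2010 10:01:03 +0000"},
    {"spam": False, "received": "from list.example.com (list.example.com [198.51.100.8]) by mx.example.org (Postfix) with ESMTP id 1A2B43; Mon, 15 Mar 2010 10:01:04 +0000"},
]


def received_used_tls(received_header: str) -> bool:
    """True if the Received: header records a TLS-protected delivery hop."""
    return _TLS_RE.search(received_header) is not None


def tls_share_by_class(messages):
    """Fraction of messages delivered over TLS, separately for spam and ham."""
    totals = defaultdict(int)
    over_tls = defaultdict(int)
    for msg in messages:
        label = "spam" if msg["spam"] else "ham"
        totals[label] += 1
        if received_used_tls(msg["received"]):
            over_tls[label] += 1
    return {label: over_tls[label] / totals[label] for label in totals}


def tls_is_useful_spam_signal(share, min_gap=0.3):
    """Only score on TLS if spam and ham differ by at least min_gap (assumed threshold).

    When both classes use TLS at a similar rate, as in the sample, the hop's
    encryption says nothing about the message and must not lower its spam score.
    """
    return abs(share["ham"] - share["spam"]) >= min_gap


if __name__ == "__main__":
    share = tls_share_by_class(SAMPLE_MESSAGES)
    for label, fraction in sorted(share.items()):
        print(f"{label}: {fraction:.0%} of messages arrived over TLS")
    print("TLS usable as a spam signal:", tls_is_useful_spam_signal(share))
```

Run against real mail, the same parser over a day of headers gives the local equivalent of the 35 to 77 percent figures quoted above; the point of the last function is that once spam and legitimate mail both use TLS at comparable rates, a filter rule that discounts TLS-delivered mail is rewarding the botnet rather than catching it.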