Death By A Thousand Cuts – Rustock Botnet Sending More Encrypted Spam

Posted on behalf of Dan Bleaken, Malware Analyst, Symantec Hosted Services
In the past few days we have noticed that the Rustock botnet has been sending a lot more spam using TLS (Transport Layer Security). TLS is the successor to SSL and is a popular way of sending email through an encrypted channel, rather than sending it in the clear like most emails are sent. MessageLabs Intelligence tracks the use of TLS in order to determine how much spam is sent over TLS, and which botnets are sending it.
Not all mail servers force clients to use TLS, but it is frequently used for securing the communications channel between the client email sender and the email server to which the message is being delivered. It prevents eavesdropping of email traffic that would otherwise be sent in plain sight for anyone else on the network to see if they so wished, perhaps using network analysis tools.  Some businesses mandate TLS for remote clients, for example, an employee connecting via a wireless hot-spot. Often other security mechanisms are used as well, in order to authenticate the client, such as SMTP-AUTH, as many email servers don’t force clients to provide a valid TLS certificate, particularly when the client isn’t an employee, but just another mail server on the internet. 
TLS uses far more server resources and is much slower (continue reading...)