
FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation


Rustock and Mega-D fallback domains

To me, charts and graphs illustrate trends much more clearly than a <table> does.  Below I'll show the number of unique IPs over time, the number of unique IPs per hour, and the breakdown by domain for the fallback channels of Rustock and Mega-D. 

The first graphic below represents our current visibility into Rustock (aside from our customer sites). Much like Srizbi, we registered as many fallback domains as we could find for Rustock. Rustock differs slightly in that the domain names do not appear to be randomly generated; in the samples that have a fallback mechanism at all, they are hard coded.

The first graph in the top left represents unique sessions per hour (4-tuple) for Rustock domains on our server.  The graph on the bottom left is the number of new IPs seen in a one hour period, compared with the number of unique IPs seen in that same hour.  The pie chart on the right is the breakdown of unique IPs per Rustock fallback domain name that we have hijacked.

[Figure: Rustock. Top left: unique sessions per hour; bottom left: new IPs vs. unique IPs per hour; right: unique IPs per fallback domain]
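Added example, not code from the FireEye post: a Python sketch that computes the three measures described above (unique 4-tuple sessions per hour, new vs. unique IPs per hour, unique IPs per fallback domain) from a sinkhole's HTTP log, using the Host header as the domain. The log format, IP addresses and domain names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real sinkhole data): one line per connection with
# timestamp, client IP, client port, server IP, server port, HTTP Host header.
SAMPLE_LOG = """\
2008-11-15T10:03:11 198.51.100.7 51022 203.0.113.5 80 fallback-a.example
2008-11-15T10:17:40 198.51.100.7 51023 203.0.113.5 80 fallback-a.example
2008-11-15T10:17:40 198.51.100.7 51023 203.0.113.5 80 fallback-a.example
2008-11-15T10:45:02 198.51.100.9 40001 203.0.113.5 80 fallback-b.example
2008-11-15T11:02:55 198.51.100.7 51100 203.0.113.5 80 fallback-a.example
2008-11-15T11:30:00 198.51.100.22 33333 203.0.113.5 80 fallback-b.example
2008-11-15T11:31:12 198.51.100.22 33334 203.0.113.5 80 fallback-c.example
"""


def parse(log_text):
    """Yield (timestamp, src_ip, src_port, dst_ip, dst_port, host) per log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sip, sport, dip, dport, host = line.split()
        yield datetime.fromisoformat(ts), sip, int(sport), dip, int(dport), host.lower()


def sinkhole_metrics(log_text):
    """Return (per_hour, per_domain) metrics from a sinkhole log."""
    sessions = defaultdict(set)    # hour -> set of 4-tuples (dedups repeated log lines)
    hour_ips = defaultdict(set)    # hour -> client IPs seen in that hour
    domain_ips = defaultdict(set)  # Host header -> client IPs that asked for it
    for ts, sip, sport, dip, dport, host in parse(log_text):
        hour = ts.replace(minute=0, second=0, microsecond=0)
        sessions[hour].add((sip, sport, dip, dport))
        hour_ips[hour].add(sip)
        domain_ips[host].add(sip)
    seen_before = set()  # IPs seen in any earlier hour, to separate "new" from "unique"
    per_hour = {}
    for hour in sorted(hour_ips):
        per_hour[hour.isoformat()] = {
            "sessions": len(sessions[hour]),
            "unique_ips": len(hour_ips[hour]),
            "new_ips": len(hour_ips[hour] - seen_before),
        }
        seen_before |= hour_ips[hour]
    per_domain = {d: len(ips) for d, ips in domain_ips.items()}
    return per_hour, per_domain


if __name__ == "__main__":
    hourly, by_domain = sinkhole_metrics(SAMPLE_LOG)
    for hour, row in hourly.items():
        print(hour, row)
    print(by_domain)
```

For Mega-D, which does not speak HTTP, the same counting applies to the connection 4-tuples from the pcap, but the per-domain breakdown is unavailable because there is no Host header to key on.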

The second graph shows the same results but for Mega-D/Ozdok. We do not have the domain name listed because Mega-D does not use HTTP (although it does use TCP/80), so it isn't as easy to script a logging agent. We do have the raw data in .pcap format and will be analyzing it at a later time.

[Figure: Megad. Unique sessions per hour and new IPs vs. unique IPs per hour for Mega-D/Ozdok]

It's worth noting that although we have but a few domains for both Rustock and Mega-D (a dozen or so for Rustock and half that for Mega-D), we have still seen significant activity on these domains. Many Rustock samples we analyzed had no fallback mechanism whatsoever, which may have been a major reason that, when McColo was briefly routable over the weekend, the first attempt was to recover/redirect the Rustock botnet.

Todd Rosenberry and Alex Lanstein @ FireEye Malware Intelligence Labs

Comments/Questions to research@fireeye.com
