Cybercriminals no longer control the third largest spam botnet, researchers say

The remaining command and control servers of the Grum botnet have been shut down

Cybercriminals no longer control one of the world's largest spam botnets, Grum, because all of the servers the botnet relied on for receiving commands were shut down, according to researchers from security firm FireEye.

The last Grum command and control servers, six located in Ukraine and one in Russia, were offline as of Wednesday, FireEye senior staff scientist Atif Mushtaq said in a blog post. This leaves all of the Grum-infected computers orphaned, he said.

FireEye collaborated in the takedown effort with the Spamhaus Project, a nonprofit organization dedicated to tracking spammers, the Computer Security Incident Response Team of Russian security firm Group-IB (CERT-GIB) and an independent researcher.

Grum was the third largest spam botnet in terms of the number of unique IP (Internet Protocol) addresses associated with it, Spamhaus investigator Vincent Hanna said Thursday via email.

Before the takedown, Spamhaus saw Grum spam messages originating from 100,000 to 120,000 IP addresses every day and approximately 500,000 every week. The messages mainly promoted fake prescription drugs.

"We now see only a few leftovers," Hanna said. "These would be infected machines that are finishing their last payloads."

According to FireEye, Grum was responsible for around 18 percent of the global spam volume, which means that it was sending approximately 18 billion spam messages every day.

However, the effect of Grum's takedown on the global spam volume remains to be seen, as there are other botnets that are very efficient at sending spam and could fill the void, Hanna said.

FireEye launched the Grum takedown effort on July 9. At the time, Grum relied on four command and control servers: one located in Panama, one in Russia and two in the Netherlands.

First, the servers located in the Netherlands were shut down by the company hosting them, crippling Grum operators' ability to issue new spamming commands to the botnet.

Then on Tuesday, the Grum server in Panama was disconnected by its ISP, leading to cybercriminals losing control over a segment of the botnet, Mushtaq said.

The Grum operators responded by setting up six additional servers in Ukraine and using the remaining Russian server to point the infected computers to them.

"Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy," Mushtaq said.

"Most of the spam botnets that used to keep their CnCs [command and control servers] in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones," Mushtaq said. "We have proven them wrong this time."

The server in Russia appears to have been the primary one and shutting it down proved to be the hardest. The company hosting it was unresponsive, so its ISP eventually intervened and stopped routing traffic for the server's IP address.

The FireEye researchers hope that the takedown is permanent, because unlike other botnets, Grum doesn't have any apparent fallback mechanism that its operators can use to regain control.
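Once the command and control servers are gone, the infected machines keep trying to reach addresses that no longer answer, which is exactly what a network defender can look for. The script below is an added illustration, not code from FireEye, Spamhaus or the article: it scans a constructed firewall export for internal hosts that repeatedly attempt connections to a set of decommissioned C2 addresses. The addresses in `DEAD_C2`, the log format and the three-attempt threshold are all assumptions; the article publishes no IP addresses, so the values here are documentation-range placeholders, not real Grum indicators.

```python
"""Flag internal hosts still beaconing to decommissioned C2 addresses.

Added illustration, not FireEye/Spamhaus code. The C2 addresses and the
log lines are constructed placeholders, not real Grum indicators.
"""
from collections import defaultdict
from datetime import datetime

# Constructed placeholders standing in for the taken-down C2 addresses (the
# article names none); a real deployment would use the list the responders publish.
DEAD_C2 = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed firewall export, one connection attempt per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2012-07-18T09:00:01 10.0.0.5 203.0.113.10 80 DROP
2012-07-18T09:00:31 10.0.0.5 203.0.113.10 80 DROP
2012-07-18T09:01:01 10.0.0.5 203.0.113.11 80 DROP
2012-07-18T09:01:31 10.0.0.5 203.0.113.10 80 DROP
2012-07-18T09:02:00 10.0.0.9 192.0.2.50 443 ALLOW
2012-07-18T09:03:00 10.0.0.9 198.51.100.7 80 DROP
2012-07-18T09:04:00 10.0.0.12 192.0.2.60 25 ALLOW
"""


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, src, dst, port, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "action": action,
    }


def find_orphaned_hosts(log_text, dead_c2, min_attempts=3):
    """Return {src_ip: summary} for hosts contacting dead C2 at least min_attempts times.

    The summary records how many attempts were seen, which dead addresses were
    tried, the first and last timestamps, and the mean gap between attempts,
    which for a bot polling on a fixed timer is close to constant.
    """
    attempts = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dst"] in dead_c2:
            attempts[rec["src"]].append(rec)

    result = {}
    for src, recs in attempts.items():
        if len(recs) < min_attempts:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [
            (b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])
        ]
        result[src] = {
            "attempts": len(recs),
            "targets": sorted({r["dst"] for r in recs}),
            "first": recs[0]["ts"].isoformat(),
            "last": recs[-1]["ts"].isoformat(),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return result


if __name__ == "__main__":
    for host, info in find_orphaned_hosts(SAMPLE_LOG, DEAD_C2).items():
        print(host, info)
```

Only `10.0.0.5` crosses the default threshold; `10.0.0.9` made a single attempt and would need a lower `min_attempts` (or more log history) before it is worth a ticket. The mean gap is a cheap sanity check: a 30-second cadence with no variation looks like a timer, while a single stray connection is more often a scanner or a misconfigured client.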

"However, people who can build a botnet this strong can certainly create a new one," Hanna said.


Lucian Constantin

IDG News Service