Cybercriminals no longer control the third largest spam botnet, researchers say

The remaining command and control servers of the Grum botnet have been shut down

Cybercriminals no longer control one of the world's largest spam botnets, Grum, because all of the servers the botnet relied on for receiving commands were shut down, according to researchers from security firm FireEye.

The last Grum command and control servers, six located in Ukraine and one in Russia, were offline as of Wednesday, FireEye senior staff scientist Atif Mushtaq said in a blog post. This leaves all of the Grum-infected computers orphaned, he said.

FireEye collaborated in the takedown effort with the Spamhaus Project, a nonprofit organization dedicated to tracking spammers, the Computer Security Incident Response Team of Russian security firm Group-IB (CERT-GIB) and an independent researcher.

Grum was the third largest spam botnet in terms of the number of unique IP (Internet Protocol) addresses associated with it, Spamhaus investigator Vincent Hanna said Thursday via email.

Before the takedown, Spamhaus used to see Grum spam messages originating from 100,000 to 120,000 IPs every day and approximately 500,000 every week. The messages mainly promoted fake prescription drugs.

"We now see only a few leftovers," Hanna said. "These would be infected machines that are finishing their last payloads."

According to FireEye, Grum was responsible for around 18 percent of the global spam volume, which means that it was sending approximately 18 billion spam messages every day.

However, the effect of Grum's takedown on the global spam volume remains to be seen, as there are other botnets that are very efficient at sending spam and could fill the void, Hanna said.

FireEye launched the Grum takedown effort on July 9. At the time, Grum relied on four command and control servers: one located in Panama, one in Russia and two in the Netherlands.

First, the servers located in the Netherlands were shut down by the company hosting them, crippling Grum operators' ability to issue new spamming commands to the botnet.

Then on Tuesday, the Grum server in Panama was disconnected by its ISP, leading to cybercriminals losing control over a segment of the botnet, Mushtaq said.

The Grum operators responded by setting up six additional servers in Ukraine and using the remaining Russian server to point the infected computers to them.

"Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy," Mushtaq said.

"Most of the spam botnets that used to keep their CnCs [command and control servers] in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones," Mushtaq said. "We have proven them wrong this time."

The server in Russia appears to have been the primary one, and shutting it down proved to be the hardest. The company hosting it was unresponsive, so its ISP eventually intervened and stopped routing traffic for the server's IP address.

The FireEye researchers hope that the takedown is permanent, because unlike other botnets, Grum doesn't have any apparent fallback mechanism that its operators can use to regain control.

"However, people who can build a botnet this strong can certainly create a new one," Hanna said.


Lucian Constantin

IDG News Service