Cybercriminals no longer control the third largest spam botnet, researchers say

The remaining command and control servers of the Grum botnet have been shut down

Cybercriminals no longer control one of the world's largest spam botnets, Grum, because all of the servers the botnet relied on for receiving commands were shut down, according to researchers from security firm FireEye.

The last Grum command and control servers, six located in Ukraine and one in Russia, were offline as of Wednesday, FireEye senior staff scientist Atif Mushtaq said in a blog post. This leaves all of the Grum-infected computers orphaned, he said.

FireEye collaborated in the takedown effort with the Spamhaus Project, a nonprofit organization dedicated to tracking spammers, the Computer Security Incident Response Team of Russian security firm Group-IB (CERT-GIB) and an independent researcher.

Grum was the third largest spam botnet in terms of the number of unique IP (Internet Protocol) addresses associated with it, Spamhaus investigator Vincent Hanna said Thursday via email.

Before the takedown, Spamhaus saw Grum spam messages originating from 100,000 to 120,000 IP addresses every day and from approximately 500,000 every week. The messages mainly promoted fake prescription drugs.

"We now see only a few leftovers," Hanna said. "These would be infected machines that are finishing their last payloads."

According to FireEye, Grum was responsible for around 18 percent of the global spam volume, which means that it was sending approximately 18 billion spam messages every day.

However, the effect of Grum's takedown on the global spam volume remains to be seen, as there are other botnets that are very efficient at sending spam and could fill the void, Hanna said.

FireEye launched the Grum takedown effort on July 9. At the time, Grum relied on four command and control servers: one located in Panama, one in Russia and two in the Netherlands.

First, the servers located in the Netherlands were shut down by the company hosting them, crippling Grum operators' ability to issue new spamming commands to the botnet.

Then on Tuesday, the Grum server in Panama was disconnected by its ISP, leading to cybercriminals losing control over a segment of the botnet, Mushtaq said.

The Grum operators responded by setting up six additional servers in Ukraine and using the remaining Russian server to point the infected computers to them.

"Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy," Mushtaq said.

"Most of the spam botnets that used to keep their CnCs [command and control servers] in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones," Mushtaq said. "We have proven them wrong this time."

The server in Russia appears to have been the primary one and shutting it down proved to be the hardest. The company hosting it was unresponsive, so its ISP eventually intervened and stopped routing traffic for the server's IP address.

The FireEye researchers hope that the takedown is permanent, because unlike other botnets, Grum doesn't have any apparent fallback mechanism that its operators can use to regain control.
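A bot whose only way of finding its masters is a fixed list of server addresses keeps retrying that list once every server is unreachable, which is what makes a takedown like this one stick and also what makes the leftover infections easy to spot on a network. The script below is an added example, not code from the article, FireEye or Spamhaus: it scans constructed firewall log lines for internal hosts repeatedly attempting connections to command and control addresses that have been shut down. The C&C addresses and the log format are assumptions (RFC 5737 documentation ranges and a simplified iptables-style line), not the real Grum infrastructure.

```python
"""
Added example: find hosts that are still beaconing to command and control
(C&C) addresses after those servers have been taken down. Once every C&C
server is unreachable, an infected machine with a hard-coded server list
keeps retrying the same addresses, so repeated outbound connection
attempts to them are a usable indicator of an orphaned bot.

All addresses are from documentation ranges (RFC 5737) and the log lines
are constructed; they are NOT the real Grum C&C addresses.
"""
from collections import defaultdict
import ipaddress
import re

# Hypothetical addresses of C&C servers that have been shut down.
DEAD_CNC = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed firewall log lines in a simplified iptables-like format:
# <timestamp> SRC=<ip> DST=<ip> DPT=<port> ACTION=<DROP|ACCEPT>
SAMPLE_LOG = """\
2012-07-19T10:00:01 SRC=10.0.0.5 DST=203.0.113.10 DPT=80 ACTION=DROP
2012-07-19T10:00:31 SRC=10.0.0.5 DST=203.0.113.11 DPT=80 ACTION=DROP
2012-07-19T10:01:01 SRC=10.0.0.5 DST=198.51.100.7 DPT=80 ACTION=DROP
2012-07-19T10:01:31 SRC=10.0.0.5 DST=203.0.113.10 DPT=80 ACTION=DROP
2012-07-19T10:02:00 SRC=10.0.0.9 DST=192.0.2.50 DPT=443 ACTION=ACCEPT
2012-07-19T10:02:05 SRC=10.0.0.12 DST=203.0.113.10 DPT=80 ACTION=DROP
2012-07-19T10:03:10 SRC=10.0.0.9 DST=192.0.2.50 DPT=443 ACTION=ACCEPT
2012-07-19T10:04:00 SRC=10.0.0.5 DST=203.0.113.11 DPT=80 ACTION=DROP
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) ACTION=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_orphaned_bots(log_text, dead_cnc, min_attempts=2):
    """Return {src_ip: {"attempts": n, "targets": [...]}} for internal hosts
    that tried to reach a dead C&C address at least min_attempts times.

    A single connection could come from a scanner or a researcher; repeated
    attempts, typically cycling through the whole list, look like a bot
    retrying its hard-coded servers.
    """
    hits = defaultdict(lambda: {"attempts": 0, "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in dead_cnc:
            continue
        # Only count sources in private address space: those are the
        # machines on this network that need cleaning.
        if not ipaddress.ip_address(rec["src"]).is_private:
            continue
        hits[rec["src"]]["attempts"] += 1
        hits[rec["src"]]["targets"].add(rec["dst"])
    return {
        src: {"attempts": v["attempts"], "targets": sorted(v["targets"])}
        for src, v in hits.items()
        if v["attempts"] >= min_attempts
    }


if __name__ == "__main__":
    for host, info in sorted(find_orphaned_bots(SAMPLE_LOG, DEAD_CNC).items()):
        print(f"{host}: {info['attempts']} attempts to {', '.join(info['targets'])}")
```

On the constructed log, 10.0.0.5 is reported with five attempts spread across all three dead addresses, while 10.0.0.12 (a single attempt) is dropped by the default threshold; lowering `min_attempts` to 1 surfaces it too, at the cost of more false positives from one-off scans.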

"However, people who can build a botnet this strong can certainly create a new one," Hanna said.


Lucian Constantin

IDG News Service