Cybercriminals no longer control the third largest spam botnet, researchers say

The remaining command and control servers of the Grum botnet have been shut down

Cybercriminals no longer control one of the world's largest spam botnets, Grum, because all of the servers the botnet relied on for receiving commands were shut down, according to researchers from security firm FireEye.

The last Grum command and control servers, six located in Ukraine and one in Russia, were offline as of Wednesday, FireEye senior staff scientist Atif Mushtaq said in a blog post. This leaves all of the Grum-infected computers orphaned, he said.

FireEye collaborated in the takedown effort with the Spamhaus Project, a nonprofit organization dedicated to tracking spammers, the Computer Security Incident Response Team of Russian security firm Group-IB (CERT-GIB) and an independent researcher.

Grum was the third largest spam botnet in terms of the number of unique IP (Internet Protocol) addresses associated with it, Spamhaus investigator Vincent Hanna said Thursday via email.

Before the takedown, the organization used to see Grum spam messages originating from 100,000 to 120,000 IPs every day and approximately 500,000 every week. The messages mainly promoted fake prescription drugs.

"We now see only a few leftovers," Hanna said. "These would be infected machines that are finishing their last payloads."

According to FireEye, Grum was responsible for around 18 percent of the global spam volume, which means that it was sending approximately 18 billion spam messages every day.

However, the effect of Grum's takedown on the global spam volume remains to be seen, as there are other botnets that are very efficient at sending spam and could fill the void, Hanna said.

FireEye launched the Grum takedown effort on July 9. At the time, Grum relied on four command and control servers: one located in Panama, one in Russia and two in the Netherlands.

First, the servers located in the Netherlands were shut down by the company hosting them, crippling Grum operators' ability to issue new spamming commands to the botnet.

Then on Tuesday, the Grum server in Panama was disconnected by its ISP, leading to cybercriminals losing control over a segment of the botnet, Mushtaq said.

The Grum operators responded by setting up six additional servers in Ukraine and using the remaining Russian server to point the infected computers to them.

"Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy," Mushtaq said.

"Most of the spam botnets that used to keep their CnCs [command and control servers] in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones," Mushtaq said. "We have proven them wrong this time."

The server in Russia appears to have been the primary one and shutting it down proved to be the hardest. The company hosting it was unresponsive, so its ISP eventually intervened and stopped routing traffic for the server's IP address.

The FireEye researchers hope that the takedown is permanent, because unlike other botnets, Grum doesn't have any apparent fallback mechanism that its operators can use to regain control.

"However, people who can build a botnet this strong can certainly create a new one," Hanna said.

Lucian Constantin

IDG News Service