Grum Botnet Officially Decapitated

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

The Grum botnet is killed off, meaning we can expect a big dip in spam

The world’s third-biggest spamming botnet has been killed off, thanks to a coordinated effort between security researchers.

Grum has been in decline for some time, having held the title of world’s biggest spamming botnet in January. This week saw Dutch law enforcement take out a key command and control (C&C) server, but the master servers remained active in Russia and Panama.

It looked as if the Grum masterminds had brought their creation back to life when they set up six fresh C&C servers in Ukraine to replace those taken out in the Netherlands. Furthermore, the ISPs hosting the master servers had not responded to letters informing them of malicious activity on their infrastructure.

But the Panama server was cut off yesterday when the ISP “buckled”, reported FireEye researcher Atif Mushtaq, who has been one of the chief warriors in the war on Grum. Thanks to a collaborative effort involving Mushtaq, two researchers from anti-spam organisation Spamhaus, the Russian Computer Security Incident Response Team and an anonymous expert known as Nova7, the servers in Russia and Ukraine were taken out.

Quick moves

“After they got all the evidence from my side, they moved quickly passing this intelligence back to their contacts in Ukraine and Russia. As a result of this overnight operation, all six new servers in Ukraine and the original Russian server were dead as of today, 18 July,” Mushtaq wrote in a blog post.

“The primary server located in Russia was not taken down by their ISP, GAZINVESTPROEKT LTD. It was their upstream provider who finally came in and null routed the IP address at our request.”

Many now expect to see a dip in spam as a result of Grum’s demise. The latest figures from M86 Security showed it was responsible for 17.4 percent of worldwide spam traffic. Data from Spamhaus showed that prior to the takedown, Grum consisted of around 120,000 bots pushing out spam, but there were most likely more bots connected to the malicious network.

Mushtaq said the collaborative effort showed that botnet infrastructure could be dismantled even in countries where ISPs are less cooperative with researchers and law enforcement. “When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders,” he added.

“There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox.”

Spam has seen a dip over the last year, following action against some massive botnets. Other recent major takedowns have included Rustock and Kelihos.
