
Grum Botnet Officially Decapitated

The world’s third-biggest spamming botnet has been killed off, thanks to a coordinated effort between security researchers.

Grum has been in decline for some time, having held the title of world’s biggest spamming botnet in January. This week saw Dutch law enforcement take out a key command and control (C&C) server, but the master servers remained active in Russia and Panama.

It looked as if the Grum masterminds had brought their creation back to life when they set up six fresh C&C servers in Ukraine to replace those taken out in the Netherlands. Furthermore, the ISPs hosting the master servers had not responded to letters informing them of malicious activity on their infrastructure.

But the Panama server was cut off yesterday when the ISP “buckled”, reported FireEye researcher Atif Mushtaq, who has been one of the chief warriors in the war on Grum. Thanks to a collaborative effort involving Mushtaq, two researchers from anti-spam organisation Spamhaus, the Russian Computer Security Incident Response Team and an anonymous expert known as Nova7, the servers in Russia and Ukraine were taken out.

Quick moves

“After they got all the evidence from my side, they moved quickly passing this intelligence back to their contacts in Ukraine and Russia. As a result of this overnight operation, all six new servers in Ukraine and the original Russian server were dead as of today, 18 July,” Mushtaq wrote in a blog post.

“The primary server located in Russia was not taken down by their ISP, GAZINVESTPROEKT LTD. It was their upstream provider who finally came in and null routed the IP address at our request.”

Many now expect to see a dip in spam as a result of Grum’s demise. The latest figures from M86 Security showed it was responsible for 17.4 percent of worldwide spam traffic. Data from Spamhaus showed that prior to the takedown, Grum consisted of around 120,000 bots pushing out spam, but there were most likely more bots connected to the malicious network.

Mushtaq said the collaborative effort showed that even in countries where ISPs are less cooperative with the good guys, botnet infrastructure could be dismantled. “When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders,” he added.

“There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox.”

Spam has seen a dip over the last year, following action against some massive botnets. Other recent major takedowns have included Rustock and Kelihos.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
