Dutch Law Begins Dismantling Grum Spam Botnet


The world’s third largest source of spam could soon be history

Dutch authorities have taken out two of the command and control (C&C) servers used by a “spam beast” botnet known as Grum, a security firm has noted.

Those two servers were used for sending instructions to bots, meaning that the world’s third largest spam botnet is likely to be cut off soon.

“With these two servers offline, the spam template inside Grum’s memory will soon time out and the zombies will try to fetch new instructions but will not be able to find them,” explained Atif Mushtaq, from the FireEye Malware Intelligence Lab, in a blog post.

“Ideally this should stop these bots from sending more spam. I am sure the absence of the spam sent by the world’s third largest spam botnet will have a significant impact on the global volume.”

Not over yet

However, the botnet will not be completely killed off until master servers in Panama and Russia are disconnected. Grum has no fallback mechanism, meaning once the master servers are dead, there is no coming back.

The ISPs hosting the servers were sent notifications of malicious behaviour on their infrastructure, which were ignored.

“This means that using these two live servers, the bot herders might try to recover their botnets by executing a worldwide update. No action has been taken by the bot herders so far. There is complete silence from their side,” Mushtaq added.

“Any attempt to recover this botnet will be noticed. I don’t know if the security community will eventually be able to take down the rest of the Grum botnet, but we are trying and trying very hard. We did not give up after the first failed attempt and will continue to contact the Russian and Panamanian authorities through different channels.”

Grum is a four-year-old botnet that has managed to avoid being taken down, despite the recent demise of some of the biggest malicious networks, including Storm and Mega-D. The latest data from M86 Security showed it was responsible for 17.4 percent of worldwide spam traffic.

Only Cutwail and Lethic send more spam, but it was the top dog back in January, when it was responsible for sending out over a third of all spam.

Spam has seen a dip over the last year, following action against some massive botnets. Other recent major takedowns have included Rustock and Kelihos.

Although dismantling infrastructure kills off specific botnet operations, arrests are viewed by the security community as the true panacea for the problem.
