Dutch authorities shut down an important part of the Grum spam botnet a week after security firm FireEye recommended swiftly striking Grum and other major spam networks to potentially eliminate most of the world's junk email.
FireEye Malware Intelligence Lab researcher Atif Mushtaq reported Monday that Dutch authorities "pulled the plug" on two of the Grum botnet's command-and-control (CnC) servers "pointing to IP addresses 220.127.116.11 and 18.104.22.168."
Without a CnC server to instruct them, Mushtaq said, a portion of the Grum network of infected, spam-generating "zombie" PCs will soon become inert as the master server's spam template times out in the network memory.
"Ideally this should stop these bots from sending more spam. I am sure the absence of the spam sent by the world's third largest spam botnet will have a significant impact on the global volume," he said.
But the battle isn't over with regard to Grum, which along with Lethic and Cutwail generates most of the spam that winds up in inboxes around the globe. Mushtaq noted that Grum master servers are still operating in Russia (at IP address 22.214.171.124) and Panama (at IP address 126.96.36.199). FireEye has contacted the relevant Internet service providers about those CnC servers to no avail.
Mushtaq said that unless the rest of Grum is taken down, the botnet's operators could repair the damage done by the action taken in the Netherlands.
"The ISP/Colos involved were contacted but they ignored the abuse notifications which were sent to them even though they contained clear and complete evidence of bad behaviour," he said. "This means that using these two live servers, the bot herders might try to recover their botnets by executing a worldwide update. No action has been taken by the bot herders so far. There is complete silence from their side."
Last week, Mushtaq outlined his recommended methods for taking down Grum, adding that shutting down the three largest spam botnets would be easier than some believe and could result in the virtual elimination of junk email.
"Can we dream of a junk-free mailbox? Guess what — it's just a few takedowns away. In my opinion, taking down the top three spam botnets — Lethic, Cutwail, and Grum — is enough for a rapid and permanent decline in worldwide spam levels. We still have to deal with small players, but I am sure that, after seeing the big players being knocked down, they will retreat as well," he wrote in a post published on the FireEye blog.