Skip to main content

World's spam shorn by a fifth as Grum botnet is taken down

The world's third-largest spam-generating network was knocked offline on Wednesday, according to a security researcher who was directly involved with the takedown of the once formidable Grum botnet's infrastructure in three countries.

"I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned," FireEye Malware Intelligence Lab researcher Atif Mushtaq wrote in a blog post.

Until this week, Grum's servers based in Russia, Panama, and the Netherlands were estimated to control at least 100,000 infected "zombie" PCs, or bots, responsible for as much as 18 per cent of the world's spam. Immediately before the takedown, Grum ranked behind only the Cutwail and Lethic spam botnets in size, though as recently as January of this year Grum was considered the world's most active spam generator.

Mushtaq outlined the steps it would take to knock out Grum in a FireEye post last week, then reported on Monday that Dutch authorities had shut down two of Grum's CnC servers in the Netherlands. On Tuesday, a Panamanian ISP playing host to one of Grum's principle CnC servers "buckled under the pressure applied by the community" and pulled the plug, according to the researcher, leaving only the botnet's now crippled infrastructure in Russia to contend with as of Wednesday.

But the takedown mission suffered a setback as "six new CnC servers were spun up in the Ukraine" on Tuesday in response to the server shutdown in Panama, according to a FireEye spokesperson. That meant FireEye now had seven Grum servers to try to dismantle, including the original one hosted in Russia.

So Mushtaq called in the cavalry.

"FireEye, working with Russian CERT-GIB and Spamhaus, found each of these new CnC servers, took a heavy-handed approach in working with Russian ISPs and domain registrars, and took them down as of 11am PT this morning, signaling the full shut down of the botnet," the spokesperson said.

Mushtaq also reported that there's been a nice bonus result from the takedown—spam activity from the world's largest spam botnet, Lethic, has declined noticeably since the plug was pulled on Grum, he said.

The researcher, who has participated in previous takedowns of spam botnets like Srizbi and Rustock, credited "the efforts of many individuals" for the takedown of Grum, singling out Carel Van Straten and Thomas Morrison from Spamhaus, Alex Kuzmin from CERT-GIB, and anonymous security researcher Nova7 for their work over the past few days.

While some of the bots once controlled by Grum servers are still sending spam as of Wednesday, Mushtaq said that should peter out as the network's template memory times out.

"According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has been reduced to 21,505. I hope that once the spam templates expire, the rest of the spam with fade away as well," he said.

FireEye also believes it will be tough for Grum's architects to resurrect their botnet anytime soon.

"The botnet does not have any apparent fall back mechanisms that would allow it to spin back up easily in the days to come," the security firm's spokesperson said.