
Final Blow Kills Remainder Of Grum Botnet

Command and control servers shut down in Panama, Russia, Ukraine

The massive Grum botnet best known for pumping out pharmaceutical spam was finally fully dismantled today with the shutdown of the remainder of its main command-and-control (C&C) servers in Panama and Russia.

Earlier today, FireEye said Spamhaus had led the shutdown of the Panama-based server, and in a new development, FireEye, the Russian CERT, and Spamhaus worked together this afternoon to kill off the last of the botnet -- the Russian segment. The servers there were the last to go: after the other segments had been taken down, the botnet operators had set up seven new servers in Russia and Ukraine.

Grum, which accounts for 17.4 percent of worldwide spam and is nearly four years old, lost its C&C servers in the Netherlands earlier this week when a Dutch ISP cut them off after researchers from FireEye published their findings on the botnet's infrastructure.

According to M86 Security data, the botnet was the third-most prolific in the world, after a stint as the No. 1 botnet in January, when it accounted for a third of all spam worldwide. The botnet most recently had some 100,000 active bots, according to FireEye.

The two C&C servers in the Netherlands had sent spam instructions to the bots, so when they went offline, the master C&C servers in Panama and Russia picked up the slack, as researchers had expected them to do.

From then on, it was a battle of wits between the Grum botnet operators and the research community.

Even better news is that botnet hunters were able to pull the plug on the servers in Russia and Ukraine, a region favored by cybercriminals. FireEye says this should scare other botnet groups a bit, demonstrating that this region isn't such a safe haven after all.

"So what have I learned from this takedown? When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time," said Atif Mushtaq, senior staff scientist at FireEye, in a blog post last night.

Meanwhile, in the wake of the Grum takedown, FireEye says it has seen a drop in spamming from Lethic, the world's largest botnet.

FireEye says Grum doesn't have any apparent backup infrastructure in place, so it is unlikely to rebound any time soon. But a botnet takedown is rarely, if ever, permanent. Even when a botnet is completely disabled, the operators simply go elsewhere and start over. Still, security experts say the dismantlement strategy is effective, even if its results are mostly temporary.

[ Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet. See Botnet Takedowns Can Incur Collateral Damage. ]

"I'm all for governments and law enforcement taking an active role in hunting these botnets down. They are always going to be somewhat successful, and it's not a bad use of resources," says Ron Gula, CEO at Tenable Security. "But nothing is changing. We're still really vulnerable, and they are coming in with client-side attacks."

Gula says there's plenty more going on behind the scenes with botnets. "Sure, we can find botnets called Grum and Cutwail, but if I was a bot herder, I would have multiple types of botnets lying around dormant. I'd turn them on" when I needed them, he says.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
