7/18/2012 06:03 PM

Final Blow Kills Remainder Of Grum Botnet

Command and control servers shut down in Panama, Russia, Ukraine

The massive Grum botnet, best known for pumping out pharmaceutical spam, was finally fully dismantled today with the shutdown of the remainder of its main command-and-control (C&C) servers in Panama, Russia and Ukraine.

Earlier today, FireEye said Spamhaus had led the shutdown of the Panama-based server. This afternoon, in a new development, FireEye, the Russian CERT and Spamhaus worked together to kill off the last segment of the botnet, the Russian one. Those servers were the last to go: after the other segments had been taken down, the botnet operators had set up seven new servers in Russia and Ukraine.

Grum, which accounted for 17.4 percent of worldwide spam and is nearly four years old, earlier this week lost its two C&C servers in the Netherlands when a Dutch ISP cut them off after FireEye researchers published their findings on the botnet's infrastructure.

Grum was the third-most prolific botnet in the world, after a stint as the No. 1 botnet in January, when it accounted for a third of all spam worldwide, according to M86 Security data. It most recently had some 100,000 active bots, according to FireEye.

The two C&C servers in the Netherlands had been the ones sending spam instructions to the bots. When they went offline, the master C&C servers in Panama and Russia picked up the slack, as researchers had expected them to.
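The tiered layout just described (secondary servers handing out spam instructions, master servers taking over when those are cut off) has a consequence on the defender's side: after a takedown, an infected host stops reaching the old addresses and starts beaconing to a fallback at a steady interval. The following is an added example, not FireEye's or Dark Reading's code, that runs that check over connection-log lines. The C&C addresses, internal hosts, log format and jitter threshold are all constructed for illustration.

```python
"""Spot bots failing over to a new C&C after a takedown.

Added example. It models the tiered layout the article describes:
secondary C&C servers hand out instructions, master servers take over
once those go offline. From the defender's side, a host that previously
reached the taken-down addresses and then beacons elsewhere at a regular
interval is a likely failover. All addresses and log lines are made up.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Hypothetical addresses of the secondary C&C servers that were cut off.
TAKEN_DOWN_CNC = {"198.51.100.10", "198.51.100.11"}

# Constructed outbound-connection log format: "<ts> <src> -> <dst>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Constructed sample: 10.0.0.5 loses its C&C at 09:20 and moves to
# 203.0.113.7 every ten minutes; 192.0.2.77 is ordinary irregular traffic;
# 10.0.0.9 beacons steadily but never touched a taken-down server.
SAMPLE_LOG = """\
2012-07-16 09:00:00 10.0.0.5 -> 198.51.100.10:80
2012-07-16 09:10:00 10.0.0.5 -> 198.51.100.10:80
2012-07-16 09:12:00 10.0.0.5 -> 192.0.2.200:443
2012-07-16 09:20:00 10.0.0.5 -> 198.51.100.11:80
2012-07-16 09:30:00 10.0.0.5 -> 203.0.113.7:80
2012-07-16 09:31:00 10.0.0.5 -> 192.0.2.77:443
2012-07-16 09:33:00 10.0.0.5 -> 192.0.2.77:443
2012-07-16 09:40:00 10.0.0.5 -> 203.0.113.7:80
2012-07-16 09:50:00 10.0.0.5 -> 203.0.113.7:80
2012-07-16 09:58:00 10.0.0.5 -> 192.0.2.77:443
2012-07-16 10:00:00 10.0.0.5 -> 203.0.113.7:80
2012-07-16 09:05:00 10.0.0.9 -> 192.0.2.50:443
2012-07-16 09:15:00 10.0.0.9 -> 192.0.2.50:443
2012-07-16 09:25:00 10.0.0.9 -> 192.0.2.50:443
this line is deliberately malformed and must be skipped
"""


def parse_log(text):
    """Return (timestamp, src, dst, port) tuples sorted by time; skip junk."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; ignore it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["port"])))
    events.sort()
    return events


def find_failover_candidates(events, known_cnc, min_beacons=3, max_jitter=0.2):
    """For each host that reached a known C&C, list the destinations it
    beacons to afterwards with low interval jitter (pstdev / mean)."""
    # Last time each host reached any of the taken-down addresses.
    last_seen = {}
    for ts, src, dst, _ in events:
        if dst in known_cnc:
            last_seen[src] = max(ts, last_seen.get(src, ts))

    result = {}
    for src, cutoff in last_seen.items():
        per_dst = defaultdict(list)
        for ts, s, dst, _ in events:
            if s == src and ts > cutoff and dst not in known_cnc:
                per_dst[dst].append(ts)
        flagged = []
        for dst, times in per_dst.items():
            if len(times) < min_beacons:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
            if jitter <= max_jitter:
                flagged.append((dst, len(times), mean))
        if flagged:
            result[src] = sorted(flagged)
    return result


if __name__ == "__main__":
    for host, hits in find_failover_candidates(parse_log(SAMPLE_LOG), TAKEN_DOWN_CNC).items():
        for dst, count, interval in hits:
            print(f"{host} likely failed over to {dst}: {count} beacons, ~{interval:.0f}s apart")
```

Only hosts that actually reached the taken-down addresses are examined, so the steadily beaconing 10.0.0.9 is not reported; that scoping is what separates "this bot moved to its fallback C&C" from generic periodic-traffic hunting, which would need its own allowlisting of update checks and monitoring agents.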

From then on, it was a battle of wits between the Grum botnet operators and the research community.

The even better news is that botnet hunters were able to pull the plug on the servers in Russia and Ukraine, a region favored by cybercriminals. FireEye says this should scare other botnet groups a bit, since it demonstrates that the region isn't such a safe haven after all.

"So what have I learned from this takedown? When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time," said Atif Mushtaq, senior staff scientist at FireEye in a blog post last night.

Meanwhile, in the wake of the Grum takedown, FireEye says it has seen a drop in spamming from Lethic, the world's largest botnet.

FireEye says Grum doesn't have any apparent backup infrastructure in place to rebound any time soon. But a botnet takedown is rarely, if ever, permanent. Even when a botnet is completely disabled, the operators just go elsewhere and start all over again. Still, security experts say the dismantlement strategy is effective, even if it's mostly temporary.

[ Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet. See Botnet Takedowns Can Incur Collateral Damage. ]

"I'm all for governments and law enforcement taking an active role in hunting these botnets down. They are always going to be somewhat successful, and it's not a bad use of resources," says Ron Gula, CEO at Tenable Security. "But nothing is changing. We're still really vulnerable, and they are coming in with client-side attacks."

Gula says there's plenty more going on behind the scenes with botnets. "Sure, we can find a botnet called Grum and Cutwail, but if I was a bot herder, I would have multiple types of botnets lying around dormant. I'd turn them on" when I needed them, he says.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
