Final Blow Kills Remainder Of Grum Botnet

Command and control servers shut down in Panama, Russia, Ukraine

The massive Grum botnet best known for pumping out pharmaceutical spam was finally fully dismantled today with the shutdown of the remainder of its main command-and-control (C&C) servers in Panama and Russia.

Earlier today, FireEye said Spamhaus had led the shutdown of the Panama-based server, and in a new development, FireEye, the Russian CERT and Spamhaus worked together to kill off the last of the botnet this afternoon -- the Russian segment. The servers there were the last to go, after the botnet operators set up seven new ones in Russia and the Ukraine after the other segments had been taken down.

Grum, which accounts for 17.4 percent of worldwide spam and is nearly four years old, earlier this week lost its C&C in the Netherlands when a Dutch ISP cut them off after researchers from FireEye published their findings on the botnet's infrastructure.

The botnet was the third-most prolific botnet in the world, after a stint as the No. 1 botnet in January, with a third of all spam worldwide, according to M86 Security data. The botnet most recently had some 100,000 active bots, according to FireEye.

The two C&C servers in the Netherlands had sent spam instructions to the bots, so when they went offline, that left master C&C servers in Panama and Russia to pick up the slack, which researchers had expected them to do.

From then on, it was a battle of wits between the Grum botnet operators and the research community.

The even better news is that botnet hunters were able to pull the plug on the servers in Russia and the Ukraine, a region favored by cybercriminals. FireEye says this should scare other botnet groups a bit, demonstrating that this region isn't such a safe haven after all.

"So what have I learned from this takedown? When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time," said Atif Mushtaq, senior staff scientist at FireEye in a blog post last night.

Meanwhile, in the wake of the Grum takedown, FireEye says it has seen a drop in spamming from Lethic, the world's largest botnet.

FireEye says Grum doesn't have any apparent backup infrastructure in place to rebound any time soon. But a botnet takedown is rarely, if ever, permanent. Even when a botnet is completely disabled, the operators just go elsewhere and start all over again. Still, security experts say the dismantlement strategy is effective, even if it's mostly temporary.

[ Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet. See Botnet Takedowns Can Incur Collateral Damage. ]

"I'm all for governments and law enforcement taking an active role in hunting these botnets down. They are always going to be somewhat successful, and it's not a bad use of resources," says Ron Gula, CEO at Tenable Security. "But nothing is changing. We're still really vulnerable, and they are coming in with client-side attacks."

Gula says there's plenty more going on behind the scenes with botnets. "Sure, we can find a botnet called Grum and Cutwail, but if I was a bot herder, I would have multiple types of botnets laying around dormant. I'd turn them on" when I needed them, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights