The FireEye Malware Intelligence Lab reports that the Grum botnet, the world's third largest spam botnet, has finally been knocked offline. Grum was reportedly responsible for close to 18-percent of the world's spam and had control of at least 100K active infected machines. Now all known command and control (CnC) servers are eliminated, leaving their infected zombies impotent, the firm reports.
Atif Mushtaq, a senior staff scientist at FireEye, was directly involved in the takedown. He reports that on Tuesday, they took down part of the botnet, tackling command and control (C&C) servers in the Netherlands and Panama. However part of the botnet continued to thrive in Russia via one remaining C&C server, and eventually 7 new C&C servers were spun up in Russia and the Ukraine Tuesday afternoon in response to the Panama take down.
FireEye, working with Russian CERT and SpamHaus, found each of these new C&C servers and knocked them offline as of 11 a.m. PT Wednesday morning, signaling the full shut down of the botnet. Grum does not have any apparent fall back mechanisms either, which would allow it spin back up easily in the days to come, he said.
To get the C&C servers shut down in Russia, FireEye took a "heavy handed approach" in working with Russian ISPs and domain registrars. He said the primary Russian server was not taken down by their ISP, GAZINVESTPROEKT LTD. Instead, it was their upstream provider who finally came in and null routed the IP address at FireEye's request.
"According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam with fade away as well," Mushtaq wrote in his blog on Wednesday.
FireEye said it has already noted a decline in activity from another spam botnet, the world's largest – Lethic - as a result of Wednesday's take down. "Taking down C&C servers in Russia is a big deal," the company stated. "FireEye believes that botnet groups will no longer see Russia and the Ukraine as a 'safe haven' for their operations."
"There are no longer any safe havens," Mushtaq added. "Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox."
We'll do that, thanks.