The Grum botnet has been one of the most prominent distributors of spam for years, ranking third in terms of world spam volume. Yesterday, network security corporation FireEye reported that all of Grum’s command and control servers (or CnC’s) had been taken down after a weeks-long effort. Thanks to the work of a number of individuals who contributed to the takedown, we may see a significant decrease in the volume of the world’s spam in the coming months.
For those of you who are unfamiliar with the term “botnet” and how it relates to spam-distribution, here’s a brief summary: A botnet is a network of computers infected with a type of malware that allows one central computer to control the actions of the entire botnet. Spammers then use the botnet to distribute spam. It’s basically computer mind-control.
One such botnet, known as the Grum botnet, has been distributing pharmaceutical spam-emails since roughly 2008. In early 2010, it was estimated that 33.3% of the world’s spam volume could be attributed to Grum. That percentage has since fallen to 17.4% as of early July, making it the world’s third largest botnet (behind the Cutwail and Lethic botnets).
FireEye, a company that assisted with the takedowns of botnets such as Rustock and Mega-D, released a great deal of information they had gathered about Grum on the company’s blog last Monday, July 9. This post detailed multiple aspects of the botnet’s infrastructure, including its general structure, its CnC servers’ IP addresses, and the strong and weak points in its security strategy. According to the article, there were two “master” command and control servers in Panama and Russia, as well as five “secondary” CnC’s located in the Netherlands. These nations are known for their lax attitude toward botnets, making it difficult to shut down the servers. There were also a number of key weaknesses in the botnet, such as a lack of any fallback servers. “If I were to rank Grum’s takedown difficulty level from one to five where five is the most difficult, I would give Grum a two,” says Atif Mushtaq in the post. He goes on to deliver this hopeful statement:
“Can we dream of a junk-free mailbox? Guess what—it’s just a few takedowns away. In my opinion, taking down the top three spam botnets—Lethic, Cutwail, and Grum—is enough for a rapid and permanent decline in worldwide spam level. We still have to deal with small players, but I am sure that, after seeing the big players being knocked down, they will retreat as well.”
On Monday the 16th, Mushtaq made another post titled, “Grum CnC’s–Just a Few More to Go.” Authorities in the Netherlands shut down two servers responsible for giving instructions to the “bot” computers comprising the botnet. Without these servers, the network was crippled, but not dead. There remained the two active “master” servers in Panama and Russia. Mushtaq vowed that FireEye was “monitoring Grum’s activities on a 24/7 basis.” The team at FireEye was working tirelessly to bring down the botnet giant.
Yesterday, it was confirmed that Grum had been taken down for good in another post by Mushtaq. On Tuesday morning, he received confirmation that Grum’s Panamanian Internet service provider had blocked the IP address of one of the two master servers. This piece of good news was followed by some bad news, however. In response to the Panamanian takedown, Grum moved its remaining master server to Ukraine and set up an additional six servers to compensate for the botnet’s losses. FireEye shared all its information regarding Grum with Carel Van Straten and Thomas Morrison of Spamhaus, Alex Kuzmin of CERT-GIB, and an independent researcher who goes by “Nova7.” The team led an overnight operation to eradicate the remaining servers. As of 11:00 AM PST of July 18, all seven of Grum’s servers were confirmed dead. Mushtaq leaves us with this message to spammers:
“Stop sending us spam. We don’t need your cheap Viagra or fake Rolex. Do something else, work in a Subway or McDonalds, or sell hotdogs, but don’t send us spam.”
Grum is, of course, just one drop in the ocean of botnets and spammers; it’s a big drop, but a drop nonetheless. There are many more botnets waiting to take Grum’s place and keep filling our inboxes with all manner of things we don’t want. We need to send a message to spammers the world over that we don’t want their irritating advertisements. We need to send them a message by refusing to submit to their schemes and refusing to support them with our credit cards.
- Spam at lowest level since 2008
- Learn some more about botnets with this infographic
- FBI disables botnet Coreflood
- Operation Shady Rat is scary. Be scared!