Spamhaus Declares Grum Botnet Dead, but Festi Surges

A relatively new botnet has taken up the slack left by the shutdown in July of another major spamming botnet called Grum, according to the junk mail fighting organization Spamhaus.

The botnet, named Festi or Spamnost, has surged since the demise of Grum. Spamhaus counts at least 250,000 unique IP addresses showing signs of a Festi infection, up from around 20,000 unique IP addresses preceding Grum's takedown by security researchers.

"Since the beginning of July, the Spamhaus XBL [Exploit Block List] has seen a huge increase in Festi spamming activities," wrote Spamhaus' Thomas Morrison on the organizaton's blog on Thursday. "At the peak, during one 24-hour period the XBL detected nearly 300,000 IP addresses that were infected with Festi, out of a total of one million that were infected with some sort of spam-sending bot.

"The sheer volume of Festi spam overwhelmed spam detection processes at some security organizations," he wrote.

Spamhaus provides its XBL list to email service providers, which use it to block IP addresses that have been found to deliver malware or spam.

Festi, which Symantec detected in December 2011, is now competing with Cutwail to be the most prolific spamming botnet. Festi's rise follows a familiar pattern: As security researchers, vendors and law enforcement have notched more successes in technically interfering with botnets and taking their infrastructure offline, spammers quickly move to other botnets.

Grum, which was sending 18 billion spam messages daily, was the latest major botnet to be shut down. Spamhaus collaborated with security vendors FireEye and the Russian company Group-IB.

Grum's command-and-control servers in Panama and the Netherlands were taken offline. Grum operators quickly set up command-and-control servers in the Ukraine, suing one of the remaining servers in Russia to redirect the infection bots.

The hosting company for the Russian server did not respond to takedown requests, so its ISP dealt the final blow by halting traffic intended for the server.

Send news tips and comments to jeremy_kirk@idg.com

Subscribe to the Security Watch Newsletter

Comments