Cybercriminals no longer control one of the world’s largest spam botnets, Grum, because all of the servers the botnet relied on for receiving commands were shut down, according to researchers from security firm FireEye.
The last Grum command and control servers, six located in Ukraine and one in Russia, were offline as of Wednesday, FireEye senior staff scientist Atif Mushtaq said in a blog post. This leaves all of the Grum-infected computers orphaned, he said.
FireEye collaborated in the takedown effort with the Spamhaus Project, a nonprofit organization dedicated to tracking spammers, the Computer Security Incident Response Team of Russian security firm Group-IB (CERT-GIB) and an independent researcher.
Grum was the third largest spam botnet in terms of the number of unique IP (Internet Protocol) addresses associated with it, Spamhaus investigator Vincent Hanna said Thursday via email.
Before the takedown, the organization used to see Grum spam messages originating from 100,000 to 120,000 IPs every day and approximately 500,000 every week. The messages mainly promoted fake prescription drugs.
“We now see only a few leftovers,” Hanna said. “These would be infected machines that are finishing their last payloads.”
According to FireEye, Grum was responsible for around 18 percent of the global spam volume, which means that it was sending approximately 18 billion spam messages every day.
However, the effect of Grum’s takedown on the global spam volume remains to be seen, as there are other botnets that are very efficient at sending spam and could fill the void, Hanna said.
FireEye launched the Grum takedown effort on July 9. At the time, Grum relied on four command and control servers: one located in Panama, one in Russia and two in the Netherlands.
First, the servers located in the Netherlands were shut down by the company hosting them, crippling Grum operators’ ability to issue new spamming commands to the botnet.
Then on Tuesday, the Grum server in Panama was disconnected by its ISP, leading to cybercriminals losing control over a segment of the botnet, Mushtaq said.
The Grum operators responded by setting up six additional servers in Ukraine and using the remaining Russian server to point the infected computers to them.
“Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy,” Mushtaq said.
“Most of the spam botnets that used to keep their CnCs [command and control servers] in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones,” Mushtaq said. “We have proven them wrong this time.”
The server in Russia appears to have been the primary one and shutting it down proved to be the hardest. The company hosting it was unresponsive, so its ISP eventually intervened and stopped routing traffic for the server’s IP address.
The FireEye researchers hope that the takedown is permanent, because unlike other botnets, Grum doesn’t have any apparent fallback mechanism that its operators can use to regain control.
“However, people who can build a botnet this strong can certainly create a new one,” Hanna said.