Grum botnet briefly revived, killed by authorities yet again

Grum, the third largest known botnet, was taken down last week. Those behind Grum attempted to bring it back this week, but security researchers stepped in and put it back into the ground once again.

Last week, authorities took down Grum, the world's third largest botnet at the time. The cybercriminals responsible for the malicious network attempted to bring it back yesterday, but thankfully officials stepped in and killed it again.

In the absence of any built-in fallback mechanisms, Grum's botnet herders paid the Ukrainian ISP SteepHost to remove the null route on three Command and Control (C&C) servers. FireEye suspects the cybercriminals paid a large amount of money in order to get access to the servers.

After hours of negotiations, FireEye managed to convince SteepHost to shut down the C&C servers once more. As you can see in the chart above, there was a short burst of spam sent by Grum during this time, but activity has once again been reduced to nothing.

Grum originally had four C&C servers. First Dutch authorities took down the two in the Netherlands, then the server in Panama fell, and although six new ones were set up in Ukraine, authorities moved quickly to kill those as well as the remaining Russian one. While an attempt was made to bring back some of the Ukrainian servers this week, I think it's safe to say that Grum is as good as gone, since the main servers cannot be recovered.

"A strong warning has been given to SteepHost that if something like this happens again, a complaint will be filed with their upstream provider which might de-peer them off the Internet," a FireEye spokesperson said in a statement. "Alternatively their whole subnet can be blacklisted which could cause some serious damage to their business."
