Officials attack Grum: World's third largest botnet (18% of spam)
Update on July 24 - Grum botnet briefly revived, killed by authorities yet again
Dutch authorities this week took down two of the Command and Control (C&C) servers pointing to IP addresses 94.102.51.226 and 94.102.51.227. These were responsible for the world's third biggest spam-producing botnet: Grum. Unfortunately, the action was not a complete one, as the botnet has nerve centers outside of the Netherlands: two other C&C servers are still operational (one in Panama and one in Russia).
Nevertheless, given that this botnet was responsible for 18 percent of the world's spam, security researchers believe we should see an overall drop in the volume of spam. These two C&C servers in particular were responsible for sending spam instructions to the zombie computers. Now that they have been taken offline, the spam template inside Grum's memory will eventually time out and the zombies will try to fetch new instructions which do not exist.
In an ideal world, this should stop the bots from sending anymore spam. This is nothing to get too excited about as the numbers will of course quickly climb back up. They will either be replaced once Grum is fixed or other botnets come in to replace what has been lost.
"The ISP/Colos involved were contacted but they ignored the abuse notifications sent to them, even though they contained clear and complete evidence of bad behaviour," a FireEye spokesperson said in a statement. "This means that using these two live servers, the bot herders might try to recover their botnets by executing a worldwide update. No action has been taken by the bot herders so far. There is complete silence from their side. Here at FireEye labs, we are monitoring Grum's activities on a 24/7 basis. Any attempt to recover this botnet will be noticed. I don't know if the security community will eventually be able to take down the rest of the Grum botnet, but we are trying and trying very hard."
Update at 6:30PM PST - The botnet is now completely down, FireEye has confirmed. First the server in Panama was taken down, and although six new ones were setup in Ukraine, authorities moved quickly to kill those as well as the remaining Russian one.
"I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned," a FireEye spokesperson said in a statement. "According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. 120,000 IP addresses constituted only the zombies actively sending spam. In many corporate and ISP environments, outgoing email traffic is blocked by default so a big portion of the Grum botnet never sends any spam, but the bot herders use them for hosting their promotional websites."
Update on July 24 - Grum botnet briefly revived, killed by authorities yet again
See also:
- Apple iOS in-app purchases hacked; everything is free (video)
- Android Forums hacked: 1 million user credentials stolen
- Yahoo fixes flaw behind 450,000 account hack
- The top 10 passwords from the Yahoo hack: Is yours one of them?
- Nvidia confirms hackers swiped up to 400,000 user accounts
- Minecraft account impersonation security flaw disclosed, fixed