Security researchers join forces to bring down Grum botnet
Security researchers have collaborated to take down Grum, the world’s third-largest botnet of hijacked computers
The Grum botnet is believed to have been responsible for around 18% of global spam, or 18 billion spam messages a day.
Computer security experts blocked the botnet’s command and control servers in the Netherlands and Panama on Tuesday, but seven new command and control centres were immediately set up in Russia and Ukraine, according to the New York Times.
Security firm FireEye said it worked with its counterparts in Russia and with Spamhaus, the organisation that tracks and blocks spam, to take down those command and control centres the following day.
"I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned," Atif Mushtaq, a computer security specialist at FireEye, wrote in a blog post.
"When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders," he said.
Before the takedown, Spamhaus reported 120,000 Grum IP addresses sending spam each day, but Mushtaq said that 120,000 IP addresses cannot be taken as the total size of the Grum botnet.
"120,000 IP addresses constituted only the zombies actively sending spam. In many corporate and ISP environments, outgoing e-mail traffic is blocked by default so a big portion of the Grum botnet never sends any spam, but the bot herders use them for hosting their promotional websites," he said.
According to Mushtaq, most of the spam botnets that used to keep their command and control servers in the US and Europe have moved to countries like Panama, Russia and Ukraine, thinking that no-one can touch them.
"We have proven them wrong this time," Mushtaq said.
Similar collaborative efforts have resulted in takedowns of the Waledac botnet in 2010 and the Rustock, Kelihos and Zeus botnets in 2011 and 2012.