Grum botnet takedown puts spam on the run

Security firm FireEye helps bring down the world's third-largest spam botnet, and its spam drops from a deluge down to a trickle

One down, two more to go? On Wednesday a Russian Internet service provider took down the last master server that controlled compromised computers as part of the Grum botnet, the world's third-largest spam network, responsible for more than 17 percent of unsolicited email.

If the botnet stays down, only two more spam networks need to be shuttered to make permanent a significant drop in unsolicited email, said Atif Mushtaq, senior staff scientist at security firm FireEye. If security researchers and Internet service providers can shut down the top two botnets, Lethic and Cutwail, spammers may never recover, he said.

"When it comes to spam botnets, this strategy is truly working," Mushtaq said. "If you take the worldwide spam level and you compare it to the level in 2008 before the McColo takedown, it is a fraction of its previous level."

The Grum takedown came thanks to details of the botnet published by FireEye earlier in July and a flaw in the botnet's architecture that made its operation contingent on three servers -- two in Panama and a third in Russia. One server had already been taken down, or otherwise shut down by its operators. But as of earlier this week, the Internet service providers in Panama and Russia remained uncooperative, according to FireEye, in stark contrast to the cooperative Dutch network providers, who had taken out a good part of the botnet by shuttering two secondary servers. FireEye and other groups raced to apply pressure to take down the remaining master servers before the spammers could modify their infrastructure and save their botnet.

Good news came on Tuesday, when pressure from the Internet community led the Panamanian provider to disconnect the master server in that country. Because each server managed its own segment of the botnet, closure of the master server resulted in a large segment of the botnet losing its marching orders.

However, the bot herders moved quickly and began pointing secondary control servers to six new master command-and-control systems in Ukraine.

"At one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations," Mushtaq lamented in a blog post on Wednesday. "The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy."

FireEye contacted other researchers in Europe on Tuesday and shared its evidence on the Grum botnet's new home. Mushtaq and other security professionals were not hopeful, but overnight the contacts managed to find the right people and all six Ukrainian servers went down. Following that, the upstream provider of the company providing Internet access to the Russian command-and-control server (CnC) disconnected the route to that IP address as well.

As a result of the operation, spam has gone from a deluge to a trickle. Grum used to send spam from some 120,000 IP addresses every day, but that has dropped to almost 20,000, according to Spamhaus data cited by FireEye.

Will other companies target the remaining two botnets? They should, Mushtaq said.

"There are no longer any safe havens," Mushtaq said in his post. "Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox."

This story, "Grum botnet takedown puts spam on the run," was originally published at InfoWorld.