One down, two more to go? On Wednesday a Russian Internet service provider took down the last master server that controlled compromised computers as part of the Grum botnet, the world's third-largest spam network responsible for more than 17 percent of unsolicited email.
If the botnet stays down, only two more spam networks need to be shuttered to make permanent a significant drop in unsolicited email, said Atif Mushtaq, senior staff scientist at security firm FireEye. If security researchers and Internet service providers can shut down the top two botnets, Lethic and Cutwail, spammers may never recover, he said.
"When it comes to spam botnets, this strategy is truly working," Mushtaq said. "If you take the worldwide spam level and you compare it to the level in 2008 before the McColo takedown, it is a fraction of its previous level."
The Grum takedown came thanks to details of the botnet published by FireEye earlier in July and a flaw in the botnet's architecture that made its operation contingent on three servers -- two in Panama and a third in Russia. One server had already been taken down or otherwise shut down by its operators. But as of earlier this week, the Internet service providers in Panama and Russia remained uncooperative, according to FireEye. The contrast with the cooperative Dutch network providers, who had taken out a good part of the botnet by shuttering two secondary servers, was stark. FireEye and other groups raced to apply pressure to take down the remaining master servers before the spammers could modify their infrastructure and save their botnet.
Good news came on Tuesday, when pressure from the Internet community led the Panamanian provider to disconnect the master server in that country. Because each server managed its own segment of the botnet, closure of the master server resulted in a large segment of the botnet losing its marching orders.
However, the bot herders moved quickly and began pointing secondary control servers to six new master command-and-control systems in the Ukraine.