Dutch authorities have shut down two command-and-control (C&C) servers used by Grum, one of the world’s top spam producers.
However, the threat remains active as other C&C servers used by the spam-spewing botnet are still active, according to a security researcher.
Last week, Atif Mushtaq, senior staff scientist at security firm FireEye, posted on the company’s Malware Intelligence Lab blog the IP addresses of four C&C servers controlling the Grum botnet. Two servers in the Netherlands served as secondary command hubs, while one in Russia and another in Panama acted as Grum’s primary servers, he said.
Not long after, Dutch police pulled the plug on the two secondary servers.
Grum is configured so that the primary units push configuration updates to infected computers, while the secondary servers provide specific instructions on which spam messages to send. That means the Dutch takedown will prevent zombie machines from delivering spam, which should have a huge impact on the global volume of unsolicited email.
However, since the primary servers are still operating, Grum’s botmasters can theoretically try to recover its network of compromised PCs by using the remaining ones to push out an update to the zombies, Mushtaq said Tuesday in another blog post. The update could provide IP addresses of new secondary hubs, if the botmasters decide to erect new ones.
The good news is that the bot herders haven’t taken action yet.
“There is complete silence from their side,” Mushtaq wrote.
But, it’s remains unclear if the two servers going offline have crippled the botnet. Grum has no failback mechanism, and has just a few IPs hardcoded into the binaries, Mushtaq wrote. The botnet is divided into small segments, so even if some servers remain active, other parts may be unable to get back online.
Grum is the world’s third-largest spam botnet in terms of spam volume, accounting for 17 percent of total unwanted emails flooding inboxes every day, he said. Its first version appeared in early 2008 and it eventually rose to prominence after companies, such as Microsoft, and law enforcement authorities disabled Rustock and other spam botnets.
Recently, Grum briefly overtook the Lethic botnet for the top slot, according to security and compliance vendor Trustwave’s spam statistics. Grum, Cutwail and Lethic are currently the three most active spam-sending botnets, and Trustwave estimated Grum may have been responsible, before the takedown, for 35 percent of the world’s spam traffic.
Phil Hay, a Trustwave researcher, told SCMagazine.com on Tuesday that he didn’t have an idea of the botnet’s prevalence in the United States, but pegged it “in the order of tens to hundreds of thousands [of zombie machines].”