
Grum botnet dead after remaining servers are shut off


The prolific spam botnet Grum is officially offline, according to security firm FireEye.

FireEye and spam-tracking nonprofit Spamhaus worked with local internet service providers (ISPs) in Panama, Russia and Ukraine to shut down the remaining command-and-control (C&C) servers powering the botnet, Atif Mushtaq, a senior staff scientist with FireEye, said in a blog post on Wednesday.

Earlier this week, Dutch police seized two of the four C&C hubs that controlled Grum. Since the remaining two servers were located in Panama and Russia, the botnet was crippled, but not disabled, Mushtaq said at the time.

The permanent takedown now is "sending a strong message to all the spammers: Stop sending us spam," Mushtaq wrote. "We don't need your cheap Viagra or fake Rolex[es]."

With all the C&C servers offline, Grum is officially dead.

The compromised computers are still infected with the malware, but they are harmless because they can no longer communicate with the C&C servers, Mushtaq said on Thursday via email. The Grum trojan was not adaptive, meaning there is no longer a way to update its communication parameters to point to other servers.

The malware is akin to "benign tumors" at this point, making the machines bloated but not causing any harm, he said.

"We should not see Grum revive," he added.

The only way Grum could reappear is if the gang behind it, which has not been caught, rebuilds it from scratch by infecting thousands of machines again, Mushtaq said.


For this latest takedown, the ISP in Panama caved to "pressure applied by the [security] community" and took the server offline, Mushtaq said. The botmasters reacted quickly and used the remaining Russian server to instruct the infected computers under their control to point to six new servers in Ukraine.

"So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations," Mushtaq wrote.
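Two points in the account above matter to a defender: infected machines keep trying to reach the dead C&C servers (so those connection attempts identify hosts that still need cleanup), and the bot herders were able to re-point the botnet to new servers once, so a C&C address list has to be refreshed and re-applied to logs. The following is an added example, not FireEye's or Spamhaus's code; the log lines and all IP addresses are constructed placeholders from documentation ranges, since the article publishes no indicators.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article): outbound
# connection records with source and destination addresses.
SAMPLE_LOG = """\
Jul 19 10:01:02 fw1 kernel: DENY OUT src=10.0.5.21 dst=192.0.2.10 proto=TCP dport=80
Jul 19 10:01:09 fw1 kernel: ALLOW OUT src=10.0.5.21 dst=93.184.216.34 proto=TCP dport=443
Jul 19 10:03:15 fw1 kernel: DENY OUT src=10.0.5.21 dst=192.0.2.10 proto=TCP dport=80
Jul 19 10:04:44 fw1 kernel: DENY OUT src=10.0.7.8 dst=198.51.100.7 proto=TCP dport=80
Jul 19 10:05:01 fw1 kernel: DENY OUT src=10.0.7.8 dst=203.0.113.55 proto=TCP dport=80
Jul 19 10:07:30 fw1 kernel: ALLOW OUT src=10.0.9.3 dst=93.184.216.34 proto=TCP dport=443
Jul 19 10:08:12 fw1 kernel: DENY OUT src=10.0.11.4 dst=203.0.113.55 proto=TCP dport=80
"""

# Placeholder C&C address lists (constructed; the article gives no IPs).
# CC_FIRST_WAVE stands in for the servers known before the re-pointing;
# CC_SECOND_WAVE adds a placeholder for the new servers the bots were sent to.
CC_FIRST_WAVE = {"192.0.2.10", "198.51.100.7"}
CC_SECOND_WAVE = CC_FIRST_WAVE | {"203.0.113.55"}

LINE_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)")


def parse_connections(log_text):
    """Yield (src, dst) address pairs; lines without both fields are skipped."""
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.group("src"), match.group("dst")


def find_beaconing_hosts(log_text, cc_addresses):
    """Return {internal_host: attempt_count} for hosts that tried to reach a listed C&C address."""
    cc = {ipaddress.ip_address(a) for a in cc_addresses}
    hits = defaultdict(int)
    for src, dst in parse_connections(log_text):
        try:
            dst_addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed address in the log line; ignore it
        if dst_addr in cc:
            hits[src] += 1
    return dict(hits)


def newly_flagged(log_text, old_list, new_list):
    """Hosts that only become visible after the C&C list is refreshed."""
    before = set(find_beaconing_hosts(log_text, old_list))
    after = set(find_beaconing_hosts(log_text, new_list))
    return after - before


if __name__ == "__main__":
    print("first-wave list:", find_beaconing_hosts(SAMPLE_LOG, CC_FIRST_WAVE))
    print("second-wave list:", find_beaconing_hosts(SAMPLE_LOG, CC_SECOND_WAVE))
    print("hosts missed until list refresh:", newly_flagged(SAMPLE_LOG, CC_FIRST_WAVE, CC_SECOND_WAVE))
```

Run against the first-wave list, the script flags two internal hosts; with the refreshed list a third host appears, which is the practical consequence of the re-pointing described above: a takedown-era indicator list that is not updated leaves still-infected machines unnoticed.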

FireEye worked with Russia's CERT-GIB, Spamhaus and an anonymous researcher to identify the new servers. It then coordinated with local ISPs and domain registrars to take down the remaining servers.

Before the dismantling, Grum accounted for about 17 percent of the world's total spam volume and was one of the top three botnets in terms of volume sent.
