Grum Botnet Shutdown Sharply Cuts Spam Levels, but for How Long?

Servers controlling the Grum botnet are out of commission, knocking one of the world's most active spam distribution botnets offline.

One of the world's largest spamming botnets has been knocked out of commission€”though it is unclear just how long the respite users may be seeing from spam will last.

Grum, which may have been responsible for roughly 20 percent of the world's spam, has been taken offline. Dutch authorities got the ball rolling July 16 when they took down two of the command-and-control (C&C) servers to IP addresses and, which researchers at IT security company FireEye had linked to the notorious botnet.

This was only a partial victory, however, as master C&C servers in Panama and Russia were still operating. Then the server in Panama was shut down the following day. However, some bad news arrived as several new servers had emerged in the Ukraine to take the place of the servers that had been taken offline. That move only bought the botnet's operators a day, however, as the servers in the Ukraine and the one in Russia were taken down July 18.

"Eighteen percent of worldwide spam from Grum [is now] completely offline," said Atif Mushtaq, senior staff scientist at FireEye. "We've seen the number of infected machines sending emails drop from 120,000 to 20,000 to zero. In addition, reports from SpamHaus and Trustwave indicate that the Lethic botnet has gone underground. Overall, we're seeing a global reduction in spam of about 50 percent€”the lowest levels ever."

Grum's name can be added to a list of botnets that have been taken down due to the efforts of the research community. In the past three years, Microsoft for example had spearheaded an effort to take botnet operators to court, and has helped successfully target the operators of Kelihos, Rustock Waledac and a Zeus botnet.

€œThis illustrates again that the private sector is increasingly getting involved in cyber-defense issues,€ commented Kapil Raina, director of product marketing at security firm Zscaler. €œTraditionally, government entities monitored and pursued these entities, but now we are starting to see a dramatic shift in the private sector community directly getting involved to protect end users. In the short term, this will be very beneficial for consumers, but longer-term implications of legal policy and enforcement have yet to be sorted out.€

In the case of Grum, the success of the takedown shows that spammers do not have the safe havens they once had, Mushtaq opined. He admitted he was briefly stunned when the bot herders replaced the two Dutch servers with the six in the Ukraine, a place that traditionally has been a safe spot for bot herders and where getting servers shut down has never been easy.

"I immediately shared this new information with three different parties€”Carel van Straten and Thomas Morrison from Spamhaus, Alex Kuzmin from CERT-GIB, and an anonymous researcher who goes by the pseudonym Nova7," Mushtaq noted in a blog post. "After they got all the evidence from my side, they moved quickly passing this intelligence back to their contacts in Ukraine and Russia. As a result of this overnight operation, all six new servers in Ukraine and the original Russian server were dead as of today, July 18, at 11:00 AM PST."

The primary server located in Russia was not taken down by their ISP, but by an upstream provider who came in and null-routed the IP address at FireEye's request, the researcher added.

"The takedown of the Grum botnet should last; we reverse-engineered Grum and determined there are no adaptive mechanisms for the infected machines to communicate with the new servers," Mushtaq told eWEEK.

Historical trends however show that spam levels will not stay down forever, usually kicking back up about four to six weeks after a takedown, said Adam Wosotowsky, messaging data architect at McAfee Labs.

"That being said, lately botnet shutdowns have tended to push botmasters away from spam and more towards persistent infections and exfiltrating of intellectual property," he said. "It's safer for the botnet and can probably produce more money. This time around I would not expect for the recovery in spam to be quite as fast as it has been in the past, for just that reason."