One of the world's largest spam botnets still alive after suffering significant blow

Two Netherlands-based servers used by the Grum botnet were shut down, but others remain active, a researcher said

One of the world's most active spam botnets -- Grum -- was crippled after two of its command and control (CnC) servers hosted in the Netherlands were taken down, according to researchers from security firm FireEye.

"These two CnC servers were responsible for pumping spam instructions to their zombies," said FireEye senior staff scientist Atif Mushtaq in a blog post on Tuesday. "With these two servers offline, the spam template inside Grum's memory will soon time out and the zombies will try to fetch new instructions but will not able to find them."

If Grum stops sending spam, it will have a significant impact on the global spam volume, Mushtaq said. However, this might be just a temporary victory, because the botnet's creators still control two CnC servers hosted in Russia and Panama.

Grum relies on two types of control servers for its operation. One type is used to push configuration updates to the infected computers and the other is used to tell the botnet what spam emails to send. It's only the second type of servers that were shut down.

This means that Grum's operators can still theoretically use the two remaining configuration servers to update the botnet and direct it to new spam template servers. However, that hasn't happened so far.

"No action has been taken by the bot herders so far," Mushtaq said. "There is complete silence from their side."

FireEye is trying to get the remaining servers shut down. However, the ISPs in Russia and Panama that host the abusive servers have not responded to the company's notifications.

"I don't know if the security community will eventually be able to take down the rest of the Grum botnet, but we are trying and trying very hard," Mushtaq said. "We did not give up after the first failed attempt and will continue to contact the Russian and Panamanian authorities through different channels."

The first versions of the Grum malware appeared in early 2008, which makes Grum one of the oldest botnets still active.

Over the years, the botnet has managed to fill the void left in the spam distribution market by the successful takedowns of other botnets like Srizbi, Rustock or Mega-D/Ozdock.

According to spam statistics published by security firm Trustwave, since the beginning of the year, Grum, Cutwail and Lethic have been the most active spam sending botnets in the world. Grum alone was responsible for nearly 35 percent of the world's spam traffic observed last week.

The takedown of the two Grum spam template servers came after FireEye published a blog post on July 9 in which Mushtaq revealed technical details about the botnet and the infrastructure supporting it.

"In my opinion, taking down the top three spam botnets -- Lethic, Cutwail, and Grum -- is enough for a rapid and permanent decline in worldwide spam level," Mushtaq said at the time. "We still have to deal with small players, but I am sure that, after seeing the big players being knocked down, they will retreat as well."

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place