Authorities down servers of third-largest spam botnet

Authorities in three countries have taken down a half-dozen command-and-control servers for the Grum botnet, crippling the world's third-largest spam-spewing network.

A total of five servers in Panama and the Ukraine were taken down Tuesday, while the plug was pulled on two servers in the Netherlands over the last few days, Atif Mushtaq, a researcher at FireEye's security lab, said.

FireEye, the Russian Computer Security Incident Response Team and the Spamhaus Project have been playing a cat-and-mouse game with the spammers, who have launched new servers when others are taken down.

"It's a dogfight between the research community and the bot herders," Mushtaq said. "Bot herders" is the term for the operators of a botnet, the network of malware-infected, commandeered computers.

Grum is responsible for more than 17 percent of the world's spam, according to Mushtaq. Most of the spam sells fake Rolex watches and Viagra.

As of late Tuesday, the master server and one command-and-control server were operating in Russia, where Mushtaq believes the spammers are headquartered.

FireEye has watched Grum since 2008, when it was only the seventh- or eighth-largest spam botnet. Since then, larger botnets, such as Kelihos, Rustock and Zeus, have been taken down, so Grum has climbed up the charts.

Over the last few years, the tech industry has become more aggressive in battling botnets. In March, Microsoft won court permission to seize the servers of the Zeus botnet, which cybercriminals used to steal $100 million over five years.

Most of the money came through stealing online banking and e-commerce credentials. Microsoft also was involved in the takedown of servers in the Kelihos, Rustock and Waledac botnets.

The amount of spam flowing into people's inboxes has fallen at least 60 percent since the peak in 2008, Mushtaq said. Many ex-spammers have switched from running huge botnets that attract the attention of authorities to operating small networks aimed more at infecting computers with information-stealing malware.

"These guys have learned they need to fly under the radar," Mushtaq said. "Making one huge botnet will make them very visible."

Spammers also are turning from PCs to Android devices in building botnets for sending pharmacy, penny stock and e-card spam emails. Microsoft reported this month seeing spam sent from Android devices spewing from Yahoo email servers. The infected devices were located in Ukraine, Russia, Chile, Argentina, Venezuela, Indonesia, Thailand, the Philippines, Lebanon, Oman and Saudi Arabia.

The consequence of sending spam from a mobile device is a higher wireless bill for the owner. Thousands of spam messages flowing from a device means a big jump in data traffic, which can lead to additional charges when volume surpasses a person's data plan.

Stories by Antone Gonsalves