Dutch authorities have knocked out two of the command-and-control servers for one of the top spam-producing botnets, known as Grum. The action was not a complete knockout though, as there are still two other C&C servers at work, but researchers are optimistic that the volume of spam will drop as a result.
Researchers at FireEye had been watching the Grum botnet for a while and had pinpointed the four C&C servers being used to control it. Two of the servers were in the Netherlands, one is in Russia and the other in Panama. In the last few days, autorities in the Netherlands pulled the plug on the two servers in their country, severing half of the Grum botnet’s command infrastructure.
“These two CnC servers were responsible for pumping spam instructions to their zombies. With these two servers offline, the spam template inside Grum’s memory will soon time out and the zombies will try to fetch new instructions but will not able to find them. Ideally this should stop these bots from sending more spam. I am sure the absence of the spam sent by the world’s third largest spam botnet will have a significant impact on the global volume,” Atif Mushtaq of FireEye wrote in a blog post on the takedown.
Mushtaq said that the company had been in touch with the hosting providers in Russia and Panama where the two remaining C&C servers are located, but have had no luck getting them to respond.
“ The ISP/Colos involved were contacted but they ignored the abuse notifications sent to them, even though they contained clear and complete evidence of bad behaviour. This means that using these two live servers, the bot herders might try to recover their botnets by executing a worldwide update. No action has been taken by the bot herders so far. There is complete silence from their side,” he said.
Researchers and law enforcement agencies worldwide have been targeting major botnets with a variety of techniques for several years, with varying degrees of success. Botnets such as Mariposa, Kelihos, Rustock, Zeus and others all have been the subject of some sort of takedown attempt. In some cases, they’ve been quite successful, and have had an effect on the level of spam or other criminal activity. In other cases, the botnets have morphed or bounced back in new forms.
But researchers have been honing their techniques, as well, and the involvement of big companies such as Microsoft, with a lot of legal and financial resources behind them, has made life more difficult for the crews behind these botnets.