The Grum botnet, which Dutch authorities and security researchers knocked offline earlier this summer, made a second, unsuccessful attempt at a comeback over the weekend when the bot herders stood up two new command-and-control servers in Turkey. The revival was short-lived however, and both C&Cs now are offline.
Grum at one time was one of the larger spam botnets on the Web, accounting for a huge percentage of worldwide spam during its heyday. As most large, noisy botnets do, Grum attracted the attention of security researchers and law enforcement. In June, authorities in the Netherlands, in a joint operation with security researchers from FireEye, located and disabled four Grum C&C servers being hosted in that country. There were two other C&Cs in use by the botnet at the time, one in Russia and the other in Panama.
Those servers were taken offline a few days after the initial Grum takedown, and all seemed right with the world. However, within a week, the bot herders were able to bring up a new set of C&C servers in Ukraine. Those were quickly taken down, as well, after researchers discussed the issue with the ISP that was providing hosting services. Strike two.
Now, the bot herders have swung and missed a third time, in this instance barely getting the servers up and running before they were yanked offline.
“Over the weekend I was notified by Thomas Morrison from Spamhaus that there was a new Grum C&C server in town. The new C&C server 18.104.22.168 was located in Turkey,” Atif Mushtaq of FireEye said in an analysis of the incident.
“That first hint led me to find another live C&C server 22.214.171.124 located in the same colo. The good news is that both servers are dead at the moment, effectively killing this new segment of Grum. Interestingly, the new segment did not try to use its limited time for any major spam-related activities. Most probably, the group was in a rebuilding process and wanted to keep themselves under the radar. Grum has been on our watch list since day one and it is pretty naive on the bot herder’s part to think that their actions would go unnoticed. Their new investment went badly, costing them some real time and money.”
After spending months, or in some cases, years, building up their networks of infected machines and carefully choosing C&C server locations, bot herders understandably are reluctant to let go of their creations even in the face of serious attention from law enforcement. This has happened with a number of other botnets in the last few years and it’s likely to keep occurring, especially given the ease with which attackers can spin up new C&C servers at bulletproof hosting providers or on compromised servers inside legitimate networks.