Botnets are a lot like dandelions; you think they’re dead and then when you’re not looking they pop right back up. It’s happened time and again in the malware ecosystem and the latest member of the undead botnet society is Grum, which was only just taken down last week. Over the weekend several of the command-and-control servers used by the Grum botmasters reappeared in Ukraine.
Researchers at FireEye, who have been closely involved in the takedown of the Grum botnet, found that within the last couple of days, three of the C&C servers used by the botnet were brought back online. Those servers are located in Ukraine and, like the others associated with Grum, had been taken offline last week in an effort to disable Grum. There were additional C&C servers located in the Netherlands and Panama, but those have not been active again.
“Over the weekend we found that the Ukrainian ISP SteepHost removed the null route on three CnCs that were taken down last week. We suspect the bot herders must have paid a large amount of money in order to get access to these servers. We immediately noticed this change and contacted SteepHost once again. After hours of negotiations, they eventually shut down these CnCs once more. During this time there was a short burst of spam sent by Grum, but it has disappeared as of this morning,” Atif Mushtaq of FireEye said.
It’s not unusual at all to see botnets that have been taken down completely or just damaged reemerge after a period of time. In some cases this is the result of the bot herders moving their C&C infrastructure to fall-back servers that are set up for that purpose. In other cases, another attacker or group of criminals will use the same malware–or a close relative of it–and stand up a separate botnet with the same characteristics.
The names may change, but the game stays the game.
In the case of Grum, it was a different story altogether. One of the hosting providers moved to restore connectivity to the three C&C servers it controlled. Mushtaq said that a representative of SpamHaus, the global anti-spam clearinghouse, had talked with officials at SteepHost, the Ukrainian hosing provider, about the wisdom of restoring the Grum C&C servers.
“A strong warning has been given to SteepHost that if something like this happens again, a complaint will be filed with their upstream provider which might de-peer them off the Internet. Alternatively their whole subnet can be blacklisted which could cause some serious damage to their business,” Mushtaq said.
De-peering is an extreme measure that’s typically reserved for the worst offenders among hosting providers, meaning those who knowingly harbor spammers, provide no-questions-asked hosting to cybercriminals and ignore requests from researchers and other hosting providers to remove malicious servers. SteepHost has appeared on the Host Exploit list of Top 50 Bad Hosts in the past, but was not on the most recent list.