Just a couple of days after authorities in the Netherlands pulled the plug on two of the four command-and-control servers behind the Grum spam botnet, the remaining C&C servers have been taken offline as well, thanks to a cooperative effort among researchers. As a result, the number of Grum-infected IP addresses sending spam has fallen from 120,000 down to about 21,000.
Grum was reportedly responsible for as much as 18 percent of the world’s spam and was thought to be the third-largest spam botnet in operation. The takedown effort began with the removal of two C&C servers in the Netherlands earlier this week. Researchers at FireEye contacted police in that country, explaining what the servers were being used for and that they were part of a large, global botnet. Those two servers were taken down, but there were still two other C&C servers in operation, one in Panama and one in Russia.
Yesterday, the ISP in Panama that owned the Grum C&C server there responded to pressure from researchers and removed it. That killed off one of the two major segments of the Grum botnet and left only the C&C server in Russia. But the attackers behind Grum were apparently watching the takedown effort and responded quickly.
“After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine. So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy,” Atif Mushtaq of FireEye said.
When they saw this, the researchers at FireEye passed the information about the new C&C servers along to other people in the community, including Spamhaus and CERT-GIB, the Russian computer emergency response team. Carel Van Straten and Thomas Morrison from Spamhaus and Alex Kuzmin from CERT-GIB contacted people they knew in Russia and Ukraine and within a few hours, all of the newly minted C&C servers had been taken offline, as well.
“The primary server located in Russia was not taken down by their ISP, GAZINVESTPROEKT LTD. It was their upstream provider who finally came in and null routed the IP address at our request,” Mushtaq said.
“According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam with [sic] fade away as well.”
Mushtaq said that the takedown of Grum shows that cooperation among researchers can produce real, valuable results.
“When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time,” he said.