The ease and difficulty in taking down a botnet

What FireEye did was publicize the Grum active C&C servers; one in Panama, one in Russia and two in the Netherlands. “Can we dream of a junk-free mailbox? Guess what,” concluded FireEye’s Atif Mushtaq, “it’s just a few takedowns away.”

Today he returns to the subject in a new blog post. “Dutch authorities have pulled the plug on two of the CnC servers pointing to IP addresses 94.102.51.226 and 94.102.51.227... With these two servers offline, the spam template inside Grum's memory will soon time out and the zombies will try to fetch new instructions but will not be able to find them.” That’s how easy it is to take down a botnet. Or is it?

Mushtaq adds that the remaining two servers, in Russia and Panama, remain under the control of the botherders. Despite receiving abuse reports from FireEye, the relevant ISPs have done nothing. It means, says Mushtaq, “the bot herders might try to recover their botnets by executing a worldwide update.” The problem for the security industry is that the most it can usually do is sever the command-and-control link between the herders and the zombies; the infected machines themselves stay infected and keep polling for instructions. If the herders retain any link with those zombies, they can rebuild, regroup, and restart.

For the moment, FireEye has seen no such attempt from the Grum herders. It expects Grum-based spam to slowly reduce in the short term, but is watching for any sign of renewed activity. “This is an operation still in progress,” says Mushtaq.
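A zombie whose C&C has gone dark behaves exactly as Mushtaq describes: it keeps trying to fetch instructions on a fixed schedule. That regular, failing polling is what a network defender would watch for after a takedown. The script below is an added example (not FireEye's code or anything from the original article) that scans constructed flow records for hosts that contact the two Dutch C&C addresses named above with a regular cadence. The sample flow lines and the internal host addresses are invented for illustration; the Russian and Panamanian servers are not identified on the page and so are deliberately not listed.

```python
from datetime import datetime
from statistics import median

# The two Dutch Grum C&C addresses named in the article. The Russian and
# Panamanian servers are not identified on the page, so they are not listed.
GRUM_CNC = {"94.102.51.226", "94.102.51.227"}

# Constructed flow records (not real traffic): "timestamp src dst dport".
# 10.0.0.5 polls a dead C&C roughly every ten minutes; the other hosts
# are noise (one-off contact, or ordinary DNS traffic).
SAMPLE_FLOWS = """\
2012-07-17T10:00:00 10.0.0.5 94.102.51.226 80
2012-07-17T10:02:11 10.0.0.12 8.8.8.8 53
2012-07-17T10:10:01 10.0.0.5 94.102.51.226 80
2012-07-17T10:15:30 10.0.0.9 94.102.51.227 80
2012-07-17T10:20:00 10.0.0.5 94.102.51.226 80
2012-07-17T10:22:45 10.0.0.12 8.8.8.8 53
2012-07-17T10:30:02 10.0.0.5 94.102.51.227 80
2012-07-17T10:40:00 10.0.0.5 94.102.51.226 80
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, dport)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_polling_bots(records, cnc_ips, min_attempts=3, max_jitter=0.1):
    """Return {src: {"attempts": n, "interval_s": median_gap}} for hosts that
    contacted a known C&C address at least min_attempts times with a regular
    cadence: every inter-attempt gap lies within max_jitter of the median gap.
    A single stray connection is ignored; a host beaconing on a timer is not."""
    by_src = {}
    for ts, src, dst, _dport in records:
        if dst in cnc_ips:
            by_src.setdefault(src, []).append(ts)

    hits = {}
    for src, times in by_src.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            hits[src] = {"attempts": len(times), "interval_s": med}
    return hits


if __name__ == "__main__":
    for host, info in find_polling_bots(parse_flows(SAMPLE_FLOWS), GRUM_CNC).items():
        print(f"{host}: {info['attempts']} C&C attempts, "
              f"every ~{info['interval_s']:.0f}s - likely Grum zombie")
```

The cadence check matters more than the address match: once the herders push a "worldwide update" pointing bots at new servers, the old addresses stop appearing in the logs, but the same hosts will start beaconing to something else on the same timer. Re-running the scan with a widened address set, or dropping the address filter and keeping only the regularity test, is how the "renewed activity" the article mentions would show up.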
