Takedown of Grum botnet completed

20 July 2012

Earlier this week FireEye reported that the takedown of the Grum botnet – the world’s third largest spam machine – was a ‘work in progress’. Yesterday it announced that the work in progress is complete: Grum is no more.

FireEye's task started with an analysis of the bots, discovery of the four command and control servers, and crucially, discovery that the C&C IP addresses are hard coded into the botnet. Two of these were in the Netherlands, one in Panama and one in Russia. FireEye contacted the Dutch authorities and the Dutch servers were quickly taken down. Panama and Russia, however, remained in operation.

Then came news that the Panamanian authorities had responded to mounting pressure. “The ISP owning this server at last buckled under the pressure applied by the community,” said Atif Mushtaq in a new blog. “It was great news.” But it still left the server in Russia, meaning that the bot herders still had access to their botnet. The “good news was soon followed by some bad news,” he added. “The bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine.”

Mushtaq went back to the community. He shared his intelligence with Spamhaus, CERT-GIB (the Russian CERT), and an independent researcher known as Nova7. It worked. “As a result of this overnight operation, all six new servers in Ukraine and the original Russian server were dead as of today,” he reported.

Grum is dead – or at least truly fatally wounded. “According to data coming from Spamhaus,” wrote Mushtaq, “on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well.”

Unlike many takedowns where the botnets just seem to keep coming back, Grum has gone and gone forever. The infected zombies will remain infected but inactive. James Todd, technical lead at FireEye, explained his confidence. “Since Grum uses hard coded IP addresses to communicate with the primary and secondary CnC servers rather than host names, removing those IP addresses permanently disconnects all infected machines and prevents them ever reconnecting.” So unless the bot herders can persuade ISPs to reassign the same IP addresses to servers they control, Grum is gone. Any new Grum would have to be rebuilt from the ground up.
