FireEye's task started with an analysis of the bots, discovery of the four command and control servers, and crucially, discovery that the C&C IP addresses are hard coded into the botnet. Two of these were in the Netherlands, one in Panama and one in Russia. FireEye contacted the Dutch authorities and the Dutch servers were quickly taken down. Panama and Russia, however, remained in operation.
Then came news that the Panamanian authorities had responded to mounting pressure. “The ISP owning this server at last buckled under the pressure applied by the community,” said Atif Mushtaq in a new blog. “It was great news.” But it still left the server in Russia, meaning that the bot herders still had access to their botnet. The “good news was soon followed by some bad news,” he added. “The bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine.”
Mushtaq went back to the community. He shared his intelligence with Spamhaus, CERT-GIB (the Russian CERT), and an independent researcher known as Nova7. It worked. “As a result of this overnight operation, all six new servers in Ukraine and the original Russian server were dead as of today,” he reported.
Grum is dead – or at least fatally wounded. “According to data coming from Spamhaus,” wrote Mushtaq, “on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well.”
Unlike many takedowns, where the botnets just seem to keep coming back, Grum has gone, and gone for good. The infected zombies will remain infected but inactive. James Todd, technical lead at FireEye, explained his confidence. “Since Grum uses hard coded IP addresses to communicate with the primary and secondary CnC servers rather than host names, removing those IP addresses permanently disconnects all infected machines and prevents them ever reconnecting.” So unless the bot herders can persuade ISPs to reassign the same IP addresses to servers they control, Grum is gone. Any new Grum would have to be rebuilt from the ground up.
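The same property that kills the botnet also helps defenders find the leftover zombies: a bot with hard-coded primary and secondary C&C addresses keeps retrying exactly those addresses after the takedown. The script below is an added example, not FireEye's or the article's code; it scans constructed firewall-style log lines for internal hosts repeatedly attempting connections to a list of dead C&C addresses, where every IP is a placeholder from the RFC 5737 test ranges rather than a real Grum server.

```python
# Added example, not from the article or FireEye: after a takedown, infected
# hosts keep retrying the hard-coded primary/secondary C&C addresses, so
# outbound attempts to those dead addresses are a stable signal for finding
# machines that still need cleaning. All IPs are constructed placeholders.
import re
from collections import Counter, defaultdict

DEAD_CNC_PRIMARY = {"203.0.113.10", "203.0.113.11"}   # placeholder primaries
DEAD_CNC_SECONDARY = {"198.51.100.20"}                # placeholder secondary
DEAD_CNC = DEAD_CNC_PRIMARY | DEAD_CNC_SECONDARY

# Minimal firewall-style log line: "<timestamp> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample: 10.0.0.5 keeps retrying both tiers, 10.0.0.7 hits one
# dead address once, 10.0.0.9 only talks to an unrelated host.
SAMPLE_LOG = """\
2012-07-19T10:00:01Z 10.0.0.5:51000 -> 203.0.113.10:80 DROP
2012-07-19T10:00:31Z 10.0.0.5:51001 -> 203.0.113.10:80 DROP
2012-07-19T10:01:01Z 10.0.0.5:51002 -> 198.51.100.20:80 DROP
2012-07-19T10:01:31Z 10.0.0.5:51003 -> 203.0.113.10:80 DROP
2012-07-19T10:02:01Z 10.0.0.5:51004 -> 198.51.100.20:80 DROP
2012-07-19T10:02:05Z 10.0.0.7:40010 -> 203.0.113.10:80 DROP
2012-07-19T10:02:09Z 10.0.0.9:40020 -> 192.0.2.50:443 ALLOW
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_zombies(lines, min_attempts=3):
    """Map each internal source to its per-C&C attempt counts, keeping only
    sources with at least min_attempts total attempts to dead C&C addresses.
    The threshold filters one-off hits (scanners, stale caches, typos)."""
    attempts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] in DEAD_CNC:
            attempts[rec["src"]][rec["dst"]] += 1
    return {src: dict(c) for src, c in attempts.items()
            if sum(c.values()) >= min_attempts}
```

On the sample, only 10.0.0.5 crosses the threshold; lowering `min_attempts` to 1 also surfaces 10.0.0.7 for a closer look.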