Atif Mushtaq, a security researcher with FireEye, announced the victory news on FireEye's blog on Wednesday evening.
"I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down," Mushtaq said. "All the known command and control (CnC) servers are dead, leaving their zombies orphaned."
A botnet is essentially a network of computers that have been breached and hijacked; once the cybercriminals have broken in -- usually using malware -- they can control and direct the activities of all the compromised computers over communication channels built on network protocols such as HTTP and IRC (Internet Relay Chat).
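The "orphaned zombies" Mushtaq mentions are a practical point for defenders: bots keep polling the CnC addresses they know even after those servers are dead, and that regular HTTP polling is visible in proxy logs. The script below is an added illustration, not FireEye's code or anything from the takedown itself; the CnC addresses are constructed placeholders in the TEST-NET-3 range and the proxy log lines are constructed sample data. It flags internal hosts that contact a listed CnC address and marks those whose contacts recur at a near-fixed interval.

```python
"""Find hosts still beaconing to known (dead) botnet CnC addresses.

Added example, not part of the original article or FireEye's tooling.
Assumes a simple proxy log format: "<ISO timestamp> <client> <method> <dest>".
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed placeholder CnC list (TEST-NET-3 addresses, not real indicators).
# In practice this would be populated from takedown or threat intelligence.
DEAD_CNC = {"203.0.113.10", "203.0.113.11"}

# Constructed proxy log lines for illustration only.
SAMPLE_LOG = """\
2012-07-19T10:00:00 10.0.0.5 GET 203.0.113.10
2012-07-19T10:00:02 10.0.0.7 GET www.example.com
2012-07-19T10:05:00 10.0.0.5 GET 203.0.113.10
2012-07-19T10:10:00 10.0.0.5 GET 203.0.113.10
2012-07-19T10:15:01 10.0.0.5 GET 203.0.113.10
2012-07-19T10:20:00 10.0.0.5 GET 203.0.113.10
2012-07-19T10:12:00 10.0.0.9 GET 203.0.113.11
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (timestamp, client, destination) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, _method, dest = m.groups()
        yield datetime.fromisoformat(ts), client, dest


def find_cnc_contacts(log_text, cnc_addresses, min_hits=3, max_jitter=0.2):
    """Return {client: {"dest", "hits", "mean_interval", "periodic"}}.

    A client is listed if it contacted any address in cnc_addresses at all.
    It is marked periodic when it has at least min_hits contacts and the
    spacing between them is regular (standard deviation / mean <= max_jitter),
    which is characteristic of a bot polling its CnC on a timer.
    """
    contacts = defaultdict(list)
    for ts, client, dest in parse(log_text):
        if dest in cnc_addresses:
            contacts[client].append((ts, dest))

    report = {}
    for client, events in contacts.items():
        events.sort()
        times = [ts for ts, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps) if gaps else 0.0
        periodic = (
            len(times) >= min_hits
            and avg > 0
            and pstdev(gaps) / avg <= max_jitter
        )
        report[client] = {
            "dest": events[-1][1],
            "hits": len(times),
            "mean_interval": avg,
            "periodic": periodic,
        }
    return report


if __name__ == "__main__":
    for client, info in sorted(find_cnc_contacts(SAMPLE_LOG, DEAD_CNC).items()):
        tag = "PERIODIC" if info["periodic"] else "contact"
        print(f"{client} -> {info['dest']} hits={info['hits']} "
              f"interval={info['mean_interval']:.0f}s [{tag}]")
```

On the sample data, 10.0.0.5 polls its CnC every five minutes and is flagged as periodic, 10.0.0.9 is listed as a single contact worth triage, and 10.0.0.7 never appears. The jitter threshold matters: real bots add randomness to their polling interval, so a strict equality check would miss them.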
On July 9, Mushtaq described the history of botnets and how Grum fits into the general timeline.
"In recent years, we have seen the fall of many spam botnets including Srizbi, Rustock, Mega-D, Pushdo.A, Storm, and Waledac," Mushtaq wrote. "But one botnet that has kept itself well under the radar is the Grum botnet. When I look into my Botnet Lab logs, I can see traces of Grum's earlier versions recorded around February 2008. That means that, as of today, this botnet is more than four years old. Readers who have been following the evolution of different botnets would agree that keeping a botnet active and alive for this many years is an achievement in itself."
According to M86 Security, Grum was responsible for roughly 17.4 percent of worldwide spam email traffic, which made it officially the third largest active botnet in the world, behind Cutwail and Lethic. In January 2012, however, Grum became the No. 1 spam botnet in the world, accounting for 33.3 percent of all worldwide spam.
Mushtaq and the FireEye crew had been working to disable the Grum spambot by identifying its command and control (CnC) servers and then planning a massive takedown attempt. FireEye had identified three main CnCs in the Netherlands, Panama and Russia, but the security team needed help from the authorities and the local communities to bring down these spammy servers.
On July 17, Mushtaq reported that the Dutch authorities helped pull the plug on two CnC servers in the Netherlands, which helped to make a dent in the botnet. He had also discovered that same day that the server in Panama had been shut down; unfortunately, the cybercriminals were moving quickly. They had set up two secondary servers in Ukraine to help make up for the loss of the Panamanian server.
The hydra-like effect of the Grum botnet was disheartening for Mushtaq.
"I must say, for a moment, I was stunned," he wrote. "The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy."
Mushtaq was disheartened, but he wasn't defeated. Instead, he reached out to a few different parties, including Carel Van Straten and Thomas Morrison from Spamhaus, an anonymous researcher named Nova7, and Alex Kuzmin from CERT-GIB. He shared his evidence of the Grum botnet with the researchers, who quickly passed the intelligence back to their contacts in Russia and Ukraine. And just like that, Grum's dominance as a spam botnet officially ended as of July 18 at 11:00 a.m. PST.
A World Free Of Spam?
Mushtaq reflected on the successful takedown of Grum on FireEye's blog:
"Every takedown that I have participated in, such as Srizbi, Rustock 1, Ozdok, and Cutwail 1, has given me a unique experience," he said. "So what have I learned from this takedown? When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox."
While disabling Grum will be very useful in helping to identify and take down future botnets, unfortunately, we may never be free from spam. The hydra effect is forever present: when one botnet dies, three more spring up. They're tricky to catch, too: they jump from country to country, and they control hundreds of thousands of zombie IP addresses to do their dirty work.
As long as there's money in sending spam, people are going to try to create botnets. Georgiy Avanesov, the mind behind the Bredolab botnet, was believed to have made more than $12,000 a month in revenue off his spam generator (he was sentenced to four years in jail in May). Another network, Zeus, is reportedly responsible for millions of pounds in theft, according to researchers at Microsoft.
We may never be truly free from spam, but at least there are people out there trying.