Final Blow Kills Remainder Of Grum Botnet

Published : 22/11/2024   Category : security




Command and control servers shut down in Panama, Russia, Ukraine



The massive Grum botnet best known for pumping out pharmaceutical spam was finally fully dismantled today with the shutdown of the remainder of its main command-and-control (C&C) servers in Panama and Russia.
Earlier today, FireEye said Spamhaus had led the shutdown of the Panama-based server, and in a new development, FireEye, the Russian CERT and Spamhaus worked together to kill off the last of the botnet this afternoon -- the Russian segment. The servers there were the last to go, after the botnet operators set up seven new ones in Russia and the Ukraine after the other segments had been taken down.
Grum, which accounts for 17.4 percent of worldwide spam and is nearly four years old, earlier this week lost its C&C servers in the Netherlands when a Dutch ISP cut them off after researchers from FireEye published their findings on the botnet's infrastructure.
The botnet was the third-most prolific botnet in the world, after a stint as the No. 1 botnet in January, with a third of all spam worldwide, according to M86 Security data. The botnet most recently had some 100,000 active bots, according to FireEye.
The two C&C servers in the Netherlands had sent spam instructions to the bots, so when they went offline, that left master C&C servers in Panama and Russia to pick up the slack, which researchers had expected them to do.
From then on, it was a battle of wits between the Grum botnet operators and the research community.
The even better news is that botnet hunters were able to pull the plug on the servers in Russia and the Ukraine, a region favored by cybercriminals. FireEye says this should scare other botnet groups a bit, demonstrating that this region isn't such a safe haven after all.
"So what have I learned from this takedown? When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time," said Atif Mushtaq, senior staff scientist at FireEye, in a blog post last night.
Meanwhile, in the wake of the Grum takedown, FireEye says it has seen a drop in spamming from Lethic, the world's largest botnet.
FireEye says Grum doesn't have any apparent backup infrastructure in place to rebound any time soon. But a botnet takedown is rarely, if ever, permanent. Even when a botnet is completely disabled, the operators just go elsewhere and start all over again. Still, security experts say the dismantlement strategy is effective, even if it's mostly temporary.
[ Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet. See Botnet Takedowns Can Incur Collateral Damage. ]
"I'm all for governments and law enforcement taking an active role in hunting these botnets down. They are always going to be somewhat successful, and it's not a bad use of resources," says Ron Gula, CEO at Tenable Security. "But nothing is changing. We're still really vulnerable, and they are coming in with client-side attacks."
Gula says there's plenty more going on behind the scenes with botnets. "Sure, we can find a botnet called Grum and Cutwail, but if I was a bot herder, I would have multiple types of botnets laying around dormant. I'd turn them on when I needed them," he says.
To contact Dark Reading's editors directly, send us a message.





