Sound Of Silence: Researchers Nearly Shut Down Grum Spam Network

Notice anything weird about your email inbox? If you said there wasn’t as much spam lately, that’s because researchers at FireEye and the venerable SpamHaus have essentially shut down the Grum botnet by marking and banning IP addresses. The botnet was responsible for 18% of the world’s spam and had lassoed 560,000 to 840,000 computers using a rootkit.

After FireEye and SpamHaus published the inner workings of Grum, public pressure soon forced Dutch ISPs to shut down a major network control hub that sent commands to about 120,000 separate IPs. Then a similar server was shut down in Panama, leaving only a working server in Russia. However, as the Panama server winked out, the hunt for Grum suddenly became a cat-and-mouse game as new servers popped up in Ukraine.

FireEye’s Atif Mushtaq wrote:

With the shutdown of the Panamanian server, a complete segment was dead forever. This good news was soon followed by some bad news. After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine. So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy.

Although the Russian and Ukrainian servers are still running, the effort cut the botnet’s spam output from 120,000+ sending IPs to 21,000, reducing the overall spam load. It’s not over yet, but it’s a dent in the overall feed.

Mushtaq closed with a message to the spammers: “Stop sending us spam. We don’t need your cheap Viagra or fake Rolex. Do something else, work in a Subway or McDonalds, or sell hotdogs, but don’t send us spam.”

“Keep on dreaming of a junk-free inbox,” he wrote.

via BBC