This is really good news for everyone who has an inbox. In an operation that took just 10 days from the initial report to completion, there has been a huge success in the battle against spam. Grum, one of the world’s largest spamming bot nets, was severely crippled, losing over four-fifths of its network. The Grum network itself was responsible for 18% of the ENTIRE world’s spam. This is good news for everyone, not just any particular country.
The bot net itself was brought down primarily through the actions of FireEye’s Atif Mushtaq, who had initially reported on July 9th that he had discovered the bot net and what it would take to remove it from all of our inboxes. For those who are wondering, FireEye is one of the premier trackers of spam and malware and works tirelessly to end their reign of annoyance and the threat they pose to our computers. In Mushtaq’s outline he pinpointed the 3 major servers that ran this four-year-old network of thousands of computers. Not only did he pinpoint them, but he laid out a plan for how to take the bot net down once and for all.
While it accounts for 18% now, the bot net, at its peak, was responsible for at least 33% of the world’s spam.
The outline that Mushtaq created identified that its command-and-control (CnC) servers were located in Panama, the Netherlands and Russia.
This post spread like wildfire through the cyber security research community, and on July 16th Dutch authorities were the first to respond by taking down the CnC server located in the Netherlands. While this was a good initial strike against the bot net, they would quickly find out that the Netherlands-based server was only the secondary server that helped run Grum.
Not to be outdone, the Panamanian ISP that was hosting Grum’s server on their side stepped up to the plate and took it down as well. Instead of just putting a dent in the system, they had now struck a true blow against how it was running. With the secondary server and one primary server down, Grum was running on only one CnC server and, for the first time in its history, was close to actually being shut down.
Even with the bot net this close to death, you have to keep in mind that the CnC located in Russia was still running. If the operators could bring up another backup server quickly enough, they would not lose the network that had plagued inboxes for years. In a scramble, it appears that Grum’s owners were trying to replace the downed servers with new ones in Ukraine. According to Mushtaq, Ukraine “has been a safe haven for bot herders in the past and shutting down any servers there has never been easy.” This was something that had to be prevented at all costs, or the entire effort to date would have been pointless.
While playing cat and mouse, they were able to prevent the transition and stop the bot net dead in its tracks by reaching out to their contacts in Russia. By doing so they were able to take down the last of the controlling CnCs. Unable to transition to the new servers, the Grum bot net’s CnC servers were now dead. With no CnC servers in place and no way for the bot net to locate new ones, Grum is no more.
Or so they thought. They discovered today that the Russian CnC had not been taken offline before 6 new servers in Ukraine had come up. While the downside is that those servers are still running, the upside is that only 21,000 of the 120,000+ IP addresses are still active. So what exactly happened?
Well, according to FireEye:
With the shutdown of the Panamanian server, a complete segment was dead forever. This good news was soon followed by some bad news. After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine. So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy.