Grum Botnet Taken Offline, Represented 18% of Global Spam

(Ping! Zine Web Tech Magazine) – Good news for online users and bad news for the operators of one massive spam operation: On Wednesday, security firm FireEye announced the takedown of the Grum Botnet, the third largest in the world, according to the company.

Grum first came under pressure when one of its command-and-control servers, hosted in the Netherlands, was taken down. The operation stayed online, however, through servers still running in countries including Panama and Russia. The Panamanian server was then taken offline as well, pulled by its ISP.

It didn’t end there. Grum’s operators then scrambled to reroute the operation to new servers in Ukraine. “Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy,” commented FireEye in its blog post.

The security firm then worked with several contacts in both Ukraine and Russia to stop the operation. In Russia, it was the upstream provider that ultimately cut off the server.

“When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens,” stated FireEye in its blog. “Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox,” the post continued.

The takedown appeared to have a profound effect on the spam operation. The firm cited data from the nonprofit anti-spam organization Spamhaus, which used to see roughly 120,000 Grum-infected systems sending spam on a daily basis. With the servers gone, that number had dropped to 21,505, a decline of more than 80%.

A report by the BBC noted that experts believed Grum to have accounted for 18% of the world’s spam. Spam-sending botnets have been a persistent problem for years, and Grum is not the first to be dismantled through coordinated action.

Last fall, U.S. authorities pulled the plug on the infamous DNSChanger botnet, whose malware pointed infected machines at rogue DNS servers under the operators’ control. To keep victims online after the seizure, those rogue servers were replaced with clean substitute servers; authorities switched the substitutes off only recently, a move that prompted some panic, with reports warning that users whose machines were still infected could lose internet access.