Sprawling spam botnet struck down
Grum responsible for more than 17% of spam worldwide, FireEye security firm says
A California-based computer security company says it and several other experts have taken out a piece of malware responsible for more than 17 per cent of the world's spam.
FireEye wrote in a company blog Wednesday that all of the command and control servers deploying the Grum botnet had been disabled.
Several security experts had spent days playing a game of cat and mouse with the creators of the malware, shutting down servers in Panama and Russia only to have new ones pop up in the Netherlands and Ukraine.
In most cases, the security sleuths managed to convince the internet service providers hosting the servers to shut them down. In Russia, however, it was the upstream provider, which connects ISPs to the internet, that "null routed" — i.e. rendered useless — the IP address affiliated with the primary malware server in that country, wrote FireEye security researcher Atif Mushtaq.
Mushtaq said he co-operated with experts at the Switzerland-based Spamhaus and the Russian computer security incident response team CERT-GIB, as well as with an anonymous researcher known as Nova7, to rally the online community that tracks computer threats to put pressure on the ISPs hosting Grum servers.
Dates back to 2008
Grum has been active since as far back as 2008, an unusually long life for a botnet, Mushtaq said.
As of January 2012, Grum was responsible for 33.3 per cent of worldwide spam, according to data from M86Security compiled by Mushtaq. But recently, its share of the spam market had dropped to 17.4 per cent, "making it the world's third-most active spam botnet after Cutwail and Lethic," Mushtaq wrote.
Mushtaq said the security community's success in taking down the botnet shows that with concerted effort, even ISPs in countries considered safe havens for those looking to set up command and control servers (CnCs) for malware can be pressured to help stop those flooding computer networks with malicious spam.
"There are no longer any safe havens," Mushtaq wrote. "Most of the spam botnets that used to keep their CnCs in the U.S.A. and Europe have moved to countries like Panama, Russia and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox."