Security researchers in the U.K. have struck a blow in the war against spam.
According to malware intelligence firm FireEye, Grum, a botnet responsible for an estimated 18 percent of the spam reaching users' inboxes, has been knocked down following a coordinated effort by multiple security companies and local ISPs in Panama, the Ukraine and Russia that shut down the botnet's command and control (C&C) servers in those three countries.
The end began when security experts at FireEye learned that one of the secondary servers Grum was using, located in the Netherlands, had been shut down on July 16. The following day, ISPs in Panama shut down Grum's primary server there, forcing Grum's operators to redirect their traffic to a secondary server in the Ukraine. With the help of anonymous contacts and partners from CERT-GIB and blocklist removal center Spamhaus, FireEye was able to exert pressure on ISPs in the Ukraine and neighboring Russia, effectively shutting down Grum--at least for the time being.
At the time of the takedown, Grum had already declined steeply from January, when the botnet distributed 33 percent of the world's known email spam. The botnet had been active for nearly four years--suggesting a high degree of professional expertise and financial support--likely illegal.
Grum had been the subject of intense interest in the internet security community, its techniques dissected by everyone from the International Journal of Information Technology to Technology Review. With Grum's demise, the Lethic and Cutwail (formerly Pushdo) botnets are left as the only two major botnets distributing spam. Lethic was taken down by security researchers in January 2010, using techniques similar to those used in the shutdown of Grum; however, Lethic reemerged in a slightly weakened form later that year.
All told, Lethic and Cutwail were responsible for infecting 1.7 to 2.2 million computers worldwide, targeting websites as diverse as the National Institutes of Health, Doctors Without Borders and Utah's Child Protection Registry.
Yet despite the plethora of blogs and websites rushing to write Grum's obituary, reports of its death could be greatly exaggerated: when the Rustock botnet was taken down in 2011, much of the traffic it generated shifted to another little-known botnet that would later become infamous--Grum.