Third Largest Botnet Ring Shut Down -- Redmondmag.com

Third Largest Botnet Ring Shut Down

By Chris Paoli
07/20/2012

The Grum botnet, known as the third largest spam ring among security researchers, was crippled on Wednesday after most of the command and control (C&C) servers were shut down.

The shutdown came about as a joint effort by Dutch Internet service providers and multiple security firms, including Milpitas, Calif.-based FireEye. They worked to power down the final two Dutch servers and one Panamanian server associated with the ring.

"The takedown, while long overdue, is another welcome example of what the security industry can accomplish cooperatively and without the aid of law enforcement officials," said Brian Krebs, a computer security expert and blogger.

Surfacing in 2008, the Grum botnet had control of hundreds of thousands of computers, which it used to send out pharmaceutical spam. At its height, the Grum botnet was thought to be responsible for 17 percent of all worldwide unsolicited e-mail.

However, while most of the Grum botnet servers have been shut down, it might not be out for good. Security experts believe that the Grum worm may continue, providing the basis for a new botnet. Moreover, a targeted server in Russia managed to survive. Those running the malware ring managed to avert the shutdown of the final C&C server.

"After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine," said FireEye's Atif Mushtaq, in a blog post. "So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations."

These destinations, according to Mushtaq, were located in the Ukraine, which he said has traditionally been a "safe haven for bot herders." Mushtaq and his team quickly compiled the evidence of their exact location and forwarded it to a handful of security experts in the Ukraine area, who moved quickly to shut down the six servers that had sprung up overnight.

While Mushtaq said he believes that the botnet ring is currently dead, many security experts warn that Grum may be back due to the fact that no suspects connected with the malware have been detained or charged.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.