Third Largest Botnet Ring Shut Down
The Grum botnet, known among security researchers as the third largest spam ring, was crippled on Wednesday after most of its command and control (C&C) servers were shut down.
The shutdown came about as a joint effort by Dutch Internet service providers and multiple security firms, including Milpitas, Calif.-based FireEye. They worked to power down the final two Dutch servers and one Panamanian server associated with the ring.
"The takedown, while long overdue, is another welcome example of what the security industry can accomplish cooperatively and without the aid of law enforcement officials," said Brian Krebs, a computer security expert and blogger.
Surfacing in 2008, the Grum botnet had control of hundreds of thousands of computers, which it used to send out pharmaceutical spam. At its height, the Grum botnet was thought to be responsible for 17 percent of all worldwide unsolicited e-mail.
However, while most of the Grum botnet servers have been shut down, it might not be gone for good. Security experts believe that the Grum worm may persist and provide the basis for a new botnet. Moreover, a targeted server in Russia survived: those running the malware ring were able to avert the shutdown of the final C&C server.
"After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine," said FireEye's Atif Mushtaq, in a blog post. "So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations."
These destinations, according to Mushtaq, were located in the Ukraine, which he said has traditionally been a "safe haven for bot herders." Mushtaq and his team quickly compiled the evidence of their exact location and forwarded it to a handful of security experts in the Ukraine area, who moved quickly to shut down the six servers that had sprung up overnight.
While Mushtaq said he believes that the botnet ring is currently dead, many security experts warn that Grum may return because no suspects connected with the malware have been detained or charged.