World’s third biggest spam botnet “taken down”

Jul 25, 2012 | Regulation

A botnet called “Grum”, which was responsible for over 18% of all the world’s spam email, has officially been shut down, according to a new report.
Online security firm FireEye worked with local internet service providers and the spam-tracking service Spamhaus to locate the Grum command and control servers in Panama, Russia, and Ukraine.

Around 20,000 infected machines are still part of the botnet, but without their main hubs to report back to they should drop out of service within the next few days.
“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye. “This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”
To get the C&C servers in Russia shut down, FireEye took a “heavy-handed approach” in working with Russian ISPs and domain registrars.
Mushtaq said the primary Russian server was not taken down by its ISP, GAZINVESTPROEKT. Instead, it was the upstream provider that finally stepped in and null-routed the IP address at FireEye’s request.
“According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well,” Mushtaq wrote on his blog on Wednesday.
Grum’s closure is an encouraging development in the international war against spam, as more and more botnet rings come under increased pressure from private companies and governments alike.
Read the official FireEye blog here: http://blog.fireeye.com/research/2012/07/grum-botnet-no-longer-safe-havens.html.