Grum’s last servers were taken offline in Russia last week, effectively killing the botnet, which has no fallback mechanism, said Atif Mushtaq, a researcher at FireEye’s security lab, which collaborated with the Russian Computer Security Incident Response Team and the Spamhaus Project in battling Grum.
Grum had been the world’s largest spam botnet since January. Before the takedown, the botnet’s 120,000 active, malware-infected computers were spewing 18 billion spam e-mails a day, roughly a third of the world’s spam, said Trustwave.
The impact of Grum’s collapse went beyond that one spambot. Stopping Grum caused a slowdown in the world’s largest spam botnet, Lethic, Mushtaq said Thursday. “Due to this [international] community reaction, Lethic has gone underground for a while.”
With Grum down and Lethic quiet, the total amount of the world’s spam has been cut in half, at least temporarily, said Mushtaq.
Aside from the numbers, the spam-fighters’ success is expected to have a chilling effect on Russian and Ukrainian spam operations, which can no longer assume that those countries’ weak laws make them a safe haven.
Security Teams Unite to Fight
The Grum operation was carried out without any involvement by law enforcement, showing that security researchers working together can also be effective in fighting botnets, which besides sending spam are used in denial-of-service attacks against websites.
With security researchers globally watching them, cybercriminals now have to deal with far more adversaries than in the past. “That will have a huge impact on the mindset of bot herders, and that may be the reason Lethic is going underground,” Mushtaq said. Bot herder is the name given to people who control hijacked computers, or bots, in an illicit network.
Grum’s death leaves tens of thousands of inactive, malware-infected computers. But without the original master computer and the IP addresses of the infected systems, the botnet is unlikely to be resurrected. “There’s no way to hijack this botnet,” Mushtaq said. “[The computers] are lost to us and to bot herders.”
The Grum-killing operation started about two weeks ago when authorities in the Netherlands pulled the plug on two servers. This led to other servers in Panama being taken offline early this week.
In a cat-and-mouse game with spam fighters, the Grum operators launched more servers in Russia and the Ukraine. A service provider in Russia took the last of those computers off the Internet on Wednesday.
How long spam numbers will remain down is unclear. Spammers are sure to start filling the gap at some point. “Major takedowns can have a perceptible impact for weeks, even months, but that doesn’t mean it will be the case here,” David Harley, senior research fellow at ESET, said in an e-mail.