Grum, World's Third-Largest Botnet, Knocked Down

I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned. How it all happened is a long story, but I would like to summarize it for you.

The state of the Grum botnet has changed since we last talked (see previous posts here and here for a look back). On July 16, I reported that while CnC servers in Panama and Russia were alive, shutting down the Dutch server had at least made a dent in this botnet. On the morning of July 17, we at FireEye got the news that the server in Panama was no longer active. The ISP owning this server at last buckled under the pressure applied by the community. It was great news. The shutdown of the Panamanian server meant a lot. I explained in my earlier post that Grum was composed of two different segments. One was being controlled from Panama and one from Russia.

With the shutdown of the Panamanian server, a complete segment was dead forever. This good news was soon followed by some bad news. After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine. So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy.

We immediately shared this new information with three different parties—Carel Van Straten and Thomas Morrison from Spamhaus, Alex Kuzmin from CERT-GIB, and an anonymous researcher who goes by the pseudonym Nova7. After they got all the evidence from my side, they moved quickly, passing this intelligence back to their contacts in Ukraine and Russia. As a result of this overnight operation, all six new servers in Ukraine and the original Russian server were dead as of today, July 18, at 11:00 AM PST.

Note: The primary server located in Russia was not taken down by their ISP, GAZINVESTPROEKT LTD. It was their upstream provider who finally came in and null routed the IP address at our request.

According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has dropped to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well.

Note: We should not take 120,000 IP addresses as the size of the Grum botnet. 120,000 IP addresses constituted only the zombies actively sending spam. In many corporate and ISP environments, outgoing email traffic is blocked by default so a big portion of the Grum botnet never sends any spam, but the bot herders use them for hosting their promotional websites.

Grum's takedown resulted from the efforts of many individuals. This collaboration is sending a strong message to all the spammers:

"Stop sending us spam. We don't need your cheap Viagra or fake Rolex. Do something else, work in a Subway or McDonalds, or sell hotdogs, but don't send us spam."

Every takedown that I have participated in, such as Srizbi, Rustock 1, Ozdok, and Cutwail 1, has given me a unique experience. So what have I learned from this takedown? When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox.


For a complete behind-the-scenes look at the taking down of the Grum botnet, read Part 1, Part 2, and Part 3.