This post was updated on July 17, 2012, at 3:15 PM.
Last week, I wrote an article covering various aspects of a large spam botnet named Grum. This article mainly covered the current command and control (CnC) coordinates of this botnet. The intention behind this article was not only to share this information for a general awareness, but also to invite the research community to come forward to take down this spam beast. I can see that this strategy is really working. Dutch authorities have pulled the plug on two of the CnC servers pointing to IP addresses 188.8.131.52 and 184.108.40.206.1 Thanks to the Dutch authorities for swift action.
These two CnC servers were responsible for pumping spam instructions to their zombies. With these two servers offline, the spam template inside Grum's memory will soon time out and the zombies will try to fetch new instructions but will not able to find them. Ideally this should stop these bots from sending more spam. I am sure the absence of the spam sent by the world's third largest spam botnet will have a significant impact on the global volume.
However, this is not a complete victory. The master CnC servers located in Panama and Russia are still alive and kicking.
|220.127.116.11 18.104.22.168||Master Master||RUSSIAN FEDERATION RUSSIAN FEDERATION||GAZINVESTPROEKT LTD. GAZINVESTPROEKT LTD.||Active Active|
|22.214.171.124 126.96.36.199||Master Master||PANAMA PANAMA||PANAMASERVER.COM PANAMASERVER.COM||Active Active|
The ISP/Colos involved were contacted but they ignored the abuse notifications sent to them, even though they contained clear and complete evidence of bad behaviour. This means that using these two live servers, the bot herders might try to recover their botnets by executing a worldwide update. No action has been taken by the bot herders so far. There is complete silence from their side.
Here at FireEye labs, we are monitoring Grum's activities on a 24/7 basis. Any attempt to recover this botnet will be noticed. I don't know if the security community will eventually be able to take down the rest of the Grum botnet, but we are trying and trying very hard. We did not give up after the first failed attempt and will continue to contact the Russian and Panamanian authorities through different channels. So this is an operation still in progress. I will keep you informed with the latest updates.