Grum CnCs—Just a few more to go

This post was updated on July 17, 2012, at 3:15 PM.

Last week, I wrote an article covering various aspects of a large spam botnet named Grum. That article mainly covered the current command and control (CnC) coordinates of this botnet. The intention behind it was not only to share this information for general awareness, but also to invite the research community to come forward and take down this spam beast. I can see that this strategy is really working. Dutch authorities have pulled the plug on two of the CnC servers, at IP addresses 94.102.51.226 and 94.102.51.227 [1]. Thanks to the Dutch authorities for swift action.

[Image: Dead_cnc]

These two CnC servers were responsible for pumping spam instructions to their zombies. With these two servers offline, the spam template inside Grum's memory will soon time out, and the zombies will try to fetch new instructions but will not be able to find them. Ideally this should stop these bots from sending more spam. I am sure the absence of the spam sent by the world's third largest spam botnet will have a significant impact on the global volume.

However, this is not a complete victory. The master CnC servers located in Panama and Russia are still alive and kicking.

IP              Type    Geo Location         Colo                   Status
91.239.24.251   Master  RUSSIAN FEDERATION   GAZINVESTPROEKT LTD.   Active
190.123.46.91   Master  PANAMA               PANAMASERVER.COM       Active
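The four addresses in this post (the two Dutch-hosted servers that are now offline and the two master servers that are still active) are the only indicator a network defender needs to find Grum-infected hosts in egress logs. The following is an added example, not code from the original post or from FireEye: it parses a handful of constructed iptables-style firewall lines (the log format and the internal 10.0.0.x hosts are assumptions), matches outbound destinations against the CnC table, and then triages each host. The distinction it draws is the one the post makes: a host still polling a dead CnC is infected but idle, while a host that can reach a live master can receive a fresh spam template or a worldwide update.

```python
import re
from collections import defaultdict

# Grum CnC addresses as published in this post (July 2012). Status mirrors the
# post: the two Dutch-hosted servers are offline, the masters in Russia and
# Panama were still active at the time of writing.
GRUM_CNC = {
    "94.102.51.226": ("secondary", "offline"),
    "94.102.51.227": ("secondary", "offline"),
    "91.239.24.251": ("master", "active"),
    "190.123.46.91": ("master", "active"),
}

# Constructed sample firewall log lines in an assumed iptables-style
# key=value format. This is not real traffic; 93.184.216.34 is a benign
# destination included so the filter has something to ignore.
SAMPLE_LOG = """\
Jul 17 14:02:11 fw kernel: OUT SRC=10.0.0.17 DST=94.102.51.226 PROTO=TCP DPT=80
Jul 17 14:02:13 fw kernel: OUT SRC=10.0.0.17 DST=94.102.51.227 PROTO=TCP DPT=80
Jul 17 14:05:40 fw kernel: OUT SRC=10.0.0.42 DST=93.184.216.34 PROTO=TCP DPT=443
Jul 17 14:06:02 fw kernel: OUT SRC=10.0.0.17 DST=91.239.24.251 PROTO=TCP DPT=80
Jul 17 14:09:55 fw kernel: OUT SRC=10.0.0.88 DST=94.102.51.226 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Extract source, destination, protocol and destination port from one
    log line; return None for lines that do not carry a connection record."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_cnc_contacts(log_text, cnc_table=GRUM_CNC):
    """Return {internal_host: [(dst, role, status), ...]} for every outbound
    connection whose destination is a known Grum CnC address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in cnc_table:
            continue
        role, status = cnc_table[rec["dst"]]
        hits[rec["src"]].append((rec["dst"], role, status))
    return dict(hits)


def triage(hits):
    """Label each infected host. Contact with a dead CnC still proves the bot
    is running and polling; contact with a live master means the host can
    receive a new spam template or a recovery update and should be isolated
    first."""
    report = {}
    for host, contacts in hits.items():
        live = any(status == "active" for _, _, status in contacts)
        report[host] = (
            "infected, reachable live master" if live else "infected, CnC offline"
        )
    return report


if __name__ == "__main__":
    found = find_cnc_contacts(SAMPLE_LOG)
    for host, verdict in sorted(triage(found).items()):
        dests = ", ".join(dst for dst, _, _ in found[host])
        print(f"{host}: {verdict} ({dests})")
```

Because the offline servers stay in the table with an "offline" status rather than being dropped, the check keeps catching hosts that are still beaconing to the dead Dutch addresses; those hosts are exactly the ones a worldwide update from the surviving masters would try to reclaim.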

The ISP/Colos involved were contacted but they ignored the abuse notifications sent to them, even though they contained clear and complete evidence of bad behaviour. This means that using these two live servers, the bot herders might try to recover their botnets by executing a worldwide update. No action has been taken by the bot herders so far. There is complete silence from their side.

Here at FireEye Labs, we are monitoring Grum's activities on a 24/7 basis. Any attempt to recover this botnet will be noticed. I don't know if the security community will eventually be able to take down the rest of the Grum botnet, but we are trying, and trying very hard. We did not give up after the first failed attempt and will continue to contact the Russian and Panamanian authorities through different channels. So this is an operation still in progress. I will keep you informed with the latest updates.

[1] Note: To clarify, the reference to Dutch authorities in this post is to the Dutch Colo/ISP.


For a complete behind-the-scenes look at the taking down of the Grum botnet, read Part 1, Part 2, and Part 3.