Grum—The Money Factor

As expected, the operators behind Grum are trying their best to reclaim their botnet. In the absence of any built-in fallback mechanisms, the bot herders used another fallback mechanism that is called money. Over the weekend we found that the Ukrainian ISP SteepHost removed the null route on three CnCs that were taken down last week. We suspect the bot herders must have paid a large amount of money in order to get access to these servers. We immediately noticed this change and contacted SteepHost once again. After hours of negotiations, they eventually shut down these CnCs once more. During this time there was a short burst of spam sent by Grum, but it has disappeared as of this morning. 

Grum.1d

Figure 1. Spam volume during this recovery attempt (Source: SpamHaus)

The volume of spam that Grum is sending out has dropped to zero again. Please note here that only three CnCs managed to go online over the weekend. The rest of the Grum segments controlled by other CnCs remained dead during this time period.

What are the odds that something like this will happen again? It's hard to predict at this time. Carel Van Straten of SpamHaus had a conversation with a SteepHost representative this morning. SteepHost assured him that something like this will not happen again. Interestingly, their excuses for letting these servers go online were break-ins and security-related issues. Funny, isn't it? They even claimed that this time they wiped out the CnC servers’ hard drives. Wow, virtually destroying all of the evidence?

A strong warning has been given to SteepHost that if something like this happens again, a complaint will be filed with their upstream provider which might de-peer them off the Internet. Alternatively their whole subnet can be blacklisted which could cause some serious damage to their business.