Killing the Beast - Part 5

Back in 2009, I started writing a series of articles called "Killing the Beast." These articles were primarily focused on the command and control (CnC) coordinates of popular spam botnets. These articles not only provided readers greater visibility into these spam botnets, but also served as the basis for two botnet takedowns. So far, four articles under this series have been published. After a long time, I have decided to write the fifth one.

For a refresher, older posts can be accessed using the links shown below:

Part 1, Part 2, Part 3, and Part 4.

In recent years, we have seen the fall of many spam botnets including Srizbi, Rustock, Mega-D, Pushdo.A, Storm, and Waledac. But one botnet that has kept itself well under the radar is the Grum botnet. When I look into my Botnet Lab logs, I can see traces of Grum's earlier versions recorded around February 2008. That means that, as of today, this botnet is more than four years old. Readers who have been following the evolution of different botnets would agree that keeping a botnet active and alive for this many years is an achievement in itself.

Based on the latest statistics from M86Security, Grum is currently responsible for 17.4% of worldwide spam traffic, making it the world's third most active spam botnet after Cutwail and Lethic. Interestingly, Grum, which was once the world's number one spam botnet around January 2012 (at that time, Grum was responsible for 33.3% of worldwide spam), is already on its decline after losing its position to the Cutwail botnet.

For a successful takedown attempt, we need to clearly identify Grum's command and control coordinates. We also need to find out what would happen if the master CnC servers become unavailable during a takedown attempt. If Grum has a fallback mechanism, then we need to disrupt the secondary CnC structure as well and so on. The most important of all is the geo location of active command and control servers. Historically, it has been relatively easy to shutdown CnC servers located inside of the U.S. as compared to countries like Ukraine, Russia, and China.

Let's discuss Grum's main characteristics one by one:

  1. Grum has two different types of CnC servers 
    - CnCs that are responsible for serving configuration files and initial registration. I would refer to them as master CnCs.
    - CnCs that serve spam related activities. I would refer to them as secondary CnCs.
  2. Grum uses hard-code IP addresses instead of domain names.
  3. Grum is divided into small segments i.e., different malware builds talk to their own assigned set of CnCs.
  4. There is no fallback mechanism once the main and secondary CnCs are down. That particular segment will be without a master.


Figure 1. Grum talking to its master CnC

Grum does a variety of requests to its secondary CnC servers. All of these requests accomplish different types of spam-related tasks. For instance, a normal status message to a secondary server looks like this:


Figure 2. Grum talking to its secondary CnC

Based on the data collected during the last 45 days, we have observed five secondary and three master CnCs used by Grum botnet. However, not all of these servers are active as of today, July 6, 2012.

Here are the details:

IP Address Type Geo Locations Status (as of July 6 2012) Master Master PANAMA PANAMA Active Active Master Master PANAMA PANAMA Suspended or abandoned Suspended or abandoned Master Master RUSSIAN FEDERATION RUSSIAN FEDERATION Active Active Secondary Secondary NETHERLANDS NETHERLANDS Active Active Secondary Secondary NETHERLANDS NETHERLANDS Active Active Secondary Secondary NETHERLANDS NETHERLANDS Suspended or abandoned Suspended or abandoned Secondary Secondary NETHERLANDS NETHERLANDS Suspended or abandoned Suspended or abandoned Secondary Secondary NETHERLANDS NETHERLANDS Suspended or abandoned Suspended or abandoned



Keeping all of this information in mind, I am getting mixed feelings. I can see a few factors that can go in favor of the Grum botnet. At the same time, Grum has some obvious architecture-level weaknesses.

Grum's weak points are as follows:

  1. Grum has no fallback mechanism. Once the master CnCs are dead, no new connection can be made to the secondary servers. That said, bots already connected to secondary servers will be unaffected until the infected machine gets rebooted.
  2. There is just a handful of master IPs hard-coded inside Grum binaries.
  3. The Grum CnC mechanism depends upon the hard-coded IP addresses so we just have to deal with the data centers hosting these servers.
  4. The botnet is divided into small segments so even if some CnCs are not taken down, a portion of this botnet can still be dead.
  5. Since January of this year, we have seen a decline in the number of CnCs being used by this botnet. Grum is relatively weak due to its own reasons and this can go in our favor.

Grum has some strong points as well:

  1. The CnC servers are located in countries like Russia, Panama, and the Netherlands where authorities historically have been reluctant when dealing with abuse notifications.
  2. The number of servers are scattered across multiple data centers so one would have to deal with multiple parties.
  3. The botnet is divided into small segments. This is both a good and a bad sign. The bad part is that, unless all the involved CnCs are dead, this botnet cannot be officially declared as dead.

No doubt global spam volume is at a record low, thanks to the research community’s efforts against spammers. But the research community needs to maintain this pressure until we reach a point where the bad guys start thinking that becoming a spammer is not worth the risk. If I were to rank Grum's takedown difficulty level from one to five where five is the most difficult, I would give Grum a two.

Can we dream of a junk-free mailbox? Guess what—it's just a few takedowns away. In my opinion, taking down the top three spam botnets—Lethic, Cutwail, and Grum—is enough for a rapid and permanent decline in worldwide spam level. We still have to deal with small players, but I am sure that, after seeing the big players being knocked down, they will retreat as well.





<hr />



<p><em>For a complete behind-the-scenes look at the taking down of the Grum botnet, read <a href="/content/fireeye-www/global/en/www/blog/threat-research/2012/07/killing-the-beast-part-5.html">part 1</a>, <a href="/content/fireeye-www/global/en/www/blog/threat-research/2012/07/grum-cncs-just-a-few-more-to-go.html">part 2</a>, and <a href="/content/fireeye-www/global/en/www/blog/threat-research/2012/07/grum-botnet-no-longer-safe-havens.html">part 3</a>.</em></p>





For a complete behind-the-scenes look at the taking down of the Grum botnet, read Part 1, Part 2, and Part 3.