Grum—New segment came and gone

Back in July, with the help of Spamhaus and CERT-GIB, FireEye took down Grum, one of the world's largest spam botnets. The whole shutdown operation was like a roller coaster ride and is explained in my previous blog posts here and here. Apart from an unsuccessful recovery attempt made by the bot herders a few days after the takedown, we never noticed any movement from the opposite side. Apparently the Grum guys had given up their botnet.

But the bot herders always had the option to take the risk and start rebuilding this botnet from scratch. This is precisely what they tried to do last week. They decided to bet one more time on this dead horse. Over the weekend I was notified by Thomas Morrison from Spamhaus that there was a new Grum C&C server in town. The new C&C server 176.53.30.3 was located in Turkey.

[Test]$ whois 176.53.30.3
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '176.53.30.0 - 176.53.30.255'

inetnum:         176.53.30.0 - 176.53.30.255
netname:         Kiralik-Sunucu-Tr
descr:           Istanbul DC Customer
country:         TR
admin-c:         KSM20-RIPE
tech-c:          KSM20-RIPE
status:          ASSIGNED PA
mnt-by:          SAYFA-NET-MNT
source:          RIPE # Filtered

person:          Kiralik Sunucu Musterisi
address:         Sayfa.NET Datacenter
address:         Radore Levent Metrocity AVM
address:         detayli musteri bilgisi ogrenmek icin email gonderiniz
address:         please email us for customer details
address:         TURKEY
phone:           +905327235263
fax-no:          +905327235263
nic-hdl:         KSM20-RIPE
mnt-by:          ISTANBULDC-MNT
abuse-mailbox:   registry@istanbuldc.com
source:          RIPE # Filtered

That first hint led me to find another live C&C server 176.53.30.2 located in the same colo. The good news is that both servers are dead at the moment, effectively killing this new segment of Grum.
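The pivot described above, from one C&C address to a neighbour in the same colo, follows directly from the inetnum range in the whois record. As an added illustration (not tooling from the post or from FireEye), this Python parses RPSL-style whois output and checks whether a second address falls inside the same allocation, then pulls the abuse mailbox for takedown coordination; the embedded record is a constructed, trimmed copy of the output quoted above.

```python
import ipaddress
# Constructed sample: a trimmed copy of the RIPE (RPSL) record quoted in the post.
SAMPLE_WHOIS = """\
% Information related to '176.53.30.0 - 176.53.30.255'

inetnum:         176.53.30.0 - 176.53.30.255
netname:         Kiralik-Sunucu-Tr
source:          RIPE # Filtered

person:          Kiralik Sunucu Musterisi
nic-hdl:         KSM20-RIPE
abuse-mailbox:   registry@istanbuldc.com
source:          RIPE # Filtered
"""

def parse_rpsl(text):
    """One dict per blank-line separated object; '%' comments and '# Filtered' remarks dropped."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith('%'):
            continue
        key, _, value = line.partition(':')
        key, value = key.strip(), value.split('#', 1)[0].strip()
        # repeated attributes (e.g. several address: lines) are joined with newlines
        current[key] = current[key] + '\n' + value if key in current else value
    if current:
        objects.append(current)
    return objects

def inetnum_networks(objects):
    """Convert the first inetnum range ('a - b') into a list of CIDR networks."""
    for obj in objects:
        if 'inetnum' in obj:
            first, last = (ipaddress.ip_address(p.strip()) for p in obj['inetnum'].split('-'))
            return list(ipaddress.summarize_address_range(first, last))
    return []

def same_allocation(objects, candidate):
    """True if `candidate` lies inside the record's inetnum range (same customer allocation)."""
    addr = ipaddress.ip_address(candidate)
    return any(addr in net for net in inetnum_networks(objects))

def abuse_contact(objects):
    """Abuse mailbox from the person/role object, for takedown coordination."""
    return next((o['abuse-mailbox'] for o in objects if 'abuse-mailbox' in o), None)
```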

Interestingly, the new segment did not try to use its limited time for any major spam-related activities. Most probably, the group was in a rebuilding process and wanted to keep themselves under the radar. Grum has been on our watch list since day one, and it is pretty naive on the bot herders' part to think that their actions would go unnoticed. Their new investment went badly, costing them some real time and money.

We will continue to monitor Grum's activities and coordinate with the community for appropriate actions when needed.