FireEye Leads Takedown of World’s Third-Largest Botnet

Global spam levels reduced 50 percent

FireEye®, Inc., the leader in stopping advanced targeted attacks, announced that it has taken down the world's third-largest botnet, Grum, in a collaborative effort with CERT-GB, SpamHaus, local Internet Service Providers (ISPs), and others in the community. Responsible for roughly 18 billion spam messages each day, which experts estimate to be 18 to 35 percent of global spam, the four-year-old Grum botnet included a network of hundreds of thousands of infected computers. Spam volume from another major botnet, Lethic, also plunged overnight as the operators of that botnet may have gone underground. Since the takedown on Wednesday, worldwide spam levels have reached a new low.

The FireEye-led takedown began last Monday when FireEye researchers identified the globally distributed servers controlling the hundreds of thousands of infected computers. By Tuesday, working with a Dutch ISP, the Grum botnet's command and control (CnC) servers based in the Netherlands were targeted and shut down. Then, the collaborative effort began as FireEye worked with others in the community to pursue and take down the servers located in Panama and Russia. Throughout Tuesday evening and Wednesday, the cybercriminals responded by building a half dozen new CnC servers in Ukraine to salvage the remainder of the Grum botnet. Working with Russian and Ukrainian ISPs and others in the community, the FireEye team, led by senior staff scientist Atif Mushtaq, orchestrated the shutdown of the remaining CnC servers on Wednesday, signaling the botnet's ultimate demise.

"As the leading company focused on stopping advanced cyber attacks, FireEye is uniquely positioned to garner deep insight into some of the world’s most prolific and widespread attacks," said Ashar Aziz, FireEye founder, CEO, and CTO. "We have an important responsibility to act swiftly and responsibly to shut down malicious operations whenever we can. The Grum botnet is just one instance of this activity. We will continue to lead collaborative efforts to help rid the world of organized cybercrime."

"Because of how the malware was written for Grum, when the master servers were killed, the infected machines could no longer send spam or communicate with a new server," said Mushtaq. "Botnet herders would have to start from scratch and infect hundreds of thousands of new machines to get something like Grum started again."

The Grum botnet is the fourth global botnet takedown in which FireEye has been heavily involved in the last four years. Led by the FireEye research team and leveraging the FireEye Malware Protection Cloud and proprietary signature-less analysis technology, the company has also played a key role in taking down the Rustock, Ozdok/Mega-D, and Srizbi botnets since 2008.

About FireEye, Inc.

FireEye is the leader in stopping advanced targeted attacks that use advanced malware, zero-day exploits, and APT tactics. The FireEye solutions supplement traditional and next-generation firewalls, IPS, anti-virus, and gateways, which cannot stop advanced threats, leaving security holes in networks. FireEye offers the industry's only solution that detects and blocks attacks across both Web and email threat vectors as well as latent malware resident on file shares. It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis to detect zero-day threats. Based in Milpitas, California, FireEye is backed by premier financial partners including Sequoia Capital, Norwest Venture Partners, and Juniper Networks.

Media Contact

Lisa Matichak

Katherine Nellums

# # #

FireEye is a trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.