In its heyday, the Grum botnet came to control more than 100,000 computers around the world and was responsible for sending 18% of the planet's spam. The network of zombie machines came to an end in July this year thanks to an operation by the security firm FireEye, which mounted an attack that managed to exterminate it completely.
An article published by the website TechCrunch shows how the company pulled off this feat and tells the full story of the botnet. It all began in 2007, when a group of hackers began sending out an executable file that supposedly belonged to Internet Explorer 7. Once the owners of the PCs ran it, the fake software handed the attackers control of thousands of infected machines.
Because the code used by Grum's administrators infected an important part of the Windows registry, uninstalling it was virtually impossible. Through constant updates to the malicious code, its creators ensured that infected machines kept reconnecting automatically to the servers responsible for sending the spam messages, which perpetuated the threat.
The timing of the attack
Although it was considered the largest spam network in the world in January 2012, within six months Grum suffered a large drop in the number of servers it used to propagate its attacks. This was the moment that Atif Mushtaq, a scientist at the security company FireEye, judged ideal for launching an attack capable of knocking down the botnet.
After identifying that the botnet's servers were located mainly in the Netherlands, Ukraine, Russia and Panama, he contacted the authorities in those countries to get them taken offline. The first to be eliminated was the one on Dutch territory, which local authorities took down in a short time.
Other groups specializing in security that were following the operation immediately offered to help FireEye. After the servers located in Ukraine had been taken down, Grum's managers acted swiftly to revive their activities in that country.
With the help of the Spamhaus group, CERT-GIB and an anonymous researcher known as Nova7, Mushtaq's team managed to bring down these new servers and, on July 18 this year, cut off access to the original machine located in Russia. With that, the network was officially dead: of the roughly 120,000 IP addresses it had at its disposal, only 21,505 remained, all of them unable to communicate with the botnet's administrators.
The end of an era
"In a way, we were lucky with that, because we had an existing relationship with all the ISPs involved, so we did not have to call them and explain how bad the situation was, etc. etc.," said Carel van Straten of the Spamhaus group. But for FireEye, the story should not end there.
In an update published on the company's blog, Atif Mushtaq said that "there are no safe places. Most spam botnets that used to keep their servers in the United States and Europe have moved to countries like Panama, Russia and Ukraine, thinking that no one could touch them in those comfort zones. We proved them wrong this time. We will keep on dreaming of inboxes free of junk."