The security experts of FireEye destroyed Grum, the third largest botnet in the world, responsible for 18% of global spam
Grum … this is not the cry of a bear, or the murmur of geek spent too long sitting at his keyboard. This is the name of a botnet spammers the most virulent of the moment. He is responsible for 18% of global spam traffic, or about 18 billion spam messages daily! And it is also one of the oldest still in operation: it was established in 2008.
According Atif Mushtaq, project manager eradication Grum within FireEye , a company specializing in computer security, the strategy he has implemented, in conjunction with SpamHaus – a British company that operates in the hunt for the spam net – ended up paying “the price of many individual efforts” : Grum lived.
Chess game of global
Because many botnets , its distribution is based on servers scattered around the globe and thousands of PCs “zombies” who receive their instructions to relay sending. The battle has coordinated Atif Mushtaq looks like a chess world. Two types of servers CnC [Command and Control servers that control PCs “zombies” and send them instructions, Ed] have been identified by researchers safe . Two of them were located in the Netherlands and took care to indicate to PCs “zombies” that they had to send spam. Two other servers, responsible for updating the configuration information on the network of infected computers were identified in Panama and Russia.
Initially, the two Dutch servers were quickly out of harm’s way with the help of local authorities. Thus, much of the PC “zombies” found themselves “orphans” and without instructions, have become inactive. On the morning of July 17, 2012, Panama has the server in turn was destroyed. “With the disappearance of the latter is a whole section of which collapsed Grum definitely” , says the researcher from FireEye. On the one hand, some of the infected computers were no longer receiving orders and it was now impossible to update their configuration to make them functional again.
Evil as a hacker …
At this stage, the teams felt that it only remained to remove the Russian server. But cybercriminals have more than one trick up their sleeve: both servers Dutch had already been replaced by six new machines located, this time in Ukraine. This destination “virtual” is particularly popular with pirates on the Net who store their servers because authorities are deemed slow to respond and it is hard to dislodge.
Atif Mushtaq immediately shared this discovery with his counterparts from Spamhaus and CERT-GIB (a Russian company specializing in cybersecurity) as well as an anonymous researcher named Nova7. On the night of July 17 to 18, their consolidated actions supported by the intervention of the ISP and local authorities, came to the end of six Ukrainian and servers “command center” located in Russia. End of the Game: Grum is officially dead.
According to data provided by the firm Spamhaus, the 120,000 IP addresses of PCs “zombies” listed, only, 21,505 remained after the operation. Atif Mushtaq also states that all machines were not used for sending spam and the latter figure, although important, must correspond in fact to the computers hosting the sites to which promotional pirates sent back spams.
He concluded: “All botnets to spam that had their servers hosted in the U.S. or Europe have migrated to countries like Panama, Russia or Ukraine, imagining that no one would dislodge these comfortable places . We proved them wrong. Continue to dream of a mailbox spam free. “