July 19, 2012
Spam Botnet Defeated
Michael Harper for redOrbit.com — Your Universe Online
You can put your children safely to bed tonight with an easy mind: Internet security experts last night were able to take down and defeat Grum, the world's third-largest botnet.
According to the researchers responsible for hunting down the botnet and delivering the final blow, Grum was so large, it was responsible for nearly 18% of the world's spam, sending out 18 million spammy messages a day.
FireEye – The Botnet Hunters – had been in hot pursuit for three days, taking down its Dutch and Panamanian command-and-control (CnC) servers on Tuesday.
Waking up on Wednesday, the FireEye team noticed Grum's architects had installed 7 new CnCs in Russia and Ukraine. Working together with a team in Russia and SpamHaus – a British team which tracks and blocks spam – FireEye was able to attack and defeat these final strongholds in Eastern Europe, finally slaying botnet Grum.
Now, all that remains of Grum are a few thousand zombie computers lost without a proper CnC. According to the reconnaissance team at SpamHaus, Grum consisted of at least 120,000 IP addresses which it used to send out the spammy messages of housing loans, Viagra, and fake accessories. After the day's conquests, they saw the number of IP addresses shrink to a manageable 21,505. Without a proper CnC to report to, it's said these zombie computers will eventually wither away.
Do not be fooled by the number of IP addresses, says the FireEye team. While there were 120,000 known IP addresses being used to flood the world's inboxes, there are many environments (such as corporate offices) wherein outgoing mail is automatically blocked. These computers could have been used to power their promotional sites rather than send out spam.
Russia has often been viewed as a bit of a sanctum for hackers and botnet operators. As such, the slaying of Grum on these supposed “safe” grounds for cyber-criminality can be seen as a sign of things to come. In his blog, FireEye lead researcher Atif Mushtaq gives a post-mortem of Grum and the state of Russia as a safe house for botnets: “When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens.”
“Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time.”
When asked if Grum is truly dead, Mushtaq replied, “The botnet does not have any apparent fall back mechanisms that would allow it to spin back up easily in the days to come.”
Mushtaq has noticed a trend, however, saying most spammers are opting to run smaller operations rather than set up huge botnets which can be easily detected. Now, some spammers are looking to mobile devices running Google's Android rather than desktop PCs.
According to security expert Terry Zink, at least one Android botnet exists, sending out spammy messages from compromised Yahoo accounts.
Though researchers don't yet have a copy of the malware being used to recruit these Android devices into the Dirty World of Spam, they predict these users simply downloaded a pirated copy of an otherwise legitimate app.
For now, the world can open their inbox with a little less trepidation knowing there are the likes of Mushtaq and Zink out there, fighting the good fight against spam.