You know all that spam e-mail you've been getting about fake prescription drugs? A security firm has helped to take down the botnet behind it.
Last week, California-based FireEye Malware Intelligence Labs posted on its blog the command and control (CnC) coordinates of the large spam botnet called Grum. "The intention behind this article was not only to share this information for a general awareness," posted the company's Atif Mushtaq, "but also to invite the research community to come forward and take down this spam beast."
'Pulled the Plug'
And, he reported, that's what happened, except it wasn't the research community but Dutch authorities who did the deed. Mushtaq reported that they have "pulled the plug on two of the CnC servers pointing to IP addresses 220.127.116.11 and 18.104.22.168."
He added that these two CnC servers were "responsible for pumping spam instructions to their zombies." In this case, zombies refer not to undead humans, but to undead computers that have been commandeered by malware to resend spam, often without their users' knowledge.
With the servers offline, Mushtaq said, the spam template inside Grum would "soon time out and the zombies will try to fetch new instructions" but would not be able to find them.
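That failed fetching is itself a signal for defenders: once the CnC servers are dead, any internal host that keeps trying to reach the published addresses is a likely Grum zombie. The following is an added example (not from the article or from FireEye) that scans firewall log lines for that pattern; the two CnC addresses are the ones the article quotes, while the log format, timestamps and internal hosts are constructed for illustration.

```python
# Added example: find hosts that keep trying to reach the published Grum CnC
# addresses after the takedown. Log format below is constructed, not any
# vendor's real format.
from collections import defaultdict
import re

# CnC addresses as quoted in the article; nothing else is taken from it.
GRUM_CNC = {"220.127.116.11", "18.104.22.168"}

# Constructed sample firewall log (hypothetical hosts and timestamps).
SAMPLE_LOG = """\
2010-03-15T10:00:01 src=10.0.0.5 dst=220.127.116.11 dport=80 action=DENY
2010-03-15T10:00:03 src=10.0.0.5 dst=220.127.116.11 dport=80 action=DENY
2010-03-15T10:00:05 src=10.0.0.5 dst=18.104.22.168 dport=80 action=DENY
2010-03-15T10:00:07 src=10.0.0.9 dst=93.184.216.34 dport=443 action=ALLOW
2010-03-15T10:00:09 src=10.0.0.12 dst=18.104.22.168 dport=80 action=DENY
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def find_zombies(log_text, cnc_ips=GRUM_CNC, min_hits=2):
    """Return {src: [(cnc_ip, count), ...]} for internal hosts that made at
    least min_hits connection attempts to any of the CnC addresses.
    A single hit can be noise (a scanner, a researcher); repeated attempts
    match a zombie retrying for new instructions."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst, _dport, _action = m.groups()
        if dst in cnc_ips:
            hits[src][dst] += 1
    return {
        src: sorted(dsts.items())
        for src, dsts in hits.items()
        if sum(dsts.values()) >= min_hits
    }


if __name__ == "__main__":
    for host, attempts in find_zombies(SAMPLE_LOG).items():
        print(host, "->", attempts)
```

Lowering `min_hits` to 1 also surfaces 10.0.0.12, which made a single attempt; the threshold is where you trade false positives against missed infections.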
But, Mushtaq reported earlier this week, Grum's master CnC servers, based in Panama and Russia, were still up -- so Mushtaq published their information as well. He said that the ISPs handling those servers were contacted with abuse notifications, which were ignored. The botnet's operators could update its zombies from these servers, which would reconstitute the spam network.
'Killing the Beast'
Then, on Thursday, Mushtaq posted that the server in Panama had been taken down, the result of the ISP eventually succumbing to community pressure. But then, he wrote, "right in front of my eyes, the bot herders started pointing their botnet" to six new servers in the Ukraine, which has been a safe haven for botnets in the past.
He passed the information on to spam-fighting organizations, such as Spamhaus, which then communicated with their contacts in the Ukraine and Russia. As of the end of this week, all six new servers in the Ukraine and the original server in Russia have been taken down.
This Grum-bashing from FireEye took place in the latest of a series of its blog articles called "Killing the Beast," which focus on the CnC coordinates of major spam botnets. Two previous spam botnet takedowns have been credited to these articles.
The Grum botnet, according to Mushtaq, is over 4 years old, and has recently been responsible for about 17 percent of the world's spam. This makes it the third-largest botnet in the world, after the ones called Cutwail and Lethic.
This is actually a diminished status for Grum, since it had been the No. 1 spam botnet as of January of this year, accounting for about a third of all e-mail spam on the planet.