Security experts on Wednesday claimed that they have finally killed the world’s third-largest botnet, the Grum botnet.
In a post on the company blog on Wednesday, FireEye researcher Atif Mushtaq announced that Grum has finally been wrestled out of the control of its creators.
At its most active point, the Grum botnet was sending out about 18 billion spam emails daily.
“Based on the latest statistics from M86Security, Grum is currently responsible for 17.4% of worldwide spam traffic, making it the world’s third most active spam botnet after Cutwail and Lethic,” Mushtaq wrote.
The operation to bring down the Grum botnet was undertaken by FireEye, Spamhaus, CERT-GIB and other parties. Botnets are networks of computers infected with malware by botnet herders, which lets the herders use these computers for activities like spamming and participating in Distributed Denial-of-Service (DDoS) attacks.
The final leg of the operation began on Monday, when FireEye, along with other security firms, began shutting down the Command and Control (CnC) servers used by the Grum botnet in the Netherlands and Panama, through requests to internet service providers and with the help of authorities.
Mushtaq wrote in an earlier post on the FireEye blog that there were two types of CnC servers used by the Grum botnet: master CnCs that “are responsible for serving configuration files and initial registration” and secondary CnCs that “serve spam related activities”.
CnC servers are used in botnets to distribute instructions from the controllers of the whole system.
By Monday, a Panamanian master CnC server and the Dutch secondary CnC servers of the Grum botnet had been knocked offline by authorities. However, Mushtaq said on Monday that “master CnC servers located in Panama and Russia are still alive and kicking.”
On Wednesday, Mushtaq announced that “after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned.”
Countries like Panama, the Netherlands, Russia and territories in the former Soviet Union have been known as a sort of safe haven for botnet operators because – as Mushtaq puts it in an earlier post on the FireEye blog – authorities in these countries “historically have been reluctant when dealing with abuse notifications” sent to them to request takedowns of servers used by botnet operators.
The takedown of the Grum botnet was relatively easy, however, as the botnet was inherently weak because of the structure it utilized.
“If I were to rank Grum’s takedown difficulty level from one to five where five is the most difficult, I would give Grum a two,” Mushtaq said in a previous entry on the FireEye blog.
The Grum botnet used “just a handful of master IPs hard-coded inside Grum binaries,” Mushtaq said.
“The Grum CnC mechanism depends upon the hard-coded IP addresses so we just have to deal with the data centers hosting these servers,” Mushtaq explained.
Furthermore, Grum “has no fallback mechanism. Once the master CnCs are dead, no new connection can be made to the secondary servers. That said, bots already connected to secondary servers will be unaffected until the infected machine gets rebooted,” the researcher said.
Compare this for example to the structure used in the Kelihos.B botnet (named Hlux by other security firms) which was taken down by a concerted effort led by Kaspersky Lab, the CrowdStrike Intelligence Team, the Honeynet Project and Dell Secureworks back in March.
The Kelihos.B botnet was a peer-to-peer (P2P) botnet, a structure that makes such botnets especially resistant to takedowns.
Unlike Grum, which had the IP addresses of its CnCs hard-coded into its binaries, the Kelihos.B botnet was more dynamic, in the sense that its CnC servers could be changed by the botnet herders once they knew a certain server had been taken down or breached by security researchers.
Because of the P2P nature of these types of botnets, the herders can issue instructions through other, still-uncompromised CnC servers to propagate a new set of master servers, to which the zombie computers will then look for their instructions.
So if a CnC server on a P2P botnet is compromised or taken down by authorities or security researchers, botnet herders can propagate a new list of CnC servers through the P2P botnet network to regain control of the botnet.
Essentially, the takedowns of the Grum botnet and the Kelihos.B botnet were different operations. With Grum, the CnC servers were brought down, and because the botnet had hard-coded IPs for its CnCs and no fallback system, the zombie computers were effectively orphaned once their masters were taken down.
With botnets like Kelihos.B, security researchers need to “sinkhole” the network, fooling the zombie computers into thinking that servers set up by the researchers are the CnC servers set up by the botnet herders, in order to take control of the botnet and eventually take it down.
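To make the contrast between the two designs concrete, here is a small added Python model that walks a bot population through the stages the article describes: masters taken down while secondaries stay up, a reboot, a herder attempt to announce new servers, and a researcher sinkhole. It is not FireEye's code and not Grum's or Kelihos.B's real logic; the server names, bot counts and the simplified "peers can hand a bot a new master list" rule are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass
class Bot:
    masters: list                   # master CnC list the bot knows (hard-coded in Grum)
    updatable: bool                 # True = P2P style: peers can hand it a new list
    secondary: "str | None" = None  # secondary CnC the bot registered with, if any

class Network:
    def __init__(self, masters, secondaries, n_bots, p2p):
        self.live = set(masters) | set(secondaries)  # servers currently reachable
        self.secondaries = list(secondaries)
        self.bots = [Bot(list(masters), p2p) for _ in range(n_bots)]

    def register(self, bot):
        """Initial registration: a live master hands out a live secondary."""
        has_master = any(m in self.live for m in bot.masters)  # no live master: no fallback
        bot.secondary = next((s for s in self.secondaries if s in self.live), None) if has_master else None

    def take_down(self, servers):
        self.live -= set(servers)  # bots registered with a dead secondary go silent
    def push_master_list(self, new_masters, new_secondaries):
        """Announce replacement servers (herders to recover, sinkholers to capture)."""
        self.live |= set(new_masters) | set(new_secondaries)
        self.secondaries = list(new_secondaries)
        for b in self.bots:
            if b.updatable:  # Grum bots cannot be given a new master list
                b.masters = list(new_masters)
    def reboot_all(self):
        for b in self.bots:
            self.register(b)  # a reboot drops the old connection and forces re-registration

    def talking_to(self, prefix):
        return sum(1 for b in self.bots if b.secondary in self.live and b.secondary.startswith(prefix))

def scenario(p2p, n_bots=100, registered=60):
    """Bots still under herder control at each stage, plus how many a sinkhole captures."""
    net = Network(["master-pa", "master-ru"], ["sec-nl-1", "sec-nl-2"], n_bots, p2p)
    for b in net.bots[:registered]:
        net.register(b)  # these bots registered before the takedown began
    net.take_down(["master-pa", "master-ru"])
    after_masters = net.talking_to("sec")  # already-connected bots keep spamming
    net.reboot_all()
    after_reboot = net.talking_to("sec")   # Grum: orphaned, no live master to ask
    net.push_master_list(["master-new"], ["sec-new"])
    net.reboot_all()
    recovered = net.talking_to("sec-new")  # P2P herders regain control; Grum cannot
    net.push_master_list(["sink-master"], ["sink-cnc"])
    net.reboot_all()
    sinkholed = net.talking_to("sink")     # P2P is taken down by sinkholing instead
    return after_masters, after_reboot, recovered, sinkholed
```

Running `scenario(False)` gives the Grum outcome (60 bots keep spamming until the reboot, then none, and no recovery is possible), while `scenario(True)` shows a P2P-style population that the herders fully recover and that only a sinkhole brings under researcher control.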
If you have seen a marked decrease in the amount of spam messages you received since Wednesday, the Grum botnet takedown may be the reason why.
Furthermore, the takedown of the Grum botnet has also seemingly spooked the herders of the Lethic botnet as they have gone quiet, reducing Lethic’s activity.