In another sweeping takedown of yet another botnet run by Internet cybercriminals, researchers at the security firm FireEye are announcing that they have dismantled the Grum botnet's command and control servers. As of Wednesday, the final CnC servers (six located in Ukraine and one in Russia) had been taken offline; as a result, overall spam volume across the Internet is expected to drop for a while.
In this operation, FireEye collaborated with the spam experts at Spamhaus, a well-known spam-tracking organization; the Computer Security Incident Response Team of Russian security firm Group-IB (CERT-IB); and an unnamed independent researcher.
The blow-by-blow of the researchers' work to neuter the botnet is fascinating, but the crux of it is that they needed to run an international operation across multiple nation-states to hit the core servers:
The state of the Grum botnet has changed since we last talked (see previous posts here and here for a look back). On July 16, I reported that while CnC servers in Panama and Russia were alive, shutting down the Dutch server had at least made a dent in this botnet. On the morning of July 17, we at FireEye got the news that the server in Panama was no longer active. The ISP owning this server at last buckled under the pressure applied by the community. It was great news. The shutdown of the Panamanian server meant a lot. I explained in my earlier post that Grum was comprised of two different segments. One was being controlled from Panama and one from Russia.
With the shutdown of the Panamanian server, a complete segment was dead forever. This good news was soon followed by some bad news. After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine. So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy.
According to FireEye, Grum was responsible for almost 18 percent of global spam volume. The spam from this botnet was geared toward selling bogus prescription drugs (instead of Rolex watches or whatever else is in vogue in spam right now). Before the takedown, Grum-originating spam spewed forth from 100,000 to 120,000 IPs every day and approximately 500,000 every week. The shutdown should silence those guns for a while, although the botnet may be back.
Because sometimes they come back…
We've seen several other major botnets taken to pieces by major Internet companies and firms such as Microsoft, but we've also seen that some of them are very hard to keep down. Two good examples are the Kelihos botnet (initially burned down by Microsoft in September 2011, after which it rose from its ashes and had to be put down again) and the ZeuS Trojan botnet, which implemented a peer-to-peer mechanism to reduce its reliance on CnC servers, though that didn't save it from being disrupted in March 2012. What makes these botnets so resilient?
It's that botnets aren't just CnC servers: they're also thousands, if not hundreds of thousands, of infected PCs all ready to act as a zombie army.
As botnets continue to grow in sophistication, some of them use internal encryption to protect their CnC protocols, and some, like ZeuS, use peer-to-peer networking so that any infected PC can promote itself to a CnC server. Because these communication networks spread alongside the malware itself, they can grow to hundreds of nodes in mere days and thousands within a week, following the infections. Security researchers must stay ahead of them by collecting samples, decompiling them, and finally coming up with an antibiotic.
Experts speculate that although the Grum botnet is gone, the people who built it are still at large. Given their previous gusto in building such a large and resilient botnet, they will more than likely build a new one. Attention must turn to capturing these cybercriminals and taking them out of circulation if we wish to see a lasting peace on the Grum front.