A botnet known as ‘Grum’, responsible for sending out 18% of all spam, has been taken offline by Atif Mushtaq of FireEye's malware intelligence lab. After Cutwail and Lethic, it was the third most active botnet in the world.
Atif has posted the main characteristics of Grum in a blog post:
- Grum has two different types of CnC servers:
  - CnCs that are responsible for serving configuration files and initial registration. I would refer to them as master CnCs.
  - CnCs that serve spam-related activities. I would refer to them as secondary CnCs.
- Grum uses hard-coded IP addresses instead of domain names.
- Grum is divided into small segments, i.e., different malware builds talk to their own assigned set of CnCs.
- There is no fallback mechanism once the main and secondary CnCs are down. That particular segment will be without a master.
CnC stands for Command and Control: the servers from which the infected machines receive their orders, and whose hard-coded addresses the bots contact directly. The botnet was active on hundreds of thousands of zombie computers. The servers were located in Panama, The Netherlands and Russia.
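One defensive consequence of the hard-coded-IP design described above: a host that opens a connection to an external address it never looked up through DNS is a useful anomaly signal. The following script is an added example, not code from the original post or from FireEye; it correlates constructed DNS-answer and connection log lines per client and flags such connections. The log format, the 30-minute window and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real traffic). Assumed line formats:
#   DNS  <timestamp> <client> <name> -> <answer_ip>
#   CONN <timestamp> <client> -> <dst_ip>:<port>
SAMPLE_LOG = """\
DNS  2012-07-18T10:00:00 10.0.0.5 mail.example.net -> 203.0.113.10
CONN 2012-07-18T10:00:01 10.0.0.5 -> 203.0.113.10:25
CONN 2012-07-18T10:00:05 10.0.0.5 -> 198.51.100.77:80
CONN 2012-07-18T10:00:06 10.0.0.5 -> 10.0.0.9:445
CONN 2012-07-18T10:00:07 10.0.0.7 -> 203.0.113.10:25
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
WINDOW = timedelta(minutes=30)  # how long a DNS answer "explains" a connection


def parse_ts(text):
    return datetime.fromisoformat(text)


def find_unresolved_connections(log_text, window=WINDOW):
    """Return (client, dst_ip, port) for outbound connections to external IPs
    that the same client did not receive in a DNS answer within `window`."""
    resolved = defaultdict(list)  # (client, ip) -> timestamps of DNS answers
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "DNS":
            ts, client, answer_ip = parse_ts(parts[1]), parts[2], parts[5]
            resolved[(client, answer_ip)].append(ts)
        elif parts[0] == "CONN":
            ts, client = parse_ts(parts[1]), parts[2]
            dst_ip, port = parts[4].rsplit(":", 1)
            if ipaddress.ip_address(dst_ip) in INTERNAL:
                continue  # internal traffic is out of scope for this check
            recent = [t for t in resolved[(client, dst_ip)] if ts - window <= t <= ts]
            if not recent:
                flagged.append((client, dst_ip, int(port)))
    return flagged


if __name__ == "__main__":
    for client, ip, port in find_unresolved_connections(SAMPLE_LOG):
        print(f"{client} -> {ip}:{port} with no preceding DNS answer")
```

Note that the correlation is per client: 10.0.0.7 is flagged for 203.0.113.10 even though another host resolved that name, which is exactly the pattern a bot with baked-in addresses produces.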
Atif ends the fifth part of ‘Killing the Beast’ with a very important point:
Can we dream of a junk-free mailbox? Guess what—it’s just a few takedowns away. In my opinion, taking down the top three spam botnets—Lethic, Cutwail, and Grum—is enough for a rapid and permanent decline in worldwide spam level. We still have to deal with small players, but I am sure that, after seeing the big players being knocked down, they will retreat as well.
Will there really be a spam-free future for email? Let’s hope so: it would make our inboxes and email servers a saner environment.