Roughly 18 percent of global spam was cut off as security experts blocked the Grum botnet’s command and control servers in the Netherlands and Panama on Tuesday. Shortly after the two servers were blocked, Grum’s architects quickly set up seven new command and control centers in Russia and Ukraine.
The takedown was completed on Wednesday morning, the result of a collaboration between FireEye, a security company based in Milpitas, and its security counterparts in Russia. Internet service providers were notified to shut down the servers hosting the botnet, leaving infected computers without servers to connect to.
The same security experts say Grum’s creators will have a hard time reestablishing the command and control servers, as the botnet was specifically coded to connect to a master server that has been taken down.
“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye. “They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”
The spam botnet was believed to be the third largest. Because infected computers can no longer connect to a master server, it’s unlikely this version of the botnet will surface any time soon.
“… leaving infected computers without servers to connect to.”
If they have access to the servers, why don’t they send a “suicide/kill/uninstall/etc.” instruction to all bots rather than shutting down the servers?
“why don’t they send a ‘suicide/kill/uninstall/etc.’”
1. The server owner will never get direct access to the client area to see what is inside … after some reports, they will try to communicate with the client about the incident.
If the reports have all the info and there is something illegal … then the owner has the right to shut down the host/server …
2. Hacking is illegal …. pentesting is illegal …..
.. so … the report is the only legal way to act
And yes …. the best way is to “kill” the bot
Have Fun & Stay Safe !
Legal … is as you say,
but what do you say about this:
1. Start up a new server with the IP of the old cc / redirect the domain addresses to a controlled server
2. Install a cc, or something like that, whose only job is to send a kill command to all bots that try to connect
I don’t think this is illegal.
If they have the bot servers (infected exe file), they can find all the commands of the bot, know how it communicates with the cc, and I think it is not very difficult for a PHP programmer to build a script for sending kill commands (when a new bot connects, send kill).
Just my opinion. Have fun
Yes … this is a nice way
They must find a way to reverse the connection and send the self-suicide command to the bot server
… or better …. a custom request filter .. and if someone installs a botnet host, they will be banned at the first test/request
Communication between cc and bot servers is simple.
A new bot, or a bot after PC start, sends a hello message to the cc:
bot to cc: hello, I’m bot v.007, pc user, pc id
The cc checks the bot; if the bot is new, it adds the bot to the db and the “to do” tasks for bots
cc to bot: hello, you have to do this
A good reverse engineer can obtain the full bot command set from the binary file, or you can sniff network traffic between bot and cc to see how they communicate.
Now, the only problem can be if communication is encrypted with asymmetric encryption.
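The asymmetric-crypto caveat in the comment above, as an added example that is not code from this page or from any real botnet: a toy bot in Go that pins the operator's Ed25519 public key and acts only on commands signed with the matching private key, so a sinkhole that has fully reverse-engineered the check-in protocol still cannot issue an accepted kill, which is why a takedown then depends on removing the servers rather than commanding the bots. The Bot, Command and Sign names, the "kill" body and the use of signatures (rather than encryption) to model the comment's point are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Command is the reply a C2 (or a sinkhole standing in for it) returns to a check-in: a body such as "kill" plus a signature over it. Constructed model, not Grum's format.
type Command struct {
	Body []byte
	Sig  []byte
}

// Bot models an infected host built with the operator's public key pinned; it applies a command only when the signature verifies under that key.
type Bot struct {
	operatorPub ed25519.PublicKey
	alive       bool
}

// NewBot returns a running bot pinned to pub.
func NewBot(pub ed25519.PublicKey) *Bot { return &Bot{operatorPub: pub, alive: true} }

// Receive verifies the command and, if valid, executes it; it reports whether it was accepted.
func (b *Bot) Receive(c Command) bool {
	if !ed25519.Verify(b.operatorPub, c.Body, c.Sig) {
		return false // forged, unsigned or replayed-with-wrong-key command: ignored
	}
	if string(c.Body) == "kill" {
		b.alive = false
	}
	return true
}

// Alive reports whether the bot is still running.
func (b *Bot) Alive() bool { return b.alive }

// Sign produces a command signed with priv; only the holder of the pinned key's private half can issue accepted commands.
func Sign(priv ed25519.PrivateKey, body string) Command {
	return Command{Body: []byte(body), Sig: ed25519.Sign(priv, []byte(body))}
}

func main() {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader) // operator keypair; the public half is baked into the bot
	_, sinkPriv, _ := ed25519.GenerateKey(rand.Reader)  // a sinkhole only has a key of its own
	bot := NewBot(opPub)
	fmt.Println("sinkhole kill accepted:", bot.Receive(Sign(sinkPriv, "kill")), "alive:", bot.Alive())
	fmt.Println("operator kill accepted:", bot.Receive(Sign(opPriv, "kill")), "alive:", bot.Alive())
}
```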