
Global Spam Takes a Blow as Grum Botnet is Taken Down

Global spam fell by roughly 18 percent after security experts blocked the Grum botnet’s command and control servers in the Netherlands and Panama on Tuesday. Shortly after the two servers were blocked, Grum’s operators set up seven new command and control servers in Russia and Ukraine.

The takedown was completed on Wednesday morning through a collaboration between FireEye, a security company based in Milpitas, and its security counterparts in Russia. Internet service providers were notified to shut down the servers hosting the botnet, leaving infected computers without servers to connect to.

The same security experts say Grum’s creators will have a hard time re-establishing command and control, because the bot was hard-coded to connect to a master server that has now been taken down.

“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye. “They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”

Grum was believed to be the third largest spam botnet. Because the infected computers can no longer reach a master server, it is unlikely that this version of the botnet will resurface any time soon.

About the author


Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.


  • “… leaving infected computers without servers to connect to.”
    If they have access to the servers, why don’t they send a “suicide/kill/uninstall/etc.” instruction to all bots instead of just shutting down the servers?

  • “why don’t they send a ‘suicide/kill/uninstall/etc.’”

    1. The server owner will never get direct access to the client area to see what is inside … after some reports they will try to communicate with the client about the incident.
    If the reports have all the info and there is something illegal … then the owner has the right to shut down the host/server …

    2. Hacking is illegal …. pentesting is illegal ….. … the report is the only legal way to act.

    And yes …. the best way is to “kill” the bot.

    Have Fun & Stay Safe!

  • Legal … is what you say,

    but what do you say about this:
    1. Start up a new server with the IP of the old C&C / redirect the domain address to a controlled server.
    2. Install a C&C (or something like it) whose only job is to send a kill command to all bots that try to connect.

    I don’t think this is illegal.

    If they have the bot binaries (infected exe file), they can find all the commands of the bot and know how it communicates with the C&C, and I think it is not very difficult for a PHP programmer to build a script for sending kill commands (when a new bot connects, send kill).

    Just my opinion. Have fun.

  • Yes … this is a nice way.
    They must find a way to reverse the connection and send the suicide command to the bot server
    … or better …. a custom request filter .. and if someone installs a botnet host, they will be banned at the first test/request.

  • Communication between the C&C and the bot servers is simple.
    A new bot, or a bot after the PC starts, sends a hello message to the C&C:
    bot to C&C: hello, I’m bot v.007, pc user, pc id
    The C&C checks the bot; if the bot is new, it adds the bot to the DB and the “to do” task for the bots.
    C&C to bot: hello, you have to do this

    A good reverse engineer can obtain the full bot command set from the binary file, or you can sniff the network traffic between the bot and the C&C to see how they communicate.
    Now, the only problem would be if the communication is encrypted with asymmetric encryption.
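The check-in exchange sketched in the comment above is what a takedown team actually sees once the C&C address points at a sinkhole: a stream of “hello” messages, one per infected machine. The example below is added here and is not code from the article, from FireEye, or from any real takedown tooling. It assumes the message shape given in the comment (“hello i'm bot v.007, pc user, pc id”) and uses constructed sample check-ins from documentation IP ranges. It parses the check-ins into an inventory a responder can hand to the ISPs that own the source addresses, and its reply handler deliberately hands out no tasks at all, so the sinkhole only counts and never commands. If the bot authenticates commands with a signature (the asymmetric-encryption case raised in the comment), a sinkhole could not issue commands anyway, but this counting still works because the bot talks first.

```python
"""Sinkhole check-in parser: inventory infected hosts from bot 'hello' messages.

Added example, not code from the article or from any takedown project.
The message format is assumed from the comment: "hello i'm bot v.007, pc user, pc id".
Every sample line below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed check-ins as (source_ip, payload) pairs, as a sinkhole that
# took over the C&C address would receive them. Not real Grum traffic.
SAMPLE_CHECKINS = [
    ("198.51.100.7", "hello i'm bot v.007, alice, 3f9a1c"),
    ("203.0.113.21", "hello i'm bot v.007, bob, 77be20"),
    ("198.51.100.7", "hello i'm bot v.007, alice, 3f9a1c"),  # same host checking in again
    ("192.0.2.44",   "hello i'm bot v.006, carol, 3f9a1c"),  # older build, reused pc id
    ("192.0.2.45",   "GET / HTTP/1.1"),                      # scanner noise, not a bot
]

# Assumed wire format; the three fields follow the comment's description.
CHECKIN_RE = re.compile(
    r"^hello i'm bot v\.(?P<version>\d{3}),\s*(?P<user>[^,]+),\s*(?P<pcid>[0-9a-f]+)\s*$"
)


@dataclass(frozen=True)
class Checkin:
    src_ip: str
    version: str
    user: str
    pcid: str


def parse_checkin(src_ip, payload):
    """Return a Checkin for a well-formed hello message, otherwise None."""
    m = CHECKIN_RE.match(payload.strip().lower())
    if m is None:
        return None
    return Checkin(src_ip, m["version"], m["user"].strip(), m["pcid"])


def build_inventory(records):
    """Aggregate check-ins into what an ISP notification needs: per pc id,
    the source addresses seen, the bot versions, and how often it checked in.
    Anything that does not parse is counted as noise rather than dropped silently."""
    hosts = defaultdict(lambda: {"ips": set(), "versions": set(), "checkins": 0})
    unparsed = 0
    for src_ip, payload in records:
        c = parse_checkin(src_ip, payload)
        if c is None:
            unparsed += 1
            continue
        entry = hosts[c.pcid]
        entry["ips"].add(c.src_ip)
        entry["versions"].add(c.version)
        entry["checkins"] += 1
    return {"hosts": dict(hosts), "unparsed": unparsed}


def notification_lines(inventory):
    """One line per infected host, sorted by pc id, for a mail to the address owner."""
    lines = []
    for pcid, e in sorted(inventory["hosts"].items()):
        lines.append(
            f"pcid={pcid} ips={','.join(sorted(e['ips']))} "
            f"versions={','.join(sorted(e['versions']))} checkins={e['checkins']}"
        )
    return lines


def sinkhole_reply(checkin):
    """A sinkhole acknowledges the check-in but never hands out work: the bot
    receives an empty task list, so no command of any kind is issued."""
    return {"ack": True, "tasks": []}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_CHECKINS)
    for line in notification_lines(inv):
        print(line)
    print("unparsed:", inv["unparsed"])
```

Keying the inventory on the bot's own pc id rather than on the source address is a deliberate choice: the same machine shows up from different addresses after a DHCP lease change or from behind NAT, and the last sample line shows the flip side, a reused id across two builds, which the inventory surfaces by listing both versions instead of collapsing them.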