How Cybersleuths Took Down Spam King Grum

Governments, researchers and private companies are working overtime to root out spam from the Internet. Today brings good news: Grum, a botnet responsible for 18% of all spam, is no more. Here’s how a team of crack cybersleuths took down the world’s third-largest spammer.

The search-and-destroy stories that surface when a spam botnet is taken down are some of the juiciest to be found in any medium. Botnet takedowns have all the elements of a great plot: a global villain, exotic locales, despicable offenses, dedicated heroes who strive for the good of humanity, and a mystery that takes many steps to uncover. It is “Dick Tracy” meets “Hackers.”

Grum was a devious mist of a network with no obvious central structure. The face of a botnet like Grum is a distributed sub-network of command-and-control (CnC) servers. These machines direct an army of zombie underlings, ordinary personal computers that have been infected with malware that takes orders from CnC to churn out spam. Grum marshaled at least 120,000 spam-spewing zombies, according to Spamhaus. The actual number of zombies in the network could have been a lot more.

Grum has been in existence for at least four years, an impressive lifespan for a botnet, according to Atif Mushtaq, senior staff scientist at security company FireEye. Mushtaq, along with Carel van Straten and Thomas Morrison from Spamhaus and Alex Kuzmin from CERT-GIB, tracked down the botnet. An anonymous security researcher who goes by the name Nova7 also helped track down the spammers. Their mission was to discover the CnC servers and systematically take them offline. 

By tracking IP addresses, FireEye and the other researchers traced Grum to a central CnC location in the Netherlands. The team sent abuse notifications to the Dutch authorities telling them to have the servers' Internet Service Provider (ISP) cut off access. The Dutch authorities acted fairly quickly, and Grum's primary hub was taken down.

But Grum was not so easily stopped. Like Hercules battling the Lernaean Hydra, the team cut off one head only to watch two grow in its place. Its Dutch head having been decapitated, the botnet moved its resources to secondary servers in Panama and Ukraine. These servers were more difficult to deal with because ISPs in those countries often look the other way, making them notorious safe havens for botnets. “Shutting down any servers there has never been easy,” Mushtaq said.

The sleuths applied pressure until the ISP hosting Grum in Panama shut off access to the botnet. It was a big success for the research team, but the battle was not yet over. 

“After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine,” Mushtaq wrote. “I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine.”

Mushtaq passed this information to the other researchers who then pressured their contacts in Ukraine and Russia to take down these servers. By 11:00 a.m. PST on July 18th, the servers had been taken offline and the battle to destroy Grum was won.
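The pattern the team ran into, a primary hub replaced by secondary servers and those in turn replaced by new ones, can be spotted from the bots' own beaconing: if you watch where infected hosts connect over time, a takedown shows up as one set of CnC destinations being retired and another appearing. The following is an added example, not FireEye's or Spamhaus's tooling, that runs a simple CnC migration detector over a constructed beacon log modelled on the article's timeline (the IPs are documentation addresses and the timestamps are invented).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed beacon log, not real Grum telemetry:
# (timestamp, bot id, CnC address contacted, country of that address)
BEACONS = [
    ("2012-07-17T09:00:00", "bot-a", "203.0.113.10", "NL"),
    ("2012-07-17T09:00:00", "bot-b", "203.0.113.10", "NL"),
    ("2012-07-17T09:05:00", "bot-c", "203.0.113.10", "NL"),
    # Primary hub cut off; bots fall back to secondary servers
    ("2012-07-17T13:00:00", "bot-a", "198.51.100.7", "PA"),
    ("2012-07-17T13:00:00", "bot-b", "198.51.100.7", "PA"),
    ("2012-07-17T13:05:00", "bot-c", "192.0.2.33", "UA"),
    # Panama host shut off; herders re-point bots to new servers
    ("2012-07-18T08:00:00", "bot-a", "192.0.2.40", "UA"),
    ("2012-07-18T08:00:00", "bot-b", "192.0.2.41", "UA"),
    ("2012-07-18T08:05:00", "bot-c", "192.0.2.33", "UA"),
]

EPOCH = datetime(1970, 1, 1)  # naive reference so windowing is timezone-free


def cnc_sets_by_window(beacons, window=timedelta(hours=1)):
    """Group beacons into fixed time windows; return sorted (window_start, {(ip, country)})."""
    buckets = defaultdict(set)
    for ts, _bot, ip, country in beacons:
        n = (datetime.fromisoformat(ts) - EPOCH) // window
        buckets[EPOCH + n * window].add((ip, country))
    return sorted(buckets.items())


def detect_migrations(beacons, window=timedelta(hours=1)):
    """Report each window where the set of active CnC servers differs from the previous one.

    Each event lists the servers that newly appeared and those that stopped being contacted,
    which is the signature of a hub being taken down and the bots being re-pointed.
    """
    events, previous = [], None
    for start, cncs in cnc_sets_by_window(beacons, window):
        if previous is not None and cncs != previous:
            events.append({"at": start.isoformat(),
                           "new": sorted(cncs - previous),
                           "retired": sorted(previous - cncs)})
        previous = cncs
    return events


if __name__ == "__main__":
    for event in detect_migrations(BEACONS):
        print(event)
```

On the constructed log this reports two migration events: the Dutch hub retired in favour of the Panama and Ukraine servers, then the Panama server retired in favour of two additional Ukraine servers.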

The Battle Against Botnets

For a long while, the primary agents against botnets were governments. These entities could use their power to force ISPs to sever access to CnCs that control the zombie armies. But governments are often not well equipped to do so. Moreover, they act slowly and do not always prioritize campaigns against botnets.

That has changed. In the last several years, the fight against botnets has become a private-sector effort, with researchers such as those at FireEye leading the charge. Microsoft has also entered the fray. In July 2011, Microsoft offered $250,000 for information leading to the capture and conviction of the individuals responsible for Rustock. This makes sense: Microsoft’s Windows operating system is the most installed computer software in the world, and malicious hackers who launch botnet malware have historically focused on Windows for that reason. It behooves Microsoft to be as proactive as possible in helping track down the people responsible.

“Traditionally, government entities monitored and pursued these entities,” said Kapil Raina of cloud security company Zscaler, “but now we are starting to see a dramatic shift in the private-sector community directly getting involved to protect end users. In the short term, this will be very beneficial for consumers, but longer-term implications of legal policy and enforcement have yet to be sorted out.”

With the destruction of Grum, the globe will see an immediate drop in spam. How long that lasts will depend on how diligently the private security community presses its offensive against botnets.
