Governments, researchers and private companies are working overtime to root out spam from the Internet. Today brings good news: Grum, a botnet responsible for 18% of all spam, is no more. Here’s how a team of crack cybersleuths took down the world’s third-largest spammer.
The search-and-destroy stories that surface when a spam botnet is taken down are some of the juiciest to be found in any medium. Botnet takedowns have all the elements of a great plot: a global villain, exotic locales, despicable offenses, dedicated heroes who strive for the good of humanity, and a mystery that takes many steps to uncover. It is “Dick Tracy” meets “Hackers.”
Grum was a devious mist of a network with no obvious central structure. The face of a botnet like Grum is a distributed sub-network of command-and-control (CnC) servers. These machines direct an army of zombie underlings, ordinary personal computers that have been infected with malware that takes orders from CnC to churn out spam. Grum marshaled at least 120,000 spam-spewing zombies, according to Spamhaus. The actual number of zombies in the network could have been a lot more.
Grum has been in existence for at least four years, an impressive lifespan for a botnet, according to Atif Mushtaq, senior staff scientist at security company FireEye. Mushtaq, along with Carel van Straten and Thomas Morrison from Spamhaus and Alex Kuzmin from CERT-GIB, tracked down the botnet. An anonymous security researcher who goes by the name Nova7 also helped track down the spammers. Their mission was to discover the CnC servers and systematically take them offline.
By tracking IP addresses, FireEye and other researchers traced Grum to a central CnC location in the Netherlands. The team sent abuse notifications to the Dutch authorities, telling them to have the servers’ Internet Service Provider (ISP) cut off access to the servers. Authorities in the Netherlands acted fairly quickly, and Grum’s primary hub was taken down.
But Grum was not so easily stopped. Like Hercules battling the Lernaean Hydra, the team cut off one head only to watch two grow in its place. Its Dutch head having been decapitated, the botnet moved its resources to secondary servers in Panama and Ukraine. These servers were more difficult to deal with because ISPs in those countries often look the other way, making them notorious safe havens for botnets. “Shutting down any servers there has never been easy,” Mushtaq said.
The sleuths applied pressure until the ISP hosting Grum in Panama shut off access to the botnet. It was a big success for the research team, but the battle was not yet over.
“After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine,” Mushtaq wrote. “I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine.”
Mushtaq passed this information to the other researchers who then pressured their contacts in Ukraine and Russia to take down these servers. By 11:00 a.m. PST on July 18th, the servers had been taken offline and the battle to destroy Grum was won.
The Battle Against Botnets
For a long while, the primary agents against botnets were governments. These entities could use their power to force ISPs to sever access to CnCs that control the zombie armies. But governments are often not well equipped to do so. Moreover, they act slowly and do not always prioritize campaigns against botnets.
That has changed. In the last several years, fighting botnets has become a private-sector effort, with researchers such as those at FireEye leading the charge. Microsoft has also entered the fray. In July 2011, Microsoft offered $250,000 for information leading to the capture and conviction of the individuals responsible for Rustock. This makes sense: Microsoft’s Windows operating system is the most installed computer software in the world, and malicious hackers who launch botnet malware have historically focused on Windows for this reason. It behooves Microsoft to be as proactive as possible in helping track down the people responsible.
“Traditionally, government entities monitored and pursued these entities,” said Kapil Raina of cloud security company Zscaler, “but now we are starting to see a dramatic shift in the private-sector community directly getting involved to protect end users. In the short term, this will be very beneficial for consumers, but longer-term implications of legal policy and enforcement have yet to be sorted out.”
With the destruction of Grum, the globe will see an immediate drop in spam. How long that lasts will depend on how diligently the private security community presses its offensive against botnets.