Botnet takedown cuts world spam by 18 percent

Safe havens may be less safe for bot herders

There's less Viagra spam in your inbox this morning, thanks to the efforts of security experts who took down the world's third-largest botnet in an international coordinated effort this week.

Known as Grum, the botnet is believed to have been responsible for 18 billion spam messages a day, streaming out of at least 120,000 infected machines.

California-based security firm FireEye, working with British firm Spamhaus and Russian experts at CERT-GIB, was able to pull down the botnet's command and control servers by tracing the bots' command traffic back to the servers' addresses, and from there to the ISPs hosting them, which were then pressed to shut the servers down.

It was quite a slugfest, as takedowns go. The owners of the botnet were likely less than happy when the takedown efforts led to the shutdown of the servers in the Netherlands on Monday, according to FireEye's Atif Mushtaq. But they still had two major command centers working, one in Panama and one in Russia.

"On the morning of July 17, I got the news that the server in Panama was no longer active. The ISP owning this server at last buckled under the pressure applied by the community. It was great news. The shutdown of the Panamanian server meant a lot," Mushtaq wrote in a FireEye report on the takedown.

Even with the Panama segment of the botnet taken off the board, that still left the server in Russia. And the botnet controllers--or "bot herders," as Mushtaq refers to them--had a surprise for the FireEye team. Once the Panama server was down, a new secondary control network of six additional servers was spun up in Ukraine, a region historically resistant to outside pressure for intervention in these sorts of issues.
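The two technical steps in the story are tracing command traffic from many infected machines back to a handful of servers and then to whichever network hosts each one, and noticing when a fresh set of control servers appears after a takedown. The Python below is an added illustration of both, not FireEye's or Spamhaus's own tooling and not Grum data: the beacon log, the prefix-to-ASN table and the abuse contacts are constructed from RFC 5737 address ranges and RFC 5398 documentation AS numbers, and the table stands in for the whois or BGP lookup a real investigation would run.

```python
"""Trace botnet C2 endpoints from bot beacon logs back to hosting networks.

Added example, not tooling from FireEye, Spamhaus or CERT-GIB. Every address,
ASN and abuse contact here is constructed from RFC 5737 / RFC 5398
documentation ranges; nothing below refers to real Grum infrastructure.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of bot-to-server connections: "timestamp src dst port".
BEACON_LOG = """\
2012-07-16T08:00:01 10.0.0.11 192.0.2.10 80
2012-07-16T08:00:03 10.0.0.12 192.0.2.10 80
2012-07-16T08:00:05 10.0.0.13 198.51.100.7 80
2012-07-16T08:00:09 10.0.0.14 192.0.2.10 80
2012-07-16T08:00:10 10.0.0.11 198.51.100.200 443
2012-07-16T08:00:12 10.0.0.15 198.51.100.7 80
2012-07-16T08:00:13 10.0.0.16 198.51.100.7 80
2012-07-16T08:00:15 10.0.0.12 203.0.113.250 80
2012-07-16T08:00:16 10.0.0.17 203.0.113.250 80
2012-07-16T08:00:18 10.0.0.18 203.0.113.250 80
"""

# Constructed prefix -> (ASN, abuse contact) table standing in for a whois
# or BGP lookup. The /25 inside the /24 models a customer block delegated
# by an upstream provider.
PREFIX_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "AS64496", "abuse@isp-a.example"),
    (ipaddress.ip_network("198.51.100.0/24"), "AS64497", "abuse@isp-b.example"),
    (ipaddress.ip_network("198.51.100.0/25"), "AS64498", "abuse@isp-c.example"),
]


def parse_beacons(log_text):
    """Parse 'timestamp src dst port' lines, skipping blank or malformed ones."""
    beacons = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, port = parts
        try:
            beacons.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
        except ValueError:
            continue
    return beacons


def find_c2_candidates(beacons, min_sources=3):
    """Destinations contacted by at least min_sources distinct infected hosts.

    One bot talking to one address is noise; many unrelated bots converging on
    the same address is the fan-in signature of a command server.
    Returns {dst_ip: sorted list of source IPs} as strings.
    """
    sources = defaultdict(set)
    for src, dst, _port in beacons:
        sources[dst].add(src)
    return {str(dst): sorted(str(s) for s in srcs)
            for dst, srcs in sources.items() if len(srcs) >= min_sources}


def lookup_network(ip, table=PREFIX_TABLE):
    """Longest-prefix match of ip against table; None if no prefix covers it.

    The most specific prefix names the party actually hosting the server
    (the /25 customer, not the /24 upstream), which is who can pull it.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, abuse in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, abuse)
    return best


def build_takedown_report(log_text, table=PREFIX_TABLE, min_sources=3):
    """Group C2 candidates by hosting network so one notice goes to each ISP.

    Returns {asn: [(c2_ip, bot_count, abuse_contact), ...]}. Endpoints no
    prefix covers are filed under 'UNKNOWN' rather than silently dropped.
    """
    report = defaultdict(list)
    for dst, srcs in find_c2_candidates(parse_beacons(log_text), min_sources).items():
        match = lookup_network(dst, table)
        if match is None:
            report["UNKNOWN"].append((dst, len(srcs), None))
        else:
            _net, asn, abuse = match
            report[asn].append((dst, len(srcs), abuse))
    return dict(report)


def detect_failover(known_c2, log_text, min_sources=3):
    """C2 endpoints seen now that were not in the already-reported set.

    After a provider pulls a server, bots fall back to secondary addresses;
    re-running the fan-in analysis and diffing against known_c2 surfaces the
    replacement control network.
    """
    current = set(find_c2_candidates(parse_beacons(log_text), min_sources))
    return sorted(current - set(known_c2))


if __name__ == "__main__":
    for asn, endpoints in sorted(build_takedown_report(BEACON_LOG).items()):
        for c2, bots, abuse in endpoints:
            print(f"{asn:9} {c2:16} bots={bots:<3} notify={abuse}")
    print("new after takedown:", detect_failover(["192.0.2.10", "198.51.100.7"], BEACON_LOG))
```

On the constructed log, 198.51.100.200 is contacted by a single host and is discarded, 198.51.100.7 is attributed to the /25 rather than the covering /24, and 203.0.113.250 ends up under UNKNOWN because no prefix in the table covers it; treating the known set as the two endpoints already reported, the failover check returns 203.0.113.250 as the new server to chase. The min_sources threshold is the knob to tune against real traffic volumes.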

"I immediately shared this new information with three different parties--Carel Van Straten and Thomas Morrison from Spamhaus, Alex Kuzmin from CERT-GIB, and an anonymous researcher who goes by the pseudonym Nova7," Mushtaq explained. "After they got all the evidence from my side, they moved quickly passing this intelligence back to their contacts in Ukraine and Russia. As a result of this overnight operation, all six new servers in Ukraine and the original Russian server were dead as of today, July 18, at 11:00 AM PST."

The success of this operation means a bit more than less spam in the world's inboxes, though that's certainly a good thing. It also represents a serious blow for the notion of safe havens for bot herders. Without such safe havens, botnet systems will be much more vulnerable to these sorts of takedowns in the future.

Read more of Brian Proffitt's Open for Discussion blog and follow the latest IT news at ITworld. Drop Brian a line or follow Brian on Twitter at @TheTechScribe. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
