Researchers zap huge global spam 'botnet'

July 19, 2012
Image: A computer screen inbox displaying unsolicited spam emails.

A huge global 'botnet' responsible for sending out millions of spam messages each day has been shut down by a collaborative effort from security experts in the US, Britain and Russia, researchers said.

The so-called Grum botnet -- which uses a network of infected computers to automatically generate emails -- "has finally been knocked down," said Atif Mushtaq of California-based FireEye.

Mushtaq said in a blog post Wednesday that the shutdown was a joint effort of his group with the British-based Spamhaus Project and the Russian-based Computer Security Incident Response Team known as CERT-GIB.

"All the known command and control servers are dead, leaving their zombies orphaned," Mushtaq said.

He noted that the researchers worked to shut down servers in the Netherlands and later in Panama, where "pressure applied by the community" caused the hosting firm to shut down the operation.

But he said the spam operation moved to new servers in Ukraine after the ones in Panama were closed.

"Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy," he said.

But with the help of Spamhaus, CERT-GIB and an "anonymous researcher," Mushtaq said "all six new servers in Ukraine and the original Russian server were dead as of today, July 18."

He said the shutdown was made by the "upstream provider... at our request."

The researchers said the botnets had been using as many as 120,000 infected "zombie" computers to send out spam each day.

"After the takedown, this number has reduced to 21,505," Mushtaq said. "I hope that once the spam templates expire, the rest of the spam will fade away as well."

He said the effort to take down Grum sends a "strong message to all the spammers."


1 / 5 (5) Jul 19, 2012
Why do we not simply deploy a counter virus? It could be just like the commercial virus hunters, only, for the good of the internet, distributed freely, and via the same viral vector, it infects the machine and shuts down all suspicious port activity until the user confirms the use as valid.
5 / 5 (1) Jul 19, 2012
No effect here yet, still getting between 6000-7000 spam messages a day, mainly from IN,VN,PK,RU,CN,IR,BY,BR,KZ,KR,ID,PE,IQ,SA.

Some of these are repressive regimes, but can't repress spam, or won't act on complaints.
5 / 5 (6) Jul 19, 2012

Because you are still creating a virus -- which means that it has to infect computers -- someone isolates it, copies it and changes its purpose, and you have a new harmful virus.
not rated yet Jul 19, 2012

Repressive regimes, 1. like money, & 2. tend not to give a s**t what others may think of the way they acquire said money. This, I think, explains the connection you mentioned.
1 / 5 (1) Jul 19, 2012
This, I think, explains the connection you mentioned.

I think the vast growth of new and gullible users prone to catching malware, endemic piracy, lack of patch updating is more to blame. ISPs operating on a shoestring are simply overwhelmed with the support required to help disinfect their users. They may care, but are powerless to help *and* stay in business.
Of the 200,000 complaints I have sent to them, some ISPs try to help and some don't want to know. Success ratio is about 5%. Not good, but any success in getting a machine cleaned is better than nothing.
not rated yet Jul 19, 2012

What do ISPs have to do with infected users on their network? That's like asking the city government to fix your flat tire because you let your tires go bald and ran over a nail.
not rated yet Jul 19, 2012
As Skultch said, fixing your computer because you got infected is not the ISP's responsibility. The only time they will get involved is if someone is using their network as a launchpad for attacks. And there are a ton of third parties trying to cash in. Companies like UCEProtect publish blackhole lists, then try to extort the people they listed into paying to get off the list. Some RBLs are legit, but there are plenty that are cons. Some of these companies also do things that are really great when you work in corporate IT, like blackholing Gmail's outbound servers. Everybody uses goddamn Gmail, and one of the more common effects of these lists is that the user will not receive some of their inbound messages. It's based on which outbound Gmail servers are listed and which one their message happened to originate from.
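The failure mode this commenter describes (a shared provider's outbound relay lands on a DNSBL, and inbound mail from that provider is lost depending on which relay happened to send it) is easy to see in code. The following is an added example, not code from the article or from any list operator: it builds the reversed-octet DNSBL query name, resolves it against a constructed in-memory zone instead of real DNS, and compares a naive reject-if-listed policy with one that only tags, rather than rejects, listed relays inside a known shared-provider range. The zone name `dnsbl.example`, the addresses (all from the RFC 5737 documentation ranges) and the provider range are all constructed.

```python
import ipaddress

ZONE = "dnsbl.example"  # hypothetical DNSBL zone name, not a real list

# Constructed stand-in for the list's DNS zone. Real DNSBLs are queried over
# DNS: a listed IP answers with an address inside 127.0.0.0/8 (the low octet
# often encodes a reason code); an unlisted one returns NXDOMAIN.
FAKE_ZONE = {
    "4.113.0.203.dnsbl.example": "127.0.0.2",   # constructed: a listed spam source
    "7.100.51.198.dnsbl.example": "127.0.0.2",  # constructed: one relay of a shared provider
}

# Constructed outbound range of a large shared mail provider (stands in for the
# "Gmail outbound servers" case the comment above describes).
SHARED_PROVIDER_RANGES = [ipaddress.IPv4Network("198.51.100.0/24")]


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """DNSBL convention: reverse the four octets, then append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(name: str):
    """Offline resolver standing in for an A-record query against the list."""
    return FAKE_ZONE.get(name)


def is_listed(ip: str, zone: str = ZONE, resolve=lookup) -> bool:
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:  # NXDOMAIN: not listed
        return False
    # Only a 127/8 answer is a listing; anything else is a malformed reply.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def is_shared_relay(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in SHARED_PROVIDER_RANGES)


def naive_verdict(relay_ip: str) -> str:
    """Reject at the SMTP door whenever the connecting relay is listed."""
    return "reject" if is_listed(relay_ip) else "accept"


def scored_verdict(relay_ip: str) -> str:
    """Same list, but a listed relay that belongs to a shared provider is tagged
    for downstream content scoring instead of dropped, so the provider's other
    customers still get their mail through."""
    if not is_listed(relay_ip):
        return "accept"
    if is_shared_relay(relay_ip):
        return "tag"
    return "reject"


# Constructed inbound messages: (message id, IP of the relay that delivered it).
# Three come from the shared provider via different outbound relays; one
# comes from the listed spam source.
MESSAGES = [
    ("m1", "198.51.100.5"),
    ("m2", "198.51.100.7"),   # the one shared relay that happens to be listed
    ("m3", "198.51.100.9"),
    ("m4", "203.0.113.4"),
]


def evaluate(messages, policy) -> dict:
    """Count verdicts a policy produces over a batch of messages."""
    counts = {"accept": 0, "tag": 0, "reject": 0}
    for _msg_id, relay in messages:
        counts[policy(relay)] += 1
    return counts


if __name__ == "__main__":
    print("naive :", evaluate(MESSAGES, naive_verdict))
    print("scored:", evaluate(MESSAGES, scored_verdict))
```

Under the naive policy message m2 is lost along with the real spam, purely because of which relay the provider picked for it; the scored policy still rejects the listed spam source outright and lets the shared-relay message through with a tag.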
not rated yet Jul 19, 2012
As a user of the net for well over 20 years, I've been here many times before. WTF happened to netiquette?
ISPs have a responsibility to at least let their users know if they are abusing the net. There isn't any other way for someone to contact them officially and believably.
RBLs are still the best thing we have as a defence, but only an idiot would block gmail! Gmail manages its own security and compromised accounts fairly well.
5 / 5 (1) Jul 19, 2012

"why do we not simply deploy a counter virus?"

Viruses bad. No give viruses to bad guys. Bad guys reverse-engineer viruses and use on you.
2.3 / 5 (3) Jul 20, 2012
@teledyne: And to add to others' responses: I personally would strongly object to ANY attempt to introduce a virus to my home no matter the reason or purpose. I'm pretty sure any corporate sysadmin or security guys will feel even more so about THEIR machines.
not rated yet Jul 20, 2012
ISPs have a responsibility to at least let their users know if they are abusing the net.

Says you and few else. Did you not get my analogy? ISP=road, car=user PC.

Do you have any idea how much that would cost? What is the incentive to track and store all that data? Email doesn't use much bandwidth. Yeah, it adds up, but so do the costs of doing something about it. Downloading and streaming video completely dwarfs the impact of spam email. THAT is what ISPs are concerned about.

I've worked as a senior network designer/engineer for an ISP for the last 6 years. I've literally Never had a conversation about what to do with the "spam email problem" in the way you are talking about. We've had customers get blacklisted and we've helped them get off the list after they cleaned up, but we've Never been proactive about it, nor have I ever even heard about such proactivity from my industry.

Install some AV, stay updated, and surf smartly. Duh.
not rated yet Jul 22, 2012
Many years ago I had let my AV subscription lapse and everything was fine for a while. One night I woke up about 1 am and found my computer in a battle with my ISP. Some application was on my system and trying to mail out spam as fast as my computer could send it at 6Mb/s. Just as quickly my ISP was blocking the mail it had recognized as spam. Each time the outgoing mail was identified as spam and blocked my system beeped. It was beeping about once a second.

I shut down my system and reactivated Norton's AV in safe mode. It wasn't able to do anything as this was a root virus except to identify the file names. Fortunately I was able to remember my old DOS commands and locate and remove the 3-part NetSky virus myself.

My ISP is a small town business and the only one available in my area, but they do have anti spam protections in place for outgoing mail. So it can be done.

For my part, from then on I make sure I buy good AV and other protection software and keep it updated.
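The ISP-side behaviour in the story above (an infected home machine opening outbound mail sessions as fast as it can, and the provider recognising and blocking them) is the kind of thing a simple rate detector over connection logs can catch. The block below is an added example, not the commenter's ISP's system or anything from the article: it parses constructed flow records in a made-up `<timestamp> <src> -> <dst>:<port>` format, keeps a sliding per-source window of direct port-25 connections, and flags any source whose count in a 60-second window exceeds a chosen threshold. The threshold of 20, the log format and the addresses are all constructed assumptions; a home mail client normally submits through its provider on port 587, which is why those records are ignored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (an assumption for this example): one connection per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)


def build_sample_flows():
    """Constructed flow records, not real traffic: one host opening an SMTP
    session to a different mail exchanger every second for 30 seconds, and one
    host sending two messages through its ISP's submission server on port 587."""
    lines = [f"2012-07-19T01:00:{i:02d} 192.0.2.10 -> 203.0.113.{i + 1}:25" for i in range(30)]
    lines.append("2012-07-19T01:00:05 192.0.2.20 -> 198.51.100.25:587")
    lines.append("2012-07-19T01:00:40 192.0.2.20 -> 198.51.100.25:587")
    return lines


def parse(line):
    """Return (timestamp, src, dst, port) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])


def detect_spam_bots(lines, window_s=60, max_smtp_conns=20):
    """Return {src_ip: peak_count} for every source whose number of direct
    port-25 connections inside any window_s-second window exceeds max_smtp_conns."""
    records = sorted((r for r in map(parse, lines) if r is not None), key=lambda r: r[0])
    windows = defaultdict(deque)   # per-source timestamps inside the current window
    peaks = defaultdict(int)       # highest window count seen per source
    for ts, src, _dst, port in records:
        if port != 25:             # submission (587) is what a mail client normally uses
            continue
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        peaks[src] = max(peaks[src], len(q))
    return {src: n for src, n in peaks.items() if n > max_smtp_conns}


if __name__ == "__main__":
    for src, peak in detect_spam_bots(build_sample_flows()).items():
        print(f"flag {src}: {peak} direct SMTP connections within 60s")
```

A real deployment would pair the flag with a notification to the subscriber and a temporary port-25 block rather than silently dropping traffic, which is roughly what the beeping in the story above amounts to from the user's side.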
