Researchers zap huge global spam 'botnet'

The so-called Grum botnet used a network of infected computers to automatically generate emails
A computer screen inbox displaying unsolicited spam emails.

A huge global 'botnet' responsible for sending out millions of spam messages each day has been shut down by a collaborative effort from security experts in the US, Britain and Russia, researchers said.

The so-called Grum -- which uses a network of infected computers to automatically generate emails -- "has finally been knocked down," said Atif Mushtaq of California-based FireEye.

Mushtaq said in a blog post Wednesday that the shutdown was a joint effort of his group with the British-based Spamhaus Project, a , and the Russian-based Computer Security Incident Response Team known as CERT-GIB.

"All the known command and control servers are dead, leaving their zombies orphaned," Mushtaq said.

He noted that the researchers worked to shut down servers in the Netherlands and later in Panama, where "pressure applied by the community" caused the hosting firm to shut down the operation.

But he said the spam operation moved to new servers in Ukraine after the ones in Panama were closed.

"Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy," he said.

But with the help of Spamhaus, CERT-GIB and an "anonymous researcher," Mushtaq said "all six new servers in Ukraine and the original Russian server were dead as of today, July 18."

He said the shutdown was made by the "upstream provider... at our request."

The researchers said the botnet had been using as many as 120,000 infected "zombie" computers to send out spam each day.

"After the takedown, this number has reduced to 21,505," Mushtaq said. "I hope that once the spam templates expire, the rest of the spam will fade away as well."

He said the effort to take down Grum sends a "strong message to all the spammers."


(c) 2012 AFP

Citation: Researchers zap huge global spam 'botnet' (2012, July 19) retrieved 20 September 2019 from

User comments

Jul 19, 2012
why do we not simply deploy a counter virus? It could be just like the commercial virus hunters, only, for the good of the internet, distributed freely, and via the same viral vector, it infects the machine and shuts down all suspicious port activity until the user confirms the use as valid.

Jul 19, 2012
No effect here yet, still getting between 6000-7000 spam messages a day, mainly from IN,VN,PK,RU,CN,IR,BY,BR,KZ,KR,ID,PE,IQ,SA.

Some of these are repressive regimes, but can't repress spam, or won't act on complaints.

Jul 19, 2012

because you are still creating a virus -- which means that it has to infect computers -- someone isolates it, copies it and changes its purpose, and you have a new harmful virus

Jul 19, 2012

Repressive regimes, 1. like money, & 2. tend not to give a s**t what others may think of the way they acquire said money. This, I think, explains the connection you mentioned.

Jul 19, 2012
"This, I think, explains the connection you mentioned."

I think the vast growth of new and gullible users prone to catching malware, endemic piracy, lack of patch updating is more to blame. ISPs operating on a shoestring are simply overwhelmed with the support required to help disinfect their users. They may care, but are powerless to help *and* stay in business.
Of the 200,000 complaints I have sent to them, some ISPs try to help and some don't want to know. Success ratio is about 5%. Not good, but any success in getting a machine cleaned is better than nothing.

Jul 19, 2012

What do ISPs have to do with infected users on their network? That's like asking the city government to fix your flat tire because you let your tires go bald and ran over a nail.

Jul 19, 2012
As Skultch said, fixing your computer because you got infected is not the ISP's responsibility. The only time they will get involved is if someone is using their network as a launchpad for attacks. And there are a ton of third parties trying to cash in. Companies like UCEProtect publish blackhole lists, then try to extort the people they listed into paying to get off the list. Some RBLs are legit, but there are plenty that are cons. Some of these companies also do things that are really great when you work in corporate IT, like blackholing Gmail's outbound servers. Everybody uses goddamn gmail, and one of the more common effects of these lists is that the user will not receive some of their inbound messages. It's based on which outbound gmail servers are listed and which one their message happened to originate from.

Jul 19, 2012
As a user of the net for well over 20 years, I've been here many times before. WTF happened to netiquette?
ISPs have a responsibility to at least let their users know if they are abusing the net. There isn't any other way for someone to contact them officially and believably.
RBLs are still the best thing we have as a defence, but only an idiot would block gmail! Gmail manages its own security and compromised accounts fairly well.

Jul 19, 2012

"why do we not simply deploy a counter virus?"

Viruses bad. No give viruses to bad guys. Bad guys reverse-engineer viruses and use on you.

Jul 20, 2012
@teledyne: And to add to others' responses: I personally would strongly object to ANY attempt to introduce a virus to my home, no matter the reason or purpose. I'm pretty sure any corporate sysadmin or security guys will feel even more so about THEIR machines.

Jul 20, 2012
"ISPs have a responsibility to at least let their users know if they are abusing the net."

Says you and few else. Did you not get my analogy? ISP=road, car=user PC.

Do you have any idea how much that would cost? What is the incentive to track and store all that data? Email doesn't use much bandwidth. Yeah, it adds up, but so do the costs of doing something about it. Downloading and streaming video completely dwarfs the impact of spam email. THAT is what ISPs are concerned about.

I've worked as a senior network designer/engineer for an ISP for the last 6 years. I've literally Never had a conversation about what to do with the "spam email problem" in the way you are talking about. We've had customers get blacklisted and we've helped them get off the list after they cleaned up, but we've Never been proactive about it, nor have I ever even heard about such proactivity from my industry.

Install some AV, stay updated, and surf smartly. Duh.

Jul 22, 2012
Many years ago I had let my AV subscription lapse and everything was fine for a while. One night I woke up about 1 am and found my computer in a battle with my ISP. Some application was on my system and trying to mail out spam as fast as my computer could send it at 6Mb/s. Just as quickly my ISP was blocking the mail it had recognized as spam. Each time the outgoing mail was identified as spam and blocked my system beeped. It was beeping about once a second.

I shut down my system and reactivated Norton's AV in safe mode. It wasn't able to do anything as this was a root virus except to identify the file names. Fortunately I was able to remember my old DOS commands and locate and remove the 3-part NetSky virus myself.

My ISP is a small town business and the only one available in my area, but they do have anti spam protections in place for outgoing mail. So it can be done.

For my part, from then on I make sure I buy good AV and other protection software and keep it updated.
