Botnet responsible for 18% of the world's spam shut down
According to US security company FireEye, the world's third-largest botnet has been shut down by disabling its command and control (CnC) servers. The botnet is believed to have been responsible for as much as 18% of total global spam, which amounts to approximately 18 billion messages a day.
After the botnet's CnC servers in Panama and the Netherlands were located and shut down by exerting community pressure on the ISPs that owned the networks they were hosted on, the botnet owners moved control of their bots to secondary servers in Russia and the Ukraine. FireEye worked with London-based Spamhaus and CERT-GIB from Russia to shut these servers down as well. Apparently, the ISP hosting the Russian server did not shut down the CnC node on their network, forcing the researchers to go to its upstream provider who finally null routed the IP address in question.
Data from Spamhaus suggests that the number of active IP addresses belonging to the Grum botnet has dropped from 120,000 to about 21,000 – it is expected that the remaining bots will stop sending spam once their templates expire and they are left without instructions from their CnC servers. FireEye also notes that 120,000 IPs is most likely not the full size of the botnet, however, as systems that have their outgoing email traffic blocked would not turn up in this list.
The action against the Grum botnet is another strike in a series of operations against high-profile botnets in recent months. Microsoft took down the Kelihos botnet in September and, in another strike, collaborated with officials to disable two botnets connected to the banking trojan Zeus in March.