Grum Zombie Botnet Shut down, Says Spam-Fighting Researcher Atif Mushtaq


Grum, the world’s third-largest botnet, has been shut down, according to Atif Mushtaq, one of the security researchers who helped take it offline. Mushtaq, who works for the “malware intelligence lab” FireEye, announced the good news on the security company’s blog yesterday after two intense days battling Grum. As a result of the shutdown, you may see less spam related to cheap “Cilais,” “Vigara,” or “Levtira” (misspellings of Cialis, Viagra, and Levitra, respectively) and fewer unwanted messages advertising Rolex watches. With a command and control server in the Netherlands, and additional servers in countries such as Panama and Russia, taking down Grum required international coordination and effort.

Grum was responsible for sending about 18 percent of the world’s spam. The botnet was sending up to 18 billion unsolicited emails a day that advertised products like fake Rolex watches and various erectile dysfunction pills. If you use email, you are almost certainly all too familiar with these annoying messages (though hopefully you aren’t seeing them in your actual inbox; ideally, spam messages should land in the spam folder of your email program).
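The deliberately misspelled brand names quoted above are a long-standing trick for slipping past spam filters that look for exact keywords. The following is an added example, written for this article and not code from FireEye or from the Grum operators, showing how a filter still catches such near-miss spellings by measuring edit distance against the genuine names. The brand list, the two-edit threshold and the sample subject lines are assumptions constructed here.

```python
import re

# Brand names the article lists; "rolex" is left out on purpose: at five letters it
# sits one edit from common words such as "role", so it needs a stricter rule.
BRANDS = ("cialis", "viagra", "levitra")
MAX_DISTANCE = 2  # assumption: up to two edits; tune this against real mail

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_tokens(subject: str) -> list[tuple[str, str, int]]:
    """(token, nearest brand, distance) for each word within MAX_DISTANCE of a brand.
    A word whose length differs from the brand's by more than MAX_DISTANCE cannot
    be within range, so it is skipped without computing the distance."""
    hits = []
    for tok in re.findall(r"[a-z]+", subject.lower()):
        for brand in BRANDS:
            if abs(len(tok) - len(brand)) > MAX_DISTANCE:
                continue
            d = levenshtein(tok, brand)
            if d <= MAX_DISTANCE:
                hits.append((tok, brand, d))
                break
    return hits

def is_pharma_spam(subject: str) -> bool:
    """True when any word in the subject is a near-miss spelling of a listed brand."""
    return bool(suspicious_tokens(subject))

def flag_subjects(subjects: list[str]) -> list[str]:
    """Return the subjects the filter would route to the spam folder."""
    return [s for s in subjects if is_pharma_spam(s)]

# Constructed sample subjects modelled on the misspellings the article cites.
SAMPLE_SUBJECTS = [
    "Cheap Cilais and Vigara, overnight shipping",
    "Levtira 80% off today only",
    "Your order confirmation",
    "Team meeting moved to 3pm",
]
```

Each swapped letter pair in the article's examples costs two substitutions, so all three land exactly at the threshold; a lower threshold would let them through, a higher one starts flagging ordinary words.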

As a botnet, Grum was a network of so-called “zombies,” computers infected with malware that allows criminals to engage in all manner of cybercrime, including sending spam messages and stealing personal information. A computer joins the zombie network when an unsuspecting user opens a malicious file or clicks on a pernicious link. Once a computer is infected – after it has joined the zombie army, as it were – it can be forced to perform automated tasks, like sending spam to inboxes all over the world. It is worth noting that the vast – overwhelming – majority of zombied computers are Windows computers, which is one of the main reasons that we advocate using a Mac or Linux computer.

It was not easy to shut down Grum, requiring as it did the work of multiple researchers and the cooperation of Internet service providers (ISPs) in several countries. The first two servers that controlled the botnet (“command and control” servers, or CnC servers) fell in the Netherlands on July 16. The next Grum servers to go were located in Panama, one of the two main places (the other was Russia) from which the international botnet operated. If the fall of the Dutch servers represented a light shove to Grum, then the collapse of the Panamanian server was a full-blown punch, knocking out one part of the botnet’s operation completely.

However, the criminals behind the botnet quickly set up new servers in Ukraine, a safe haven for cyber crime. It is not easy to take down servers located in Ukraine, but the team working on this noble project was able to take down the six new Ukrainian servers, as well as the original server in Russia, by presenting evidence to their contacts in these countries. By the morning of July 18, just two days after the two Dutch servers fell, the Grum botnet had been successfully taken down.

2 thoughts on “Grum Zombie Botnet Shut down, Says Spam-Fighting Researcher Atif Mushtaq”

  1. Of course the Ukraine is also a major IT center with many of the best programmers in the world, sought after by western corporations. The Ukrainian government will not jeopardize the reputation of the country and its growing IT industry.

  2. So if I can read this post, and got here from Facebook, I can presume my PC is not affected. (Proof!) I went to 2 or 3 sites that check your computer over the past 2 mos, and back then, they said I was clean.
