Grum, the world’s third-largest botnet, has been shut down, according to one of the security researchers who helped take the botnet offline, Atif Mushtaq. Mushtaq, who works for the “malware intelligence lab” FireEye, announced the good news on the security company’s blog yesterday after two intense days battling Grum. You may see less spam related to cheap “Cilais,” “Vigara,” or “Levtira” (misspellings of Cialis, Viagra, and Levitra, respectively) and fewer unwanted messages advertising Rolex watches as a result of the Grum botnet shutdown. With a command and control server in the Netherlands, and additional servers in countries such as Panama and Russia, taking down Grum required international coordination and effort.
Grum was responsible for sending about 18 percent of the world’s spam. The botnet was sending up to 18 billion unsolicited emails a day that advertised products like fake Rolex watches and various erectile dysfunction pills. If you use email, you are almost certainly all too familiar with these annoying messages (though hopefully you aren’t seeing them in your actual inbox – at best, spam messages should end up in the spam folder of your email program).
As a botnet, Grum was a network of so-called “zombies,” computers infected with malware that allow criminals to engage in all manner of cyber crime, including sending spam messages and stealing personal information. A computer joins the zombie network when an unsuspecting user opens a malicious file or clicks on a pernicious link. Once a computer is infected – after it has joined the zombie army, as it were – it can be forced to perform automated tasks, like sending spam to inboxes all over the world. It is worth noting that the vast – overwhelming – majority of zombied computers are Windows computers, which is one of the main reasons that we advocate using a Mac or Linux computer.
It was not easy to shut down Grum, requiring as it did the work of multiple researchers and the cooperation of Internet service providers (ISPs) in several countries. The first two servers that controlled the botnet (each a “command and control” server, or CnC) fell in the Netherlands on July 16. The next Grum servers to go were located in Panama, one of the two main places (the other was Russia) from which the international botnet operated. If the fall of the Dutch servers represented a light shove to Grum, then the collapse of the Panamanian server was a full-blown punch, knocking out one part of the botnet’s operation completely.
However, the criminals behind the botnet quickly set up new servers in Ukraine, a safe haven for cyber crime. It is not easy to take down servers located in Ukraine, but the team working on this noble project was able to take down the six new Ukrainian servers, as well as the original server in Russia, by presenting evidence to their contacts in these countries. By the morning of July 18, just two days after the two Dutch servers fell, the Grum botnet had been successfully taken down.