Grum botnet shut down

By Jon Tullett, Editor: News analysis
Johannesburg, 20 Jul 2012

Security researchers have successfully dismantled the Grum botnet, believed to be responsible for almost a fifth of the world's spam.

This is yet another in a series of successful attacks against botnets, though spam levels are unlikely to be permanently reduced.

Malware research organisation FireEye was instrumental in attacking Grum, coordinating activities with other security groups, including anti-spam veterans Spamhaus, as well as several ISPs in countries where Grum's command and control servers were located.

The Grum malware suffered from a fatal flaw: the IP addresses of its command servers were hardcoded into the software, and the network was split into segments that operated independently of one another. By taking down the command servers faster than replacement servers could be brought online, the whole network could be rendered inoperative at a stroke.

This marks another success for the security industry in attacking botnets. However, relatively few criminals have been brought to justice, so new botnets appear almost as fast as others are shut down. Although shutdowns such as Grum's usually result in a short-term reduction in spam levels, new botnets quickly fill the gap to satisfy the demand for junk mail. Prosecutions remain rare: the operator of the BredoLab botnet was tracked down in Armenia in 2010 and jailed for four years in 2012.

Two of the most active spam botnets, Lethic and Cutwail, remain in operation, though Lethic was nearly disabled by researchers in 2010.

Takedown successes

Several botnets have been shut down recently. Among the most notable:

* BredoLab, a spam botnet claiming 30 million zombies, was shut down in 2010 and the alleged operator arrested;
* Waledac, a relatively small, but highly active botnet, was shut down in 2010 by Microsoft;
* The Coreflood botnet was dismantled by US authorities in 2011. At its peak, Coreflood included about two million clients;
* Rustock botnet was taken down by Microsoft, FireEye and other researchers in 2011. About 2.4 million zombies were infected by Rustock over its lifespan;
* Kelihos was shut down in 2011 by Microsoft, in collaboration with Kaspersky. A number of criminals suspected of being involved in its operation were named at the time;
* In 2012, several cnc servers of a Zeus botnet were seized by Microsoft, hampering but not eradicating the botnet - the Zeus malware is behind many ongoing botnets; and
* Grum, dismantled in 2012, was believed to be responsible for about 18% of the world's spam.

Botnets = real money

Botnets are networks of PCs, known as zombies, infected with malware that gives the botnet's controller remote control over them. Zombies can be instructed to perform malicious activity such as sending spam, conducting denial of service attacks, stealing identities, and so on.

Although botnets can be created and run by amateur hackers, the larger networks are managed by career criminals or organised crime syndicates, and can make hundreds of thousands of dollars from their operation, as well as supporting other criminal activity.

Most botnets are controlled by command-and-control (cnc) servers, often nothing more than a private channel on a chat server, through which the botnet owners can issue commands and update the malware code.

Botnets are rented out by their operators - known as “herders” - to clients such as spammers, who pay relatively small amounts for the huge volumes of spam the network can generate. Spam originating from botnets is harder to block, since it can originate simultaneously from millions of hosts rather than a single e-mail server.

Large botnets can include millions of zombie agents - BredoLab, the largest known, was believed to max out at about 30 million agents - and account for the vast majority of the world's spam.

Attacking the bots

To attack a botnet, security practitioners usually target the command servers, since disinfecting millions of PCs is impractical (but not impossible - anti-virus companies play an active role in helping disinfect botnet malware).

With no cnc servers operational, zombies remain infected but inactive.

However, it can be very difficult to remove the command servers. Well-designed botnets react to the loss of one cnc server by simply installing another, and use the surviving servers to push the new address out to the zombies. Some botnets use peer-to-peer technologies to share updates among zombies, making it extremely difficult to prevent network reconfigurations from propagating.

Because of this, it is often necessary to coordinate an attack against the entire network of cnc servers at once, cutting off the hydra's heads simultaneously, preventing new servers from being made available to the zombies.
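The following toy model, added here as an illustration and not part of the article or of any takedown team's tooling, shows why the order of a takedown matters for a botnet like Grum (hardcoded command addresses, independent segments). Bots know only the command addresses they were built with; the herder can push a replacement server only to bots that can still reach a live one. The segment layout, bot counts and server names are constructed sample values.

```python
# Added illustration (not from the article): a toy model of the "hydra" problem.
# Bots only know a fixed (hardcoded) list of C2 addresses; the herder can only
# push a replacement C2 address to bots that can still reach a live server.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class Bot:
    # Hardcoded C2 addresses this bot was built with (constructed sample values).
    known_c2: set[str]


@dataclass
class Botnet:
    live_c2: set[str]
    bots: list[Bot]
    next_id: int = 0  # counter for the herder's replacement servers

    def reachable(self, bot: Bot) -> bool:
        """A bot is operative while at least one C2 it knows is still live."""
        return bool(bot.known_c2 & self.live_c2)

    def operative_fraction(self) -> float:
        """Share of the zombie population that can still receive commands."""
        if not self.bots:
            return 0.0
        return sum(self.reachable(b) for b in self.bots) / len(self.bots)

    def takedown(self, servers: Iterable[str]) -> None:
        """Defenders remove one batch of C2 servers at the same moment."""
        self.live_c2 -= set(servers)

    def herder_replaces(self) -> str | None:
        """The herder brings up a fresh C2 and announces it through any surviving
        server. Only bots that can still reach a live C2 learn the new address;
        bots whose every known server is gone are stranded for good."""
        survivors = [b for b in self.bots if self.reachable(b)]
        if not survivors:
            return None  # no channel left to announce a replacement
        new_c2 = f"new-c2-{self.next_id}"
        self.next_id += 1
        self.live_c2.add(new_c2)
        for b in survivors:
            b.known_c2.add(new_c2)
        return new_c2


def build_botnet(segments: dict[str, tuple[list[str], int]]) -> Botnet:
    """segments maps a segment name to (its hardcoded C2 list, number of bots).
    Segments share no servers, mirroring the independent segments described above."""
    bots: list[Bot] = []
    live: set[str] = set()
    for c2_list, count in segments.values():
        live |= set(c2_list)
        bots += [Bot(set(c2_list)) for _ in range(count)]
    return Botnet(live_c2=live, bots=bots)


def run_campaign(segments, batches: list[list[str]]) -> list[float]:
    """Apply each takedown batch in turn; after every batch the herder gets one
    chance to respond. Returns the operative fraction after each round."""
    net = build_botnet(segments)
    history = []
    for batch in batches:
        net.takedown(batch)
        net.herder_replaces()
        history.append(net.operative_fraction())
    return history


# Constructed sample layout: two independent segments, 100 bots in total.
SEGMENTS = {
    "segment-a": (["c2-1", "c2-2"], 60),
    "segment-b": (["c2-3"], 40),
}
ONE_AT_A_TIME = [["c2-1"], ["c2-2"], ["c2-3"]]   # herder keeps up every round
ALL_AT_ONCE = [["c2-1", "c2-2", "c2-3"]]         # no channel left to recover
ONE_SEGMENT = [["c2-3"]]                         # segment-b alone is cut off

if __name__ == "__main__":
    for name, plan in [("one server at a time", ONE_AT_A_TIME),
                       ("all servers at once", ALL_AT_ONCE),
                       ("one segment only", ONE_SEGMENT)]:
        print(f"{name:22s} operative fraction per round: {run_campaign(SEGMENTS, plan)}")
```

Sequential removal leaves the network fully operative after every round, because each surviving server carries the replacement address to the bots; removing every server in the same round strands all of them, and removing just the servers of one segment permanently disables that segment even though the rest of the network survives.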

With servers located in multiple countries, often in regimes unfriendly - or at least uncooperative - towards the West, this can be an extremely difficult task, but researchers have had several successes over the past few years, shutting down notable botnets like BredoLab, Mega-D and now Grum.

Once shut down, the still-infected PCs may be taken over by subsequent malware and reformed into new botnets.