Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Dutch authorities have shut down two command-and-control (C&C) servers used by Grum, one of the world's top spam producers.
However, the threat remains active as other C&C servers used by the spam-spewing botnet are still active, according to a security researcher.
Last week, Atif Mushtaq, senior staff scientist at security firm FireEye, posted on the company's Malware Intelligence Lab blog the IP addresses of four C&C servers controlling the Grum botnet. Two servers in the Netherlands served as secondary command hubs, while one in Russia and another in Panama acted as Grum's primary servers, he said.
Not long after, Dutch police pulled the plug on the two secondary servers.
Grum is configured so that the primary units push configuration updates to infected computers, while the secondary servers provide specific instructions on which spam messages to send. That means the Dutch takedown will prevent zombie machines from delivering spam, which should have a huge impact on the global volume of unsolicited email.
However, since the primary servers are still operating, Grum's botmasters can theoretically try to recover its network of compromised PCs by using the remaining ones to push out an update to the zombies, Mushtaq said Tuesday in another blog post. The update could provide IP addresses of new secondary hubs, if the botmasters decide to erect new ones.
The good news is that the bot herders haven't taken action yet.
"There is complete silence from their side," Mushtaq wrote.
But, it's remains unclear if the two servers going offline have crippled the botnet. Grum has no failback mechanism, and has just a few IPs hardcoded into the binaries, Mushtaq wrote. The botnet is divided into small segments, so even if some servers remain active, other parts may be unable to get back online.
Grum is the world's third-largest spam botnet in terms of spam volume, accounting for 17 percent of total unwanted emails flooding inboxes every day, he said. Its first version appeared in early 2008 and it eventually rose to prominence after companies, such as Microsoft, and law enforcement authorities disabled Rustock and other spam botnets.
Recently, Grum briefly overtook the Lethic botnet for the top slot, according to security and compliance vendor Trustwave's spam statistics. Grum, Cutwail and Lethic are currently the three most active spam-sending botnets, and Trustwave estimated Grum may have been responsible, before the takedown, for 35 percent of the world's spam traffic.
Phil Hay, a Trustwave researcher, told SCMagazine.com on Tuesday that he didn't have an idea of the botnet's prevalence in the United States, but pegged it "in the order of tens to hundreds of thousands [of zombie machines]."
This article originally appeared at scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.
