Bot Herders Failed to Revive Grum

ZDNet.com published a report on 24th July, 2012 stating that the cybercriminals responsible for the Grum botnet made an attempt to bring it back on 23rd July, 2012 but security officials killed it at the right time.

Help net Security published a statement on 24th July, 2012 quoting the comment of Atif Mushtaq, a security researcher with Fire Eye. According to Mushtaq, the bot herders employed another fallback mechanism, money, when there was an absence of any absence of any built-in-fallback mechanisms.

Blog.fjreeye.com published a report on 23rd July, 2012 quoting Mushtaq as saying that during the weekend, Fir Eye found Ukrainian ISP SteepHost detached the untrue route on three Command & Control (CnCs) that was taken down during third week of July, 2012. We instantly noticed this modification and contacted SteepHost and after negotiations they shut down these CnCs. At this time, Grum sent a short explode of spam but it had moved out on the morning of 23rd July, 2012."

It's not unusual to observe botnets which have been taken down or damaged and resurfaced after some time. In a number of cases, this is due to bot herders moving their C&C infrastructure to collapse back servers that are set up especially for this purpose. In different cases, other group of criminals will employ the same malware or a close relative of it and stand up as a distinct botnet with the similar characteristics.

The names may vary but the game remains the same.

The story of Grum was altogether different. One of the hosting contributors moved to re-establish connectivity to three C&C servers it restricted. According to Mushtaq, a representative of a global anti spam clearinghouse SpamHaus talked to officials of SteepHost about the knowledge of restoring Grum C&C servers.

According to SteepHost ISP, the Grum's servers returned online because of break-ins and various other security reasons. However, they were susceptible of getting de-peered off the Internet by their upstream provider or of getting their subnet blacklisted if something happens like this again.

Related article: Bot Builds Spam - Spreading Zombie Army

» SPAMfighter News - 8/1/2012