Took only two weeks
Dutch coppers have pulled the plug on the Grum botnet just a week after the servers were identified by malware intelligence firm FireEye.
The speedy removal of the servers shines light on how quickly some law enforcement agencies work to take down spam. FireEye published the details on four servers, actively controlling the Grum botnet. Two in the Netherlands, one in Panama, and one in Russia and appeared to have primary and secondary roles. The backup servers were located in the Netherlands, and once word of their existence was released, Dutch authorities quickly seized them.
FireEye’s Atif Mushtaq wrote that he hoped that the hoped that the research community would come forward to take down the spam monster and he can see that the strategy is really working.
Grum is the world’s third largest botnet, producing some 17 percent of the total spam that floods email boxes daily. While the takedown of the secondary servers is expected to have some impact on the spam volume, it is understood that the impact will be minimal.
The two primary servers are fully active, and the datacenters hosting them are unresponsive to abuse reports. Mushtaq noted that the botnet does has some weak spots, including the fact that Grum has no failback mechanism, has just a few IPs hardcoded into the binaries, and the botnet is divided into small segments, so even if some C&Cs are not taken down, part of botnet can still remain offline.