The number of IPs used to send out spam dropped from 120,000 to 21,000 almost immediately

Jul 19, 2012 06:54 GMT

Shortly after Dutch authorities took down two of the command and control (C&C) servers used by Grum – the world’s third largest botnet – FireEye experts called out to the security community hoping to convince Russian and Panamanian ISPs to do the same.

It wasn’t easy, but yesterday morning the experts announced the end of Grum.

A few hours after the world learned that the servers in the Netherlands had been shut down, researchers noticed that the ISP in Panama that housed the C&C server had acted to shut it down.

However, the botnet’s masters weren’t going to give up that easily. They started moving the servers to Ukraine, a country that up until now has been considered a safe haven for cyber criminals.

Fortunately, Spamhaus representatives, Alex Kuzmin of CERT-GIB, and an anonymous researcher – using the information gathered by FireEye – managed to pull some strings and took down the Russian server and the six in Ukraine.

While the Russian ISP responsible for the server wasn’t too cooperative, an upstream provider null-routed the IP address it used and took it out of the game.

The figures from Spamhaus show that of the 120,000 IP addresses that have been sending out spam messages, there are only around 21,000 left after the takedown.

On the other hand, the 120,000 IPs don’t represent the size of Grum. The botnet was much bigger, considering that not all the bots sent spam: some of them, hosted in corporate environments, were used to host shady advertisement websites.

“There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox,” Atif Mushtaq of FireEye concluded.