The creators of the infamous Grum botnet managed to briefly bring the spam network back from the dead, before it was once again shut down.
Security vendor FireEye reported the attempt to get the botnet back online took place on Monday.
"Over the weekend we found that the Ukrainian internet service provider (ISP) SteepHost removed the null route on three [command and control servers] that were taken down last week," wrote FireEye researcher Atif Mushtaq in a blog post.
"We immediately noticed this change and contacted SteepHost once again. After hours of negotiations, they eventually shut down these CnCs once more. During this time there was a short burst of spam sent by Grum, but it has disappeared as of this morning."
FireEye originally took down Grum on 19 July following a joint operation with spam-tracking service SpamHaus and local ISPs.
Grum is believed to have been the world's third-largest botnet, with researchers estimating it was spitting out 18 billion spam messages a day at its peak.
Mushtaq warned that the botnet's operators may make a similar attempt to reactivate Grum in the near future, claiming the success of the operation would depend on ISPs.
"What are the odds that something like this will happen again? It's hard to predict at this time. Carel Van Straten of SpamHaus had a conversation with a SteepHost representative this morning. SteepHost assured him that something like this will not happen again," wrote Mushtaq.
"Interestingly, their excuses for letting these servers go online were break-ins and security-related issues. Funny, isn't it? They even claimed that this time they wiped out the CnC servers' hard drives. Wow, virtually destroying all of the evidence?"
Prior to Mushtaq's claim, Microsoft Trustworthy Computing director Tim Rains had issued a warning that Europe's cyber crime business is booming.