Authorities down servers of third-largest spam botnet
'It's a dogfight between the research community and the bot herders,' researcher says
By Antone Gonsalves
July 18, 2012 — CSO — Authorities in three countries have taken down a half-dozen command-and-control servers for the Grum botnet, crippling the world's third-largest spam-spewing network.
A total of five servers in Panama and Ukraine were taken down Tuesday, while the plug was pulled on two servers in the Netherlands over the last few days, Atif Mushtaq, a researcher at FireEye's security lab, said.
FireEye, the Russian Computer Security Incident Response Team and the Spamhaus Project have been playing a cat-and-mouse game with the spammers, who have launched new servers when others are taken down.
"It's a dogfight between the research community and the bot herders," Mushtaq said. "Bot herders" is the term for the operators of a botnet, the network of malware-infected, commandeered computers under their control.
Grum is responsible for more than 17 percent of the world's spam, according to Mushtaq. Most of the spam sells fake Rolex watches and Viagra.
As of late Tuesday, the master server and one command-and-control server were operating in Russia, where Mushtaq believes the spammers are headquartered.
FireEye has watched Grum since 2008, when it was only the seventh or eighth largest spam botnet. Since then, larger botnets, such as Kelihos, Rustock and Zeus, have been taken down, so Grum has climbed up the charts.
Over the last few years, the tech industry has become more aggressive in battling botnets. In March, Microsoft won court permission to seize the servers of the Zeus botnet, which cybercriminals used to steal $100 million over five years.
Most of the money came through stealing online banking and e-commerce credentials. Microsoft also was involved in the takedown of servers in the Kelihos, Rustock and Waledac botnets.
The amount of spam flowing into people's inboxes has fallen at least 60 percent since the peak in 2008, Mushtaq said. Many ex-spammers have switched from running huge botnets that attract the attention of authorities to operating small networks aimed more at infecting computers with information-stealing malware.
"These guys have learned they need to fly under the radar," Mushtaq said. "Making one huge botnet will make them very visible."
Spammers also are turning from PCs to Android devices in building botnets for sending pharmacy, penny stock and e-card spam emails. Microsoft reported this month that it had seen spam originating from infected Android devices and relayed through Yahoo email servers. The infected devices were located in Ukraine, Russia, Chile, Argentina, Venezuela, Indonesia, Thailand, the Philippines, Lebanon, Oman and Saudi Arabia.
One consequence of sending spam from a mobile device is a higher wireless bill for the owner. Thousands of spam messages flowing from a device mean a big jump in data traffic, which can lead to additional charges once the volume exceeds the allowance of the owner's data plan.