Researchers at FireEye recently detected two new Grum command-and-control (C&C) servers, as the botnet’s owners attempted to rebuild it while remaining under the radar. The rebirth was short-lived: the C&Cs, hosted in Turkey, were taken offline within hours.
In July, researchers from FireEye were part of a team that took down Grum, one of the world’s largest botnets. Within three days, the botnet fell from 120,000 IP addresses to just over 20,000. Within a month, the botnet was dead in the water, its owners apparently having given it up.
“Apart from an unsuccessful recovery attempt made by the bot herders a few days after the takedown, we never noticed any movement from the opposite side. Apparently the Grum guys had given up their botnet. But the bot herders always had the option to take the risk and start rebuilding this botnet from scratch. This is precisely what they tried to do last week,” wrote FireEye’s Atif Mushtaq in a blog post.
While the two C&C servers were operational, the botnet owners did not use them to send spam or to do anything else; they simply turned them on, likely because the group wanted to “keep themselves under the radar,” Mushtaq speculated.
Either way, Grum has been consistently monitored by both FireEye and Spamhaus, so when the new servers became active, they were detected almost immediately.
“The good news is that both servers are dead at the moment, effectively killing this new segment of Grum,” he concluded.
When the Grum botnet was in normal operation, Symantec researchers estimated that it was responsible for about one-third of all spam sent worldwide. The takedown led to an immediate drop in global spam email volumes of as much as 15 to 20 percent, according to July’s Symantec Intelligence Report. About a month later, however, spam levels had recovered, showing that the takedown’s effect on global spam was actually minimal.
“There’s been minimal to no change in spam as a result of the Grum takedown,” an Abuse Desk Analyst at Symantec told SecurityWeek in August.