SecurityWeek

Cybercrime

Grum Botnet Attempts a Comeback – Dies a Quick Death

Researchers at FireEye recently detected two new Grum command servers, as the botnet’s owners attempted to remain under the radar while they rebuilt it. The rebirth was short-lived, as the C&Cs (hosted in Turkey) were taken offline within hours.

In July, researchers from FireEye were part of a team that took down Grum, one of the world’s largest botnets. Within three days, the botnet fell from 120,000 IP addresses to just over 20,000. Within a month, the botnet was dead in the water, its owners seeming to have given it up.

“Apart from an unsuccessful recovery attempt made by the bot herders a few days after the takedown, we never noticed any movement from the opposite side. Apparently the Grum guys had given up their botnet. But the bot herders always had the option to take the risk and start rebuilding this botnet from scratch. This is precisely what they tried to do last week,” wrote FireEye’s Atif Mushtaq in a blog post.

While the two C&C servers were operational, the botnet owners didn’t use them to send spam, or to do anything else; they simply turned them on. Mushtaq speculated that this was because the group wanted to “keep themselves under the radar.”

Either way, between FireEye and Spamhaus, Grum has been consistently monitored, so when the new servers became active, they were detected almost immediately.

“The good news is that both servers are dead at the moment, effectively killing this new segment of Grum,” he concluded.

When the Grum botnet was in normal operation, Symantec researchers estimated that it was responsible for about one-third of all spam being sent worldwide. The takedown led to an instant drop in global spam email volumes of as much as 15 to 20 percent, according to July’s Symantec Intelligence Report. But about a month later, spam levels came back up, showing that the takedown’s effect on global spam was actually minimal.

“There’s been minimal to no change in spam as a result of the Grum takedown,” an Abuse Desk Analyst at Symantec told SecurityWeek in August.
