FireEye specialists report that they have located and disconnected the command servers of the Grum spam botnet. The servers were located in the Netherlands, Panama, Russia and Ukraine. On Monday, one of the Dutch servers was taken down. On Tuesday, the Panamanian servers were taken out of the botmasters' control, but the spammers managed to bring up two new command nodes in Ukraine. Despite this, the botnet was finished off on Wednesday morning thanks to the assistance of Spamhaus, CERT-GIB specialists and an anonymous hacker under the nickname Nova7, who through their contacts in Russia and Ukraine promptly passed all the necessary information to the providers hosting the command servers.
The Grum botnet had been operating since 2008. According to Spamhaus, at the time of the takedown the botnet was actively sending spam from 120,000 IP addresses; after the command servers were blocked, just over 20,000 remained. The remaining bots are carrying out the last tasks they received before the block, and their activity should soon come to nothing.
According to FireEye employee Atif Mushtaq, the Grum malware is designed so that infected machines which lose contact with their command server cannot connect to another one. This means the spammers cannot quickly rebuild the botnet, as has often happened with other networks.
Details are in the FireEye blog.