Grum botnet, which sent 18% of the world's spam, shut down

    FireEye experts say they have discovered and disabled the command servers of the Grum spam botnet. The servers were located in the Netherlands, Panama, Russia and Ukraine. On Monday, one of the Dutch servers was shut down. On Tuesday, the Panamanian servers were taken out of the botnet operators' control; however, the spammers managed to bring up two new command nodes in Ukraine. Despite this, the botnet was finished off on Wednesday morning with the help of specialists from Spamhaus, CERT-GIB and an anonymous hacker under the nickname Nova7, who, through their contacts in Russia and Ukraine, quickly passed all the necessary information to the providers whose networks hosted the command servers.

    The Grum botnet had been operating since 2008. According to Spamhaus, at the time of the shutdown the botnet was actively sending spam from 120,000 IP addresses. After the command servers were blocked, just over 20,000 of them remain. The remnants of the botnet are carrying out the last tasks they received before the block, and their activity will soon come to nothing. According to Atif Mushtaq, a FireEye employee, the Grum virus is designed so that zombie computers that have lost contact with one command server cannot connect to another. So the spammers will not be able to restore the botnet quickly, as has often happened with other networks.

    See the FireEye blog for details.

