Grum Botnet

The Grum botnet, also known by its aliases Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's third-largest botnet, responsible for 18% of worldwide spam traffic. Grum relied on two types of control servers for its operation: one type pushed configuration updates to the infected computers, and the other told the bots which spam e-mails to send. In July 2010, the Grum botnet consisted of an estimated 560,000–840,000 computers infected with the Grum rootkit. The botnet alone delivered about 39.9 billion spam messages in March 2010, approximately 26% of the total global spam volume, temporarily making it the world's then-largest botnet. Late in 2010, the botnet appeared to be growing, as its output increased by roughly 51% compared with its output in 2009 and early 2010. A control panel written in PHP was used to operate the botnet.


Botnet takedown

In July 2012, a malware intelligence company published an analysis of the botnet's command and control (C&C) servers located in the Netherlands, Panama, and Russia. It was later reported that the Dutch colocation provider/ISP seized two secondary servers responsible for sending spam instructions soon after their existence was made public. Within one day, the Panamanian ISP hosting one of Grum's primary servers followed suit and shut down its server. The cybercriminals behind Grum quickly responded by sending instructions through six newly established servers in Ukraine. FireEye worked with Spamhaus, CERT-GIB, and an anonymous researcher to shut down the remaining six C&C servers, officially knocking down the botnet.


Grum botnet zombie clean-up

A sinkhole was run on some of the former IP addresses of the Grum C&C servers. A feed from the sinkhole was processed by both Shadowserver and Abusix to inform the point of contact at each ISP that had infected IP addresses. ISPs are asked to contact their customers about the infections so that the malware can be cleaned up. Shadowserver.org informs the users of its service once per day, and Abusix sends out an X-ARF (extended Abuse Reporting Format) report every hour.
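As an added example (not from the article, and not Shadowserver's or Abusix's code), the following Python sketches the clean-up workflow described above: hits on the sinkholed former C&C addresses are attributed to an ISP point of contact and batched so that each infected IP is reported to that contact once per interval. The feed lines and the prefix-to-contact table are constructed for the example; a real feed would resolve contacts from WHOIS or ASN data.

```python
# Sinkhole-feed triage in the style of the Grum clean-up: hits on the sinkholed
# C&C addresses are attributed to an ISP point of contact and batched so each
# infected IP is reported once per interval. Constructed example, not
# Shadowserver's or Abusix's code.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sinkhole log: timestamp, infected source IP, sinkholed former C&C IP.
SINKHOLE_FEED = """\
2012-07-19T03:14:07Z 203.0.113.17 198.51.100.1
2012-07-19T03:14:09Z 203.0.113.17 198.51.100.1
2012-07-19T03:20:44Z 203.0.113.99 198.51.100.1
2012-07-19T04:02:13Z 192.0.2.55 198.51.100.2
2012-07-19T04:30:00Z 100.64.0.7 198.51.100.2
2012-07-20T05:00:00Z 203.0.113.17 198.51.100.1
"""

# Hypothetical prefix-to-abuse-contact table; a real feed resolves this from WHOIS/ASN data.
POC_BY_PREFIX = {
    ip_network("203.0.113.0/24"): "abuse@isp-a.example",
    ip_network("192.0.2.0/24"): "abuse@isp-b.example",
}

def parse_feed(text):
    """Yield (timestamp, source_ip, sinkhole_ip) from one record per line."""
    for line in text.splitlines():
        ts, src, dst = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip_address(src), ip_address(dst)

def lookup_poc(ip):
    """Return the abuse contact responsible for ip, or None if none is on file."""
    return next((c for net, c in POC_BY_PREFIX.items() if ip in net), None)

def build_notifications(feed_text, interval_hours=24):
    """One notification per (contact, infected IP) per interval; repeat hits inside the
    interval only raise its hit count. Returns (notifications, unattributed_hit_count)."""
    interval = timedelta(hours=interval_hours)
    notifications, open_notes, unattributed = [], {}, 0
    for ts, src, dst in parse_feed(feed_text):
        contact = lookup_poc(src)
        if contact is None:  # no contact on file: count it rather than drop it silently
            unattributed += 1
            continue
        idx = open_notes.get((contact, src))
        if idx is None or ts - notifications[idx]["first_seen"] >= interval:
            notifications.append({"contact": contact, "ip": str(src), "sinkhole": str(dst),
                                  "first_seen": ts, "hits": 1})
            open_notes[(contact, src)] = len(notifications) - 1
        else:
            notifications[idx]["hits"] += 1
    return notifications, unattributed
```

With the default 24-hour interval the sample feed yields four notifications (the repeat hit from 203.0.113.17 a day later opens a new one) and one unattributed hit; with a 48-hour interval it yields three.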


See also

* Botnet
* Malware
* E-mail spam
* Internet crime
* Internet security

