Grum botnet


The Grum botnet, also known by its aliases Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. [1] Once the world's largest botnet, Grum can be traced back to as early as 2008. [2] At the time of its shutdown in July 2012, Grum was reportedly the world's third-largest botnet, [3] responsible for 18% of worldwide spam traffic. [4] [5]


Grum relies on two types of control servers for its operation. One type is used to push configuration updates to the infected computers, and the other is used to tell the botnet which spam e-mails to send. [6]

In July 2010, the Grum botnet consisted of an estimated 560,000–840,000 computers infected with the Grum rootkit. [7] [8] The botnet alone delivered about 39.9 billion [9] spam messages in March 2010, equating to approximately 26% of the total global spam volume and temporarily making it the world's then-largest botnet. [10] [11] Late in 2010, the botnet seemed to be growing, as its output increased by roughly 51% compared with its output in 2009 and early 2010. [12] [13]

The operators controlled the botnet through a web panel written in PHP. [14]

Botnet takedown

In July 2012, a malware intelligence company published an analysis of the botnet's command and control servers located in the Netherlands, Panama, and Russia. It was later reported that, soon after their existence was made public, the Dutch colocation provider/ISP seized two secondary servers responsible for sending spam instructions. [15] Within one day, the Panamanian ISP hosting one of Grum's primary servers followed suit and shut down its server. [16] The cybercriminals behind Grum quickly responded by sending instructions through six newly established servers in Ukraine. [17] FireEye worked with Spamhaus, CERT-GIB, and an anonymous researcher to shut down the remaining six C&C servers, officially knocking down the botnet. [17]

Grum botnet zombie clean-up

A sinkhole ran on some of the former IP addresses of the Grum C&C servers. A feed from the sinkhole was processed by both Shadowserver and Abusix to inform the point of contact at each ISP that had infected IP addresses. ISPs are asked to contact their customers about the infections so that the malware can be cleaned up. Shadowserver.org informs the users of its service once per day, and Abusix sends out an X-ARF (eXtended Abuse Reporting Format) report every hour.
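The sinkhole-to-ISP notification flow described above, as an added example that is not code from the article, Shadowserver or Abusix: raw connection logs from the sinkhole addresses are parsed, each infected source address is mapped to its network's abuse contact, and sightings are grouped per day and per ISP so that an address is reported to a given contact at most once a day. The log lines, prefixes and abuse contacts are all constructed (documentation address ranges and `.invalid` domains), and the plain-text report is a simplified stand-in for the real X-ARF format, not an implementation of it.

```python
"""Sinkhole feed processing (added example; all data constructed)."""
from datetime import datetime
import ipaddress

# Constructed sinkhole log: "<timestamp> <source IP> <sinkhole IP>".
# 203.0.113.17 appears twice on 2012-07-20 and again on 2012-07-21;
# the last line is deliberately malformed to exercise the parser.
SINKHOLE_LOG = """\
2012-07-20T03:14:07Z 203.0.113.17 192.0.2.10
2012-07-20T03:14:09Z 203.0.113.17 192.0.2.10
2012-07-20T04:02:51Z 198.51.100.4 192.0.2.10
2012-07-20T09:30:00Z 203.0.113.99 192.0.2.11
2012-07-21T00:05:12Z 203.0.113.17 192.0.2.10
not a valid log line
"""

# Constructed prefix -> (ISP name, abuse contact) table. A real feed would
# derive this from WHOIS / IRR data rather than a hard-coded dictionary.
PREFIX_CONTACTS = {
    "203.0.113.0/24": ("Example Net A", "abuse@example-a.invalid"),
    "198.51.100.0/24": ("Example Net B", "abuse@example-b.invalid"),
}


def parse_line(line):
    """Return (timestamp, source_ip) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        src = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return ts, src


def lookup_contact(ip):
    """Longest-prefix match of ip against PREFIX_CONTACTS; None if unknown."""
    ip = ipaddress.ip_address(ip)
    best_net, best_contact = None, None
    for prefix, contact in PREFIX_CONTACTS.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_contact = net, contact
    return best_contact


def build_reports(log_text):
    """Group sightings by (day, ISP) so each IP is reported once per day.

    Returns {(day, isp_name): {"contact": email, "ips": {ip: first_seen}}}.
    Malformed lines and addresses with no known contact are skipped.
    """
    reports = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        contact = lookup_contact(src)
        if contact is None:
            continue
        isp, email = contact
        key = (ts.date().isoformat(), isp)
        entry = reports.setdefault(key, {"contact": email, "ips": {}})
        # Keep only the first sighting of the day; repeats are deduplicated.
        entry["ips"].setdefault(str(src), ts.isoformat())
    return reports


def render_report(day, isp, entry):
    """Format one plain-text notification for an ISP's abuse contact."""
    lines = [
        f"To: {entry['contact']}",
        f"Subject: Sinkhole sightings for {isp} on {day}",
        "",
        "The following addresses in your network contacted a Grum sinkhole:",
    ]
    for ip, first_seen in sorted(entry["ips"].items()):
        lines.append(f"  {ip}  first seen {first_seen}")
    return "\n".join(lines)


if __name__ == "__main__":
    for (day, isp), entry in sorted(build_reports(SINKHOLE_LOG).items()):
        print(render_report(day, isp, entry), end="\n\n")
```

Running the block prints three notifications: two for 2012-07-20 (one per ISP) and one for 2012-07-21, with the repeated 203.0.113.17 sighting collapsed into a single line per day. The once-per-day grouping mirrors the daily cadence the paragraph attributes to Shadowserver; an hourly cadence would simply use a coarser key such as the hour instead of the date.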


References

  1. "Grum". M86 Security. 2009-04-20. Retrieved 2010-07-30.
  2. Atif Mushtaq (2012-07-09). "Killing the Beast - Part 5". FireEye. Retrieved 2012-07-11.
  3. Mushtaq, Atif (2012-07-18). "Grum, World's Third-Largest Botnet, Knocked Down | FireEye Blog". Fireeye.com. Archived from the original on 2014-01-17. Retrieved 2014-01-09.
  4. "Huge spam botnet Grum is taken out by security researchers". BBC News. 19 July 2012.
  5. "Researchers Say They Took Down World's Third-Largest Botnet". New York Times. 2012-07-18. Retrieved 2012-07-18.
  6. "One of the world's largest spam botnets still alive after suffering significant blow". IDG. 2012-07-17. Archived from the original on 2018-11-30. Retrieved 2012-07-17.
  7. "Research: Small DIY botnets prevalent in enterprise networks". ZDNet. Retrieved 2010-07-30.
  8. "MessageLabs Blog - Evaluating Botnet Capacity". Messagelabs.com.sg. Archived from the original on April 18, 2013. Retrieved 2010-07-30.
  9. "Which Botnet Is Worst? Report Offers New Perspective On Spam Growth - botnets/Security". DarkReading. 30 September 2009. Retrieved 2010-07-30.
  10. "Grum and Rustock botnets drive spam to new levels". Securecomputing.net.au. 2010-03-02. Archived from the original on 2010-12-07. Retrieved 2010-07-30.
  11. Whitney, Lance (2010-03-02). "Botnets cause surge in February spam | Security - CNET News". News.cnet.com. Retrieved 2010-07-30.
  12. James Wray and Ulf Stabe (2010-03-01). "Spam volumes surge thanks Grum and Rustock botnets - Security". Thetechherald.com. Archived from the original on 2010-07-21. Retrieved 2010-07-30.
  13. "MessageLabs: Botnets a threat to email marketing - Email Marketing". BizReport. 2009-09-30. Retrieved 2010-07-30.
  14. Brian Krebs (2012-08-20). "Inside the Grum botnet".
  15. Steve Ragan (2012-07-17). "Dutch Police Takedown C&Cs Used by Grum Botnet". Security Week. Retrieved 2012-07-17.
  16. Alex Fitzgerald (2012-07-19). "Botnet Responsible for 18% of World's Spam Knocked Offline". Mashable. Retrieved 2012-07-19.
  17. Atif Mushtaq (2012-07-19). "Grum, World's Third-Largest Botnet, Knocked Down". FireEye. Retrieved 2012-07-19.