The cybersecurity community received a rare bit of good news earlier in the month as authorities were able to corral Grum, the world's third-largest botnet. But if recent history is any indicator, the short-term excitement could be overstating the long-term impact.
A triumph of international collaboration
Security specialists from FireEye were at the helm of the Grum takedown plot, aided by key contributions from SpamHaus, CERT-GIB and local Internet service providers (ISPs) across multiple continents. Authorities estimated that at the peak of its powers, the four-year-old botnet was delivering approximately 18 million spam messages each day. Experts believe that figure may have represented between 18 and 35 percent of all global spam.
The strike began when FireEye teamed with a Dutch ISP to identify and shut down Grum's command and control servers. After gaining the upper hand, authorities in Panama and Russia were tasked with dismantling separate supporting infrastructure based in their countries.
In a last-ditch effort to save their illicit network, cybercriminals attempted to migrate their operations to Ukraine. But once again, local ISPs were able to thwart these plans with the intelligence provided by FireEye.
"Because of how the malware was written for Grum, when the master servers were killed, the infected machines could no longer send spam or communicate with a new server," FireEye CEO Ashar Aziz explained. "Botnet herders would have to start from scratch and infect hundreds of thousands of new machines to get something like Grum started again."
What's more, the Grum takedown seems to have struck fear into the hearts of several cybercrime networks, with spam volume from the Lethic botnet plunging almost overnight as hackers likely decided to constrict their operations and go deeper underground. As a result, some were suggesting that the sting had effectively reduced global spam by 50 percent in one fell swoop.
A long road to success
The end result notwithstanding, there were a number of encouraging takeaways from the dismantling of the Grum botnet. According to TechTarget, Internet security veterans were particularly impressed with how collaborators managed all of the moving parts. The full roster of those responsible for the takedown operation included private firms from the United States and Russia, an anonymous independent researcher and ISPs and law enforcement agencies across the Netherlands, Russia, Ukraine and Panama.
According to ZDNet, these close relationships were instrumental in thwarting the brief resurrection attempt staged by cybercriminals in the days following Grum's initial destruction. The hackers intended to pay Ukrainian ISP SteepHost to essentially clear the path to the old command and control servers, but authorities quickly intervened with a list of proposed sanctions against the firm.
"A strong warning has been given to SteepHost that if something like this happens again, a complaint will be filed with their upstream provider which might de-peer them off the Internet," FireEye officials stated. "Alternatively their whole subnet can be blacklisted, which could cause some serious damage to their business."
But if history is any indicator, it is unlikely that this will be the final chapter in the Grum saga. According to TechTarget, Microsoft's dismantling of the Rustock, Kelihos and Waledac botnets in recent years all garnered the same initial praise as FireEye has in this instance. But in reality, these allegedly decisive blows only had a "minimal, short-term impact" on global spam levels.
Because it was Grum's servers, not their operators, that were identified, the cybercriminals responsible are unlikely to find themselves standing before a judge. More likely they will lie low for a brief period of time before approaching their end goals from a new angle.
Security News from SimplySecurity.com by Trend Micro