Botnet C&C Servers Unplugged

Wednesday, July 18, 2012 @ 03:07 PM gHale

Two of the command-and-control (C&C) servers for one of the top spam-producing botnets, Grum, are now unplugged, Dutch authorities said.

The action was not a complete knockout, though: two other C&C servers are still at work, but researchers are optimistic the volume of spam will drop as a result.


Researchers at FireEye had been watching the Grum botnet for a while and had pinpointed the four C&C servers used to control it. Two of the servers were in the Netherlands, one in Russia and one in Panama. In the last few days, officials in the Netherlands pulled the plug on the two servers in their country, severing half of the Grum botnet’s command infrastructure.

“These two CnC servers were responsible for pumping spam instructions to their zombies,” said Atif Mushtaq of FireEye in a blog post. “With these two servers offline, the spam template inside Grum’s memory will soon time out and the zombies will try to fetch new instructions but will not be able to find them. Ideally this should stop these bots from sending more spam. I am sure the absence of the spam sent by the world’s third largest spam botnet will have a significant impact on the global volume.”

Mushtaq said the company had been in touch with the hosting providers in Russia and Panama, where the two remaining C&C servers are, but has had no luck getting them to respond.

“The ISP/Colos involved were contacted but they ignored the abuse notifications sent to them, even though they contained clear and complete evidence of bad behavior. This means that using these two live servers, the bot herders might try to recover their botnets by executing a worldwide update. No action has been taken by the bot herders so far. There is complete silence from their side,” he said.
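The behaviour Mushtaq describes in the two quotes above, a spam template that times out once the bots can no longer reach their C&C servers, and the risk that the herders repoint the bots with a “worldwide update” from surviving servers, can be modelled in a few dozen lines. The following Python is an added example, not FireEye’s code or Grum’s actual protocol; the server names (nl-1, ru-1, pa-1), the template TTL and the check-in logic are constructed assumptions for illustration only:

```python
"""Toy model of a spam bot's dependence on reachable C&C servers.

Added example: not FireEye's code or Grum's real protocol. Server names,
TTL values and the check-in order are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class CncServer:
    """A command-and-control server as seen by the bots."""
    online: bool = True
    template: str = "spam-template-v1"
    template_ttl: int = 3          # ticks a fetched template stays valid (assumed)
    # If set, the server also hands the bot a new C&C list ("worldwide update").
    update: Optional[List[str]] = None


@dataclass
class Zombie:
    """An infected host that only knows the C&C names baked into it."""
    cnc_list: List[str]
    template: Optional[str] = None
    template_expires_at: int = -1
    log: List[str] = field(default_factory=list)

    def fetch_instructions(self, now: int, servers: Dict[str, CncServer]) -> bool:
        """Try each known C&C in order; return True if a template was obtained."""
        for name in list(self.cnc_list):
            srv = servers.get(name)
            if srv is None or not srv.online:
                continue
            self.template = srv.template
            self.template_expires_at = now + srv.template_ttl
            if srv.update:
                # The herders repoint the bot at fresh infrastructure.
                self.cnc_list = list(srv.update)
                self.log.append(f"t={now}: updated C&C list to {self.cnc_list}")
            return True
        return False

    def tick(self, now: int, servers: Dict[str, CncServer]) -> bool:
        """One cycle: renew the template if it expired, then spam if we have one."""
        if self.template is None or now >= self.template_expires_at:
            self.template = None
            if not self.fetch_instructions(now, servers):
                self.log.append(f"t={now}: no C&C reachable, idle")
                return False
        return True  # the bot would send spam this cycle


def simulate(zombie: Zombie, servers: Dict[str, CncServer], ticks: int,
             events: Dict[int, Callable[[Dict[str, CncServer]], None]]) -> List[bool]:
    """Run the bot for `ticks` cycles, applying seizure events at the given ticks.

    Returns, per tick, whether the bot was able to send spam.
    """
    spammed = []
    for now in range(ticks):
        if now in events:
            events[now](servers)
        spammed.append(zombie.tick(now, servers))
    return spammed


def seize(*names: str) -> Callable[[Dict[str, CncServer]], None]:
    """Event: authorities unplug the named servers."""
    def _apply(servers: Dict[str, CncServer]) -> None:
        for n in names:
            servers[n].online = False
    return _apply


def takedown_without_update() -> List[bool]:
    """Bots only know the two Dutch servers; both are seized at tick 2.

    Spam continues until the cached template expires, then stops for good.
    """
    servers = {"nl-1": CncServer(), "nl-2": CncServer()}
    bot = Zombie(cnc_list=["nl-1", "nl-2"])
    return simulate(bot, servers, ticks=8, events={2: seize("nl-1", "nl-2")})


def takedown_after_update() -> List[bool]:
    """Same seizure, but the herders pushed a new C&C list before it happened."""
    servers = {
        "nl-1": CncServer(update=["ru-1", "pa-1"]),
        "nl-2": CncServer(update=["ru-1", "pa-1"]),
        "ru-1": CncServer(template="spam-template-v2"),
        "pa-1": CncServer(template="spam-template-v2"),
    }
    bot = Zombie(cnc_list=["nl-1", "nl-2"])
    return simulate(bot, servers, ticks=8, events={2: seize("nl-1", "nl-2")})


if __name__ == "__main__":
    print("no update:  ", takedown_without_update())
    print("with update:", takedown_after_update())
```

In the first scenario the bot keeps spamming for the remaining life of its cached template and then falls silent, which is the outcome Mushtaq predicts. In the second, a C&C list update delivered before the seizure lets the bot fail over to the untouched servers, which is why reaching the remaining hosting providers matters as much as the seizure itself.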

Researchers and law enforcement agencies worldwide have been targeting major botnets with a variety of techniques for several years, with varying degrees of success. Botnets such as Mariposa, Kelihos, Rustock, and Zeus have been the subject of various takedown attempts. In some cases, they’ve been quite successful, and have had an effect on the level of spam or other criminal activity. In other cases, the botnets have morphed or bounced back in new forms.

But researchers have been honing their techniques as well, and the involvement of big companies such as Microsoft, with a lot of legal and financial resources behind them, has made life more difficult for botnet operators.
