Grum Botnet Shut Down

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

Grum Botnet Shut Down

Postby HansTheBlueFrog » Thu Jul 19, 2012 3:33 pm

HansTheBlueFrog
Spam Investigator
 
Posts: 343
Joined: Wed Feb 04, 2009 3:23 pm

Re: Grum Botnet Shut Down

Postby spamislame » Thu Jul 19, 2012 6:07 pm

That story is definitely making the rounds. It's also pretty widely discussed by people on Facebook. Much more public than previous botnet takedown stories. I like that.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Grum Botnet Shut Down

Postby NotBuyingIt » Fri Jul 20, 2012 1:42 am

BBC: "A botnet which experts believe sent out 18% of the world's spam email has been shut down...."

CNN: "50% of worldwide spam is gone" (story)

I suppose the difference in the calculations has something to do with how differently the comma (,) and the point (.) are used in European and American numerics.
NotBuyingIt
Spammer Killing Machine
 
Posts: 611
Joined: Sun Jun 13, 2010 5:22 pm

Re: Grum Botnet Shut Down

Postby Red Dwarf » Fri Jul 20, 2012 7:42 am

It will be interesting to see if this continues for Grum and Lethic, or if there is a recovery after all.

The relative botnet sizes are well depicted in the graph at https://www.trustwave.com/support/labs/ ... istics.asp
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10485
Joined: Tue Jun 27, 2006 2:01 am

Re: Grum Botnet Shut Down

Postby randy67 » Thu Jul 26, 2012 1:44 pm

I don't know if a botnet was restored or a new one is online. I've been slammed with Viagra spams at over 40 an hour. At least 75% are from Saudi. The abuse address from Spamcop is abuse @ saudi.net.sa or something like that.
The same thing happened last week and the week before for a few days.
Last edited by randy67 on Thu Jul 26, 2012 7:43 pm, edited 1 time in total.
You yet did not try SPICE? Not the SPAM!!!
randy67
Spam Reporter
 
Posts: 125
Joined: Fri Aug 25, 2006 7:48 pm

Re: Grum Botnet Shut Down

Postby AlphaCentauri » Thu Jul 26, 2012 5:04 pm

Probably you were targeted by the "Spice" guys again, trying to joejob their competitors or anyone else they want to annoy. They're obviously using a botnet to do it. You may be able to find out which one by checking the originating IP in the headers, and then looking it up at CBL:

http://cbl.abuseat.org/lookup.cgi

I got a ton yesterday. I just looked up a couple and they were both from the festi botnet.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Grum Botnet Shut Down

Postby Red Dwarf » Thu Jul 26, 2012 5:26 pm

This week's graph at https://www.trustwave.com/support/labs/ ... istics.asp
shows Lethic went from the biggest spamming botnet on July 16 to zero activity on July 22.

Grum seems unaffected in its performance all of this year, being consistently up at number 2, formerly trailing Lethic but now trailing a resurgent Cutwail 1
Rumors of a Grum shutdown are certainly premature at this time.

TechCrunch gives a more realistic view of the status:
Ref: http://techcrunch.com/2012/07/19/sound- ... m-network/
Although the Russian and Ukrainian servers are still running, the group reduced total spam output from 120,000+ IPs to 21,000, reducing the overall spam load. It’s not over yet, but it’s a dent in the overall feed.


The definitive report to date is at FireEye
http://blog.fireeye.com/research/2012/0 ... avens.html
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10485
Joined: Tue Jun 27, 2006 2:01 am

Re: Grum Botnet Shut Down

Postby Red Dwarf » Thu Jul 26, 2012 6:09 pm

AlphaCentauri wrote: Probably you were targeted by the "Spice" guys again, trying to joejob their competitors or anyone else they want to annoy. They're obviously using a botnet to do it. You may be able to find out which one by checking the originating IP in the headers, and then looking it up at CBL:

http://cbl.abuseat.org/lookup.cgi

I got a ton yesterday. I just looked up a couple and they were both from the festi botnet.


Likewise. Following your example I also found the FESTI botnet responsible:
CBL wrote: IP Address 82.222.190.194 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-07-26 07:00 GMT (+/- 30 minutes), approximately 15 hours ago.
This IP is infected (or NATting for a computer that is infected) with the festi spambot.

IP Address 119.226.173.35 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-07-25 14:00 GMT (+/- 30 minutes), approximately 1 days, 7 hours, 59 minutes ago.
This IP is infected (or NATting for a computer that is infected) with the festi spambot.

IP Address 92.45.88.206 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-07-25 16:00 GMT (+/- 30 minutes), approximately 1 days, 5 hours, 30 minutes ago.
This IP is infected (or NATting for a computer that is infected) with the festi spambot.

IP Address 123.201.147.34 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-07-26 06:00 GMT (+/- 30 minutes), approximately 16 hours, 30 minutes ago.
This IP is infected (or NATting for a computer that is infected) with the festi spambot.


These were originating IPs for the rash of spams on July 11 in the form:

Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10485
Joined: Tue Jun 27, 2006 2:01 am
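The triage AlphaCentauri describes (take the originating IP from the headers, then look it up at CBL) and the listing text Red Dwarf quotes, worked through as an added Python example that is not code from the thread or from CBL. The sample message is constructed, the CBL text is copied from the post above, and the DNSBL zone name cbl.abuseat.org is an assumption; no network lookup is performed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: one internal relay (RFC 1918) above the edge MX record,
# which names the connecting host (an IP quoted in the thread). The bottom
# Received line was supplied by the sender and is forged.
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.168.1.20])
\tby mailstore.example.org with ESMTP; Thu, 26 Jul 2012 07:12:02 +0000
Received: from [82.222.190.194] (unknown [82.222.190.194])
\tby mx1.example.org with SMTP; Thu, 26 Jul 2012 07:12:01 +0000
Received: from relay.example (relay.example [198.51.100.7])
\tby 82.222.190.194 with SMTP; Thu, 26 Jul 2012 07:11:00 +0000
Subject: New RX Shop
"""

# Two of the CBL results quoted in the thread, pasted as sample input.
SAMPLE_CBL = """\
IP Address 82.222.190.194 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-07-26 07:00 GMT (+/- 30 minutes), approximately 15 hours ago.
This IP is infected (or NATting for a computer that is infected) with the festi spambot.
IP Address 119.226.173.35 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-07-25 14:00 GMT (+/- 30 minutes), approximately 1 days, 7 hours, 59 minutes ago.
This IP is infected (or NATting for a computer that is infected) with the festi spambot.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LISTING_RE = re.compile(
    r"IP Address (\S+) is listed in the CBL.*?last detected at "
    r"(\d{4}-\d\d-\d\d \d\d:\d\d) GMT.*?with the (\w+) spambot", re.S)

def originating_ip(raw_message):
    """Walk Received headers newest-first, skip our own private-space relays and
    return the first public address: the host that connected to the edge MX.
    Lines below that were written by the sender and may be forged (198.51.100.7)."""
    for hdr in message_from_string(raw_message).get_all("Received", []):
        m = IP_RE.search(hdr)
        if m and ipaddress.ip_address(m.group(1)).is_global:
            return m.group(1)
    return None

def dnsbl_query_name(ip, zone="cbl.abuseat.org"):
    """Reversed-octet name for a DNSBL query (zone assumed; lookup left to the reader)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def parse_cbl_listings(text):
    """Reduce CBL lookup text to (ip, last_detected_utc, botnet) tuples for attribution."""
    return LISTING_RE.findall(text)
```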

