Grum and other botnets, 1 June 2012 – 19 July 2012

Apparently the grum botnet has been taken down, or at least its command and control structure. We don’t see a lot of change yet, but we’ll keep watching.

BBC News wrote today, Huge spam botnet Grum is taken out by security researchers: A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network….

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Well, let’s have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday):

Top 10 Botnets

Dropouts on 26,27 June 2012 were due to software glitches on our end.
Graph by John S. Quarterman for from CBL data.

Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into what botnet it came from), so taking grum down is a big deal. However, we don’t really see much decrease in grum, except maybe on the last day shown. And we do see a huge decrease in lethic, which is the dark green line that plummets from almost 6,000,000 on 3 July to less than 121,000 on 19 July. And we see a big increase in festi, the bright green line that comes up from less than 832,000 on 28 June to almost 6,000,000 on 8 July, and then drops back to around 3,000,000. Compared to lethic and festi, nothing much has happened to grum yet.
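The comparison above (rank botnets by volume while setting n/a aside, then look for the kind of collapse seen in lethic and the surge seen in festi) can be done mechanically over per-day CBL-style counts. The following is an added example, not code from this site or from CBL; the rows are constructed to approximate the figures discussed above, and the botnet names, dates and threshold factor are assumptions.

```python
from collections import defaultdict

# Constructed sample of daily (date, botnet, spam_count) rows in the shape a
# CBL per-botnet export might take. Values only approximate the text above.
SAMPLE = [
    ("2012-06-28", "lethic", 5_500_000), ("2012-06-28", "festi", 830_000),
    ("2012-06-28", "grum", 1_600_000),   ("2012-06-28", "n/a", 9_000_000),
    ("2012-07-08", "lethic", 4_000_000), ("2012-07-08", "festi", 5_900_000),
    ("2012-07-08", "grum", 1_500_000),   ("2012-07-08", "n/a", 9_000_000),
    ("2012-07-19", "lethic", 120_000),   ("2012-07-19", "festi", 3_000_000),
    ("2012-07-19", "grum", 1_200_000),   ("2012-07-19", "n/a", 9_000_000),
]


def top_botnets(rows, n=10, exclude=("n/a",)):
    """Rank botnets by total spam over the period, skipping the n/a bucket
    (spam attributed to no particular botnet) so it cannot dominate the list."""
    totals = defaultdict(int)
    for _, botnet, count in rows:
        if botnet not in exclude:
            totals[botnet] += count
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def daily_series(rows, botnet):
    """Per-day volume for one botnet, in date order."""
    series = defaultdict(int)
    for date, name, count in rows:
        if name == botnet:
            series[date] += count
    return [(d, series[d]) for d in sorted(series)]


def flag_changes(series, factor=4.0):
    """Flag consecutive samples whose volume moved by at least `factor` (assumed
    threshold). A takedown should show up as a 'collapse'; a botnet absorbing
    the slack shows up as a 'surge'. Zero counts are guarded to avoid division by zero."""
    flags = []
    for (_, v0), (d1, v1) in zip(series, series[1:]):
        if v0 and v1 / v0 >= factor:
            flags.append((d1, v0, v1, "surge"))
        elif v1 and v0 / v1 >= factor:
            flags.append((d1, v0, v1, "collapse"))
    return flags
```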

Here’s a likely reason why:

Mr Mushtaq said more than 20,000 computers were still part of the botnet, but that without the active CnCs they would soon be rendered ineffective.

We will watch to see what happens.

Meanwhile, here’s another view. Grum botnet and its top 10 ASNs:

Grum botnet and its top 10 ASNs

Graph by John S. Quarterman for from CBL data.

The two ASNs found to be sending the most spam from grum do show curves very similar to that of grum itself (grum is the dark blue curve with no dots on it). The effect is less pronounced for the others, although they do all seem to turn down on that last day.

This will be quite interesting to watch.