Grum botnet is staging a comeback

Remember the apparently successful Grum botnet takedown? Well, Grum is staging a comeback. Sure, a few tens of thousands of spam messages in August 2012 doesn’t seem like much compared to the millions in Grum’s heyday in July 2012, yet those new numbers are clearly increasing.

July, August 2012 Grum botnet top 10 ASNs

Let’s compare the July 2012 Grum botnet top 10 ASNs to the August 2012 top 10. Still spewing spam from Grum in August were India’s AS 9829 BSNL-NIB – National Internet Backbone, Korea’s AS 4766 KIXS-AS-KR – Korea Telecom, and Vietnam’s AS 7643 VNPT-AS-VN – Vietnam Posts and Telecommunications (VNPT). Is there a pattern there? National government-sponsored Internet backbones don’t clean up their spam-spewing botnet act well?

July 2012 Grum botnet top 10 ASNs

Congratulations to those ASNs missing from the new top 10, which are:

  • India’s AS 24560 AIRTELBROADBAND-AS-AP – Bharti Airtel Ltd. and AS 18101 IL-IDC – Reliance Infocom Ltd Internet Data Centre,
  • Vietnam’s AS 7552 VIETEL-AS-AP – Vietel Corporation and AS 18403 FPT-AS-AP – The Corporation for Financing & Promoting Technology,
  • Pakistan’s AS 17557 PKTELECOM-AS-PK – Pakistan Telecommunication Company Limited,
  • Belarus’ AS 6697 BELPAK-AS, and
  • Indonesia’s AS 17974 TELKOMNET-AS2-AP – PT Telekomunikasi Indonesia.

August 2012 Grum botnet top 10 ASNs

Graphs by John S. Quarterman for

New in the top 10 for August were Israel’s AS 8551 BEZEQ-INTERNATIONAL-AS – Bezeqint Internet Backbone, Korea’s AS 3786 LGDACOM – LG DACOM Corporation and AS 17858 POWERVIS-AS-KR – LG Uplus (two ASNs by the same corporation?), China’s AS 4134 CHINANET-BACKBONE – Chinanet backbone, Kazakhstan’s AS 9198 KAZTELECOM-AS – JSC Kazakhtelecom, U.K.’s AS 5089 NTL – NTL Group Limited, and Peru’s AS 6147 SAA – Telefonica del Peru S.A.A.

How many of these Grum-infested ASNs will show up at the top of the world rankings or of their country rankings? Not so much because of Grum, as because the same vulnerabilities that let in Grum let in Festi or something else?