Grum down, but… 1 June 2012 – 30 July 2012, SpamRankings.net

Here is the promised followup to our look at the Grum botnet takedown, in which we have good news and not so good news.

A week ago we didn’t see much effect. As we noted, that was possibly because the takedown took down the command and control nodes, presumably leaving the bots still spewing whatever spam campaign they had already queued up.

Well, apparently that campaign ran out, because they stopped spewing. Here is an updated graph of the Grum botnet and its top 10 ASNs:

Grum botnet and its top 10 ASNs
Graph by John S. Quarterman for SpamRankings.net.

The updated Top 10 Botnets graph has good news and bad news:

Top 10 Botnets
Graph by John S. Quarterman for SpamRankings.net.

Indeed, Grum has dropped its spamming from millions to tens of thousands of messages seen by the CBL (Composite Blocking List). But look at the other line rocketing up to the right. That's the Festi botnet.
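The two graphs above are really one computation: sum per-botnet, per-ASN message counts over a window, rank them, and compare the window before the takedown with the window after. The script below does that on a handful of constructed rows. It is an added example for this post, not SpamRankings.net's own code; the counts are made up, the two date windows are arbitrary, and the ASNs are placeholders from the reserved private range (AS64512 and up), not real networks.

```python
"""Rank spam-sending ASNs per botnet and measure what a takedown changed.

Added example, not SpamRankings.net code. SAMPLE is constructed data in the
shape of a blocklist feed (day, botnet, ASN, messages seen); the numbers are
invented and the ASNs are reserved private-range placeholders.
"""
from collections import defaultdict
from datetime import date

# Constructed rows: (day, botnet, asn, messages_seen). Not real CBL data.
SAMPLE = [
    # window before the takedown
    (date(2012, 7, 10), "grum", "AS64512", 500_000),
    (date(2012, 7, 12), "grum", "AS64513", 400_000),
    (date(2012, 7, 14), "grum", "AS64514", 300_000),
    (date(2012, 7, 15), "grum", "AS64512", 400_000),
    (date(2012, 7, 11), "festi", "AS64520", 200_000),
    (date(2012, 7, 13), "festi", "AS64521", 100_000),
    (date(2012, 7, 12), "other", "AS64530", 400_000),
    # window after the takedown
    (date(2012, 7, 24), "grum", "AS64512", 20_000),
    (date(2012, 7, 26), "grum", "AS64513", 15_000),
    (date(2012, 7, 28), "grum", "AS64514", 5_000),
    (date(2012, 7, 25), "festi", "AS64520", 1_500_000),
    (date(2012, 7, 27), "festi", "AS64521", 900_000),
    (date(2012, 7, 26), "other", "AS64530", 420_000),
]

# Arbitrary one-week windows either side of the takedown (assumed, not the post's).
BEFORE = (date(2012, 7, 10), date(2012, 7, 16))
AFTER = (date(2012, 7, 24), date(2012, 7, 30))


def in_window(day, window):
    start, end = window
    return start <= day <= end


def volume_by_botnet(rows, window):
    """Total messages per botnet inside the window."""
    totals = defaultdict(int)
    for day, botnet, _asn, count in rows:
        if in_window(day, window):
            totals[botnet] += count
    return dict(totals)


def top_asns(rows, botnet, window, n=10):
    """The 'top 10 ASNs' view: ASNs emitting the most spam for one botnet."""
    per_asn = defaultdict(int)
    for day, name, asn, count in rows:
        if name == botnet and in_window(day, window):
            per_asn[asn] += count
    # Sort by volume descending, ASN ascending for a stable order on ties.
    return sorted(per_asn.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def compare_periods(rows, before, after):
    """{botnet: (volume_before, volume_after)} across both windows."""
    b = volume_by_botnet(rows, before)
    a = volume_by_botnet(rows, after)
    return {name: (b.get(name, 0), a.get(name, 0)) for name in set(b) | set(a)}


def takedown_effect(rows, before, after, target):
    """Did the target's drop reduce total spam, or did other botnets absorb it?"""
    cmp = compare_periods(rows, before, after)
    target_before, target_after = cmp[target]
    target_drop = target_before - target_after
    others_gain = sum(a - b for name, (b, a) in cmp.items()
                      if name != target and a > b)
    return {
        "target_drop": target_drop,
        "others_gain": others_gain,
        "total_before": sum(b for b, _ in cmp.values()),
        "total_after": sum(a for _, a in cmp.values()),
        # True when the growth elsewhere is at least as large as the drop.
        "slack_taken_up": others_gain >= target_drop,
    }


if __name__ == "__main__":
    for window, label in ((BEFORE, "before"), (AFTER, "after")):
        print(label, "grum top ASNs:", top_asns(SAMPLE, "grum", window))
    print(takedown_effect(SAMPLE, BEFORE, AFTER, "grum"))
```

On the constructed data Grum falls from 1.6 million to 40 thousand messages while total volume across all botnets still rises, which is the shape of the graphs above: a successful takedown of one botnet that leaves the aggregate spam curve untouched.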

So, congratulations, FireEye, for another good botnet takedown, like your takedown of Ozdok (aka MegaD) on 5-6 November 2009!

Unfortunately, and this is not meant to take away from the very real accomplishment of FireEye and its collaborators, botnet takedowns don't solve the spam problem, because some other botnet just takes up the slack. More fundamentally, they don't fix the underlying vulnerabilities that botnets, other malware, and miscreants exploit: the same compromised hosts remain available to the next botnet. Other methods are also needed.

-jsq