Last Thursday I wrote about how the world’s third largest botnet, Grum, had been taken down. But of course that isn’t the end of the tale – some botnets just don’t seem to know when they are dead!
FireEye are now reporting that Grum came back to life for a short while on Monday, which may or may not explain the amount of spam I received over the last 24 hours. FireEye’s blog post explains:
“Over the weekend we found that the Ukrainian ISP SteepHost removed the null route on three CnCs that were taken down last week.”
FireEye, who were of course partially responsible for getting the botnet taken down in the first place, then jumped in to save the day once again:
“We immediately noticed this change and contacted SteepHost once again. After hours of negotiations, they eventually shut down these CnCs once more. During this time there was a short burst of spam sent by Grum, but it has disappeared as of this morning.”
Whether this latest takedown is effective remains to be seen, as it relies upon the co-operation of ISPs, some of whom appear to be far more concerned than others about alleged botnet activity that gets flagged up to them. In the case of SteepHost, a complaint has been filed with their upstream provider, and FireEye’s Atif Mushtaq even raised the notion of de-peering, which is a pretty extreme measure aimed at the worst offenders amongst hosting providers.
I wonder if this will now be the last we hear of the Grum botnet sending out spam?