Another takedown, this time of GRUM, the world's third-largest botnet (after Cutwail and Lethic), responsible for roughly 18 percent of global spam, or about 18 billion spam messages a day, was reported on Wednesday, 18 July 2012, according to the NY Times. The C&C servers, pointing to the IP addresses 18.104.22.168 and 22.214.171.124, were identified by FireEye researchers with the help of Dutch authorities; these are Russian and Panamanian IP addresses, respectively. According to a FireEye security researcher, the GRUM botnet has been around since 2008. When the two servers were taken down by the Dutch authorities, the bot herders quickly moved their C&C servers to Ukraine, and the Panama servers were removed immediately by the bot herders. Even though GRUM has been successfully taken down, the world is not yet free from spam; worse, when one botnet dies, three more spring up. In the end, "we need to catch those coders and put them behind bars", as Jose Nazario, a senior security researcher at Arbor Networks, was quoted as saying.
First it was Waledac (code name "Operation b49"), then Rustock (code name "Operation b107"); now the Kelihos botnet is the latest takedown by Microsoft. Kelihos, code name "Operation b79", was taken down using the same techniques as in the previous cases (Waledac and Rustock). Microsoft's approach is unique: knowing that the bot creator was using spam to sell counterfeit drugs and infecting users' computers with bot software to send more spam to more users, Microsoft filed for an ex parte temporary restraining order (TRO) in the U.S. District Court for the Eastern District of Virginia against Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22. With this TRO, Microsoft and its partners shut down the servers used for command and control (C&C); these servers were hosted under subdomains (not registered under their owners' real names). Even though only 41,000 computers were infected with Kelihos, they were capable of sending 3.8 billion spam emails per day. Videos are available that explain how a botnet works and the approach Microsoft takes in attacking these botnets. A more detailed explanation and tools to tackle botnets can be obtained here. Microsoft is not alone in taking down botnets: other takedowns using different approaches, against Mariposa (11 million computers infected) and Pushdo/Cutwail, are also available for further reading. The U.S. Federal Government has issued a public notice requesting comments on the detection, notification, prevention, and mitigation of botnets' illicit use of computer equipment. So, as more takedowns progress, keep your computer safe from these botnets by updating your Windows OS with the latest patches and your anti-virus software with the latest updates.