
The Grum Botnet

Overview

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2007.

At the time of its shutdown in July 2012, Grum was reportedly the world's 3rd largest botnet, responsible for 18% of worldwide spam traffic. Grum relies on two types of control servers for its operation. One type is used to push configuration updates to the infected computers, and the other is used to tell the botnet what spam emails to send.

Impact

In July 2010, the Grum botnet consisted of an estimated 560,000–840,000 computers infected with the Grum rootkit. The botnet alone delivered about 39.9 billion spam messages in March 2010, equating to approximately 26% of the total global spam volume, temporarily making it the world's then-largest botnet.

As of late 2010, the botnet seemed to be growing, as its output increased roughly by 51% in comparison to its output in 2009 and early 2010. It used a panel written in PHP to control the botnet.

Vectors of infection

Internet users began receiving emails from admin@microsoft.com with the subject line “Internet Explorer 7 Downloads.” A click later and they were at a bright splash page purporting to offer a fresh download of the latest Microsoft web browser, Internet Explorer 7.

The download was a dud. Clicking on the link brought nothing but a small file called ie7.0.exe. Running it revealed nothing – just a little gibbering in the hard drive and then silence. Users could click all they wanted – IE 7.0 wouldn’t appear.

To many, this was just another bum link on the Internet. But inside their computers, something was happening. The skittering meant something had been installed on the hard drive, within a temporary Windows directory.

The file was winlogin.exe, an innocuous enough name that might have been familiar to slightly savvy PC users. In less than a second, however, the program burrowed its way into the computer’s registry – a database of information about the machine – and added itself to the list of programs run when the computer begins to boot.

Eventually, the program was identified as Grum-A, also known as Tedroo and Reddyb.
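The persistence step described above (a dropped executable in a temporary directory, named to resemble winlogon.exe, registered among the programs run at boot) is exactly what a routine autorun audit should catch. The following added example, not part of the original article, parses a constructed `reg export` of the HKCU Run key and flags entries that run from a temp directory or whose filename imitates a core Windows binary while living outside the Windows directory; the sample entries and the list of imitated binaries are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Core Windows binaries that droppers commonly imitate (e.g. winlogin.exe vs winlogon.exe).
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

# Constructed sample of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
# The entries are invented for illustration, not real Grum indicators.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"winlogin"="C:\\Users\\alice\\AppData\\Local\\Temp\\winlogin.exe"
"Updater"="C:\\Windows\\Temp\\ie7.0.exe"
'''

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

def parse_run_entries(reg_text):
    """Return {value name: command line} from a .reg export, undoing its escaping."""
    entries = {}
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
    return entries

def executable_path(command):
    """Extract the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_run_entries(entries):
    """Return (name, path, reason) for every autorun entry that matches a dropper pattern."""
    findings = []
    for name, command in entries.items():
        path = executable_path(command)
        parts = PureWindowsPath(path.lower()).parts
        if "temp" in parts or "tmp" in parts:
            findings.append((name, path, "executable runs from a temporary directory"))
        if not path.lower().startswith(SYSTEM_DIRS):
            for legit in SYSTEM_BINARIES:
                if edit_distance(parts[-1], legit) <= 1:
                    findings.append((name, path, f"name imitates {legit} outside the Windows directory"))
    return findings

if __name__ == "__main__":
    for finding in audit_run_entries(parse_run_entries(SAMPLE_REG_EXPORT)):
        print(*finding, sep=" | ")
```

On a live host the same functions can be fed the output of `reg export` for the HKLM and HKCU Run and RunOnce keys.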

Takedown

In July 2012, malware intelligence company FireEye published an analysis of the botnet's command and control servers located in the Netherlands, Panama, and Russia. One week after the initial analysis, FireEye researchers reported that the Dutch colocation provider/ISP had seized two secondary servers responsible for sending spam instructions once their existence was made public. Within one day, the Panamanian ISP hosting one of Grum's primary servers followed suit and shut down their server.

With the shutdown of the Panamanian server, a complete segment was dead forever. This good news was soon followed by some bad news. After seeing that the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the C&C servers to new secondary servers in Ukraine.

FireEye connected with Spamhaus, CERT-GIB, and an anonymous researcher to shut down the remaining six C&C servers and the Russian one, officially knocking down the botnet as of July 19, 2012. According to data from Spamhaus, they used to see on average around 120,000 Grum IP addresses sending spam each day, but after the takedown this number dropped to 21,505.

Regarding the security of your computer please consider the following basic rules:

  1. Check your computer for infection.
  2. Install current Service Packs and Security Updates for your system. Activate automatic updates.
  3. Check regularly that your internet browser and its embedded plugins (e.g. Java, Flash, Shockwave, QuickTime) are up to date.
  4. Install a virus scanner and update it regularly.
  5. Use a Firewall e.g. Windows built-in Firewall or a Router.

Copyright © 2014-2015 CERT-RO. All rights reserved.