
Inside the Grum Botnet

Soulskill posted about a year and a half ago | from the creamy-nougat-filling dept.


tsu doh nimh writes "An examination of a control server seized in the recent takedown of the Grum spam botnet shows the crime machine was far bigger than most experts had assumed. A PHP panel used to control the botnet shows it had just shy of 200,000 systems sending spam when it was dismantled in mid-July. Researchers also found dozens of huge email lists, totaling more than 2.3 billion addresses, as well as evidence it was used for phishing and malware attacks in addition to mailing pharmacy spam. Just prior to its takedown, Grum was responsible for sending about one in six spams worldwide."


34 comments

And suddenly (2)

ackthpt (218170) | about a year and a half ago | (#41074423)

200,000 voices were silenced.

Not particularly good voices, with anything worthwhile to say.

Re:And suddenly (3, Insightful)

PPH (736903) | about a year and a half ago | (#41074523)

Actually, 200,000 voices with only one mind.

Sort of like a political action committee.

Re:And suddenly (1)

Krojack (575051) | about a year and a half ago | (#41074611)

Or the Borg?

Someone had to toss that in there...

Spams still coming (2)

Taco Cowboy (5327) | about a year and a half ago | (#41076085)

Even with the Grum Botnet taken offline, my email address is still getting all kinds of spam and scam, every single day.

Like others, I set up spam filters to save the clutter, but I do not know how many genuinely worthy messages my spam filter has mistakenly deleted.

Those goddamn spammers have ruined it

Re:Spams still coming (0)

Anonymous Coward | about a year and a half ago | (#41079257)

Those goddamn spammers have ruined it

No, you allowed it to be ruined through laziness.

Create an e-mail alias for each contact.

Delete it if you receive any spam.

Problem solved.

Re:And suddenly (0)

Anonymous Coward | about a year and a half ago | (#41074717)

Wait, which OS did this malware run on?

Re:And suddenly (1)

Em Adespoton (792954) | about a year and a half ago | (#41075341)

Don't worry... the voices weren't silenced; they just were required to switch to another communications mechanism. Grum's gone, but the people using it are still around, and sending their spam via other means. You will still get your links to HGH pills, botnet infectors and fake AV software.

Re:And suddenly (-1)

Anonymous Coward | about a year and a half ago | (#41075407)

You mean 4chan is down?

Re:And suddenly (3, Insightful)

hairyfeet (841228) | about a year and a half ago | (#41076611)

The sad part? As someone who actually has to clean these machines, it doesn't matter about UAC, or low rights mode, or any possible security you put in the OS, because in the end it becomes another case of the dancing bunnies [codinghorror.com], and there is no tech cure for that short of sticking them in a walled garden a la Apple where they can't do a damned thing without the corporation's approval.

I've seen it a million times, all the malware writer has to do is offer them the right carrot, be it some celeb nekkid, some free porn, screensavers, hell I've seen people infect their machines for a chance to win an iPad. Offer them a cookie and all the security levels and permissions and AV software is worth jack and squat because they will disable it with a smile on their face.

In the end all you can do is educate those that will listen and be ready to clean up the mess like with TFA for those that don't.

Yay CAN SPAM! (0)

Anonymous Coward | about a year and a half ago | (#41074445)

More evidence that the law is working.

Re:Yay CAN SPAM! (2)

ackthpt (218170) | about a year and a half ago | (#41074801)

More evidence that the law is working.

Law? Try people actually working on it.

You can have all the laws you want, but until people set themselves to backtracking this junk, finding the servers and maybe even catching those behind them, the laws mean exactly nothing.

It is nice to see them working on it, but I think more work could be done a little faster.

Law enforcement jumped the gun here (5, Funny)

Anonymous Coward | about a year and a half ago | (#41074489)

One man's botnet is another man's beowulf cluster

Many people looked forward to these daily emails offering vital medications, herbal alternatives for male enhancement, and mortgage refinancing opportunities

Grum, you will be missed!

Re:Law enforcement jumped the gun here (0)

Anonymous Coward | about a year and a half ago | (#41078069)

Imb*cile.

Why am I still getting so much spam then? (1)

Anonymous Coward | about a year and a half ago | (#41074561)

Yet it seems like I am getting more and more spam every day. You would think shutting down a server responsible for about 16% of spam, I would see some drop.

Re:Why am I still getting so much spam then? (0)

Anonymous Coward | about a year and a half ago | (#41079529)

Not all the points in the sample are equal to the average.

Notify ISP's to Notify Infected Customers? (1)

Krojack (575051) | about a year and a half ago | (#41074691)

Why can't they get the IPs of most of the infected computers, send those IPs with time stamps to ISPs, and require those ISPs to send letters to the infected customers letting them know that they are helping to send billions of spam emails and to get their computer cleaned? Maybe it will scare some people who feel they aren't vulnerable into realizing they are.

I donno, it's a thought. I'm sure something could be improved upon that.

Re:Notify ISP's to Notify Infected Customers? (3, Insightful)

Zocalo (252965) | about a year and a half ago | (#41074981)

Based on the experiences of the DNS Changer Working Group trying to get ISPs to notify their infected users of the imminent demise of the substitute DNS Changer DNS servers, I'd say it is unlikely to work. The sad fact is that many ISPs (and there would be a *lot* of ISPs with hosts on a typical botnet) simply don't give a crap at the best of times, let alone when suggesting they take a course of action that would entail costs - postage of letters, support calls, setting up a sandbox for infected users, etc.

Money (2)

John Bokma (834313) | about a year and a half ago | (#41075233)

For the same reason a lot of ISPs do nothing about spam. It's paying customers versus angry nerds...

Re:Notify ISP's to Notify Infected Customers? (1)

TheGoodNamesWereGone (1844118) | about a year and a half ago | (#41080177)

It's a nice idea and a nice fantasy, but the sad fact is even if the ISPs sent someone out to clean off those zombie boxen free of charge they'd be infected worse than a transvestite hooker on Bourbon St again in no time flat. PEBKAC.

200,000 X 6 = 1,200,000 (1)

John Hasler (414242) | about a year and a half ago | (#41074763)

This implies that there are about 1.2 million bots worldwide. Seems low.

Re:200,000 X 6 = 1,200,000 (2)

ackthpt (218170) | about a year and a half ago | (#41074811)

This implies that there are about 1.2 million bots worldwide. Seems low.

True.

Perhaps the others are all at work managing sock-puppets on facebook.

Re:200,000 X 6 = 1,200,000 (1)

Anonymous Coward | about a year and a half ago | (#41075127)

This implies that there are about 1.2 million bots worldwide. Seems low.

True.

Perhaps the others are all at work managing sock-puppets on Slashdot.

There. FTFY. Courtesy of your friendly neighborhood sock puppet. :)

Re:200,000 X 6 = 1,200,000 (1)

KhabaLox (1906148) | about a year and a half ago | (#41074953)

That assumes other botnets send the same number of spam emails per bot as Grum. Given it is the largest, and probably has the largest address list, it probably sends more spam per bot than other botnets. TFA says it had the capability of sending 18b spam messages per day, which is about 90k messages per bot. Other botnets might be only sending 50k or 10k per bot per day.

Re:200,000 X 6 = 1,200,000 (0)

Anonymous Coward | about a year and a half ago | (#41075015)

"one in six spams worldwide" is not necessarily the same as one in six bots.

Re:200,000 X 6 = 1,200,000 (2)

Ziggitz (2637281) | about a year and a half ago | (#41075421)

Sounds about right. I imagine many, many times that number get infected every year though. To remain infected and a functioning part of the botnet you need it to stay on the internet, not have its antivirus updated, not have security updates for the OS, not fall into disuse, not be taken in for service, and still work without the owner's knowledge that it is infected.

What kind of person would allow those conditions to occur? Grandma probably does, somebody probably set up the computer for her, she doesn't know how fast it should be, doesn't update the OS or antivirus, probably doesn't know how to and since it will still connect to facebook and let her play bejeweled, she doesn't do anything about it.

So take the number of primary personal computing devices in the first world, take only the very tech-incompetent but frequent users, from those take the ones with out-of-date operating systems, then keep only the ones that stay connected to the internet all the time, and then only the ones that will not take those computers to be fixed. The low-hanging fruit disappear very quickly. While there are way, way more than 1.2 million people who will get a device infected each year, chances are they don't leave them infected for very long, so the retention rate for the botnet is probably only around 1% per year, if not less.

Re:200,000 X 6 = 1,200,000 (1)

tqk (413719) | about a year and a half ago | (#41084631)

What kind of person would allow those conditions to occur?

You're ignoring all the Chinese, Indians, Pakistanis, Indonesians, ... all running pirated versions of Windows, possibly with the malware pre-installed with the pirated OS. Add poorly secured, or ancient and not updated, Linux and *BSD installs. These needn't even be home users. Whole companies in these countries have been known to rely on pirated OSs.

Re:200,000 X 6 = 1,200,000 (1)

CSMoran (1577071) | about a year and a half ago | (#41079547)

This implies that there are about 1.2 million bots worldwide. Seems low.

Grum was responsible for 1/6 of spam volume, not 1/6 of world botnet size.

Yes (0)

kamapuaa (555446) | about a year and a half ago | (#41075509)

Drawings of Natalie Portman, naked and petrified? Sign me up, as it is now I have to browse Deviantart profiles and it takes forever.

Microsoft Spambot (tm) (0)

Anonymous Coward | about a year and a half ago | (#41077059)

I wonder if the Grum spamhouse developers are paying Microsoft for the use of their intellectual property.
