[PHOTO - Security researchers estimate that 50% of worldwide spam has been killed off by the Grum strike]

NEW YORK, JULY 21, 2012 (@CNN MONEY TECH) By Stacy Cowley - Good news for your email inbox: You'll be seeing less spam in it now, thanks to a global takedown effort that knocked one of the world's biggest spammers offline this week.

"About 50% of the worldwide spam is gone," says FireEye senior scientist Atif Mushtaq, who participated in the demolition.

The dramatic decrease is the result of a coordinated attack by security firms and Internet service providers around the globe that took down a network of infected computers known as "the Grum botnet." Grum, one of the world's most prolific spammers, generated around 18 billion emails a day, by FireEye's estimates.

A botnet is a collective of computers infected with malware -- typically without the computer owner's knowledge -- and taken over by an outside attacker. Criminals who gain control of botnets use them for malicious activities like pumping out massive volumes of spam or launching denial-of-service attacks on targeted websites. The bigger the botnet, the more firepower the cybercrimal has at their fingertips.


Grum was an especially vast and nasty spammer. First detected in early 2008, its malware infected several hundred thousand computers around the world and churned out huge amounts of pharmaceutical spam advertising cheap drugs.

At its peak, Grum was the world's most prolific spam machine, though researchers recently dropped it to the number three spot on their ever-changing list of the world's largest botnets.

The tale of its demise reads like a high-tech thriller.

The brain of a botnet is what's known as a "command and control" server. Grum had several of those servers scattered around the globe in countries including Russia, Panama, and the Netherlands. But it also had a fatal weakness: The network had no recovery mechanism if all of its command servers were simultaneously knocked offline.

A Dutch Internet service provider yanked the plug Tuesday on two of Grum's primary command servers. A Panamanian server went down next, leaving just one main server -- in Russia -- coordinating the entire Grum swarm.

But when the botnet's operators realized their network was under attack, they launched their evasive actions, shifting their traffic to a fresh set of backup servers in Ukraine.

"Right in front of my eyes, the bot herders started pointing their botnet to new destinations," Mushtaq wrote in a blog post about the takedown. "For a moment, I was stunned."


Mushtaq alerted collaborators around the global, including a cybersecurity team in Russia that quickly went after the new servers' Internet providers. Within a few hours, they persuaded key providers to cut the connection. By 2 p.m. ET on Wednesday, the entire system was dead.

"We are confident that it can't recover," Mushtaq told CNNMoney on Thursday morning. "I've been monitoring Grum for four years. Right from the start we knew that it doesn't have any fallback mechanism."

Grum was responsible for 35% of the Internet's spam volume last week, according to monitoring statistics from security firm Trustwave.

Tracking botnet spam is tricky, and other firms have different estimates. Spam tracker Spamhaus estimates that 15% to 17% of the world's spam was coming from Grum as of early this week.

Its demise is having ripple effects. The spam volume from another major botnet, Lethic, plunged overnight, Mushtaq said. He thinks the operators of that botnet have "gone underground."

Cumulatively, killing Grum and wounding Lethic has instantly cut the worldwide spam volume in half, FireEye estimates.

Grum recently averaged 120,000 infected computers a day generating spam, but immediately after the takedown, that number dropped to 21,505, Spamhaus reported.

On Thursday, Spamhaus's latest data showed zero infected machines sending messages.

Spam had already declined dramatically in recent years thanks to coordinated global efforts. Mushtaq thinks the goal of a junk-free inbox is in reach.

"One last final blow and I think we can make a rapid and permanent decline in worldwide spam," he said. First Published: July 19, 2012: 1:09 PM ET


The Grum botnet, also known by its alias Tedroo, was a botnet mostly involved in sending pharmaceutical spam e-mails.

Once the world's largest botnet, Grum can be traced back to as early as 2008. Grum was reportedly responsible for 18% of worldwide spam traffic when it was shut down on July 19, 2012.

Grum relies on two types of control servers for its operation. One type is used to push configuration updates to the infected computers, and the other is used to tell the botnet what spam emails to send.

In July 2010, the Grum botnet consisted of an estimated 560,000-840,000 computers infected with the Grum rootkit.

The botnet alone delivered about 39.9 billion spam messages in March 2010, equating to approximately 26% of the total global spam volume, temporarily making it the world's then-largest botnet.

As of late 2010, the botnet seemed to be growing, as its output increased roughly by 51% in comparison to its output in 2009 and early 2010.

Botnet Takedown

In July 2012, malware intelligence company FireEye published an analysis of the botnet's command and control servers located in the Netherlands, Panama, and Russia.

One week following their initial analysis, FireEye researchers reported that the Dutch Colo/ISP soon after seized two secondary servers responsible for sending spam instructions after their existence was made public.

Within one day, the Panamanian ISP hosting one of Grum's primary servers followed suit and shut down the server. The cybercriminals behind Grum quickly responded by sending instructions through six newly established servers in the Ukraine.

FireEye connected with Spamhaus, CERT-GIB, and an anonymous researcher to shut down the remaining six C&C servers, officially knocking down the botnet as of July 18, 2012.

Chief News Editor: Sol Jose Vanzi

All rights reserved