
Dutch Police Takedown C&Cs Used By Grum Botnet 45

Posted by timothy
from the why-so-grum? dept.
wiredmikey writes "Dutch authorities have pulled the plug on two secondary servers used by the Grum botnet, a large botnet said to produce about 17% of the world's spam. According to researchers from FireEye, the backup C&C servers were located in the Netherlands, and once word of their existence was released, Dutch authorities quickly seized them. While any C&C server takedown is a win, the impact may be minimal, as the two primary servers are fully active, and the datacenters hosting them are unresponsive to fully documented abuse reports. That being said, FireEye's Atif Mushtaq noted that the botnet does has some weak spots, including the fact that Grum has no failback mechanism, has just a few IPs hardcoded into the binaries, and the botnet is divided into small segments, so even if some C&Cs are not taken down, part of botnet can still remain offline. The removal of the C&C servers shines light on how quickly some law enforcement agencies work, given that proof of their existence is just over a week old."
  • I had to look up "C&C" (for those who don't know, it stands for "Command and Control"). It's easy for me to blame the editors, submitter, etc, for necessitating this, but then again, it took just seconds to look it up. Still, it's a nuisance, and honestly in the end I think it's an art on the part of the editors/submitter to know whether or not explaining them is necessary. So, for what it's worth, as far as I'm concerned: FAILURE!
    • I thought C&C was the game Command And Conquer. Lots of fun with that one.

    • Had the title not included the word "botnet", I would agree.
    • by Anonymous Coward

      And I thought they were talking about C & C Music Factory.

    • by mcgrew (92797) *

      I had to look up "C&C"

      You must be new here.

      for those who don't know

      I think you'll find that few don't. Now, if you're talking about a cop here, don't say LEO because to us nerds, that's Low Earth Orbit. As someone else pointed out, the "botnet" part gives it away. Would we have to spell out IBM, RAM, or DoS? This is a specialized site. We're nerds. We don't need to spell out C&C for a botnet any more than a law enforcement publication would feel the need to explain what an LEO is, even though it wo

  • by swb (14022) on Tuesday July 17, 2012 @12:00PM (#40674643)

    I'm surprised there's not more voluntary cooperation among ISPs to blackhole unresponsive datacenters hosting botnet command infrastructure.

    Is the money for hosting that kind of stuff that good, or is it one of those semi-political things where those data centers are in a country like Russia where the difference between organized crime and the government depends on what time of day it is?

    • by jpapon (1877296)
      It could also be that this is a net neutrality / common carrier type issue, or a contractual issue. Or they could just not give a damn, since they're making money. Spam doesn't really hurt them.
    • by Zocalo (252965)
      Exactly. Why not name and shame in circumstances like this? It's not like it's going to do any harm, unless there's going to be law enforcement involvement in their near future. The big carriers might not take any action, but if enough smaller operators blackhole the provider in question then the impact on their operations, legit or otherwise, might be enough to encourage reconsideration.

      Then again, it might not actually have much of an effect at all. I recall a similar "name and shame" exercise after a U
  • by wbr1 (2538558) on Tuesday July 17, 2012 @12:09PM (#40674737)
    The submitter's grammar 'does has' some weak spots.
    • by mcgrew (92797) *

      I can has chezeburger?

      Don't blame the submitter too much. He might not be a native speaker (I'm sure I sound like an idiot when speaking Thai or Spanish). All your base are belong to us.

      Blame the editor. Editors are supposed to be good at grammar, and I've had /. submissions completely rewritten on acceptance.

  • I see a plan: (Score:4, Interesting)

    by SuricouRaven (1897204) on Tuesday July 17, 2012 @12:23PM (#40674887)
    1. Announce the C&C server IPs to the world.
    2. Watch Anonymous DDoS them so hard the host will have no choice but to kick them to protect the rest of their datacenter.

    And the best part is that the operators of the servers have no legal recourse at all, because that would mean revealing their identities.
  • How do they respond to cruise missiles? Or a squad of SEALs with satchel charges? Or even just blackholing of all their IPs?

    • How do they respond to cruise missiles?

      Send some stealth tanks to find the source of the missiles, follow up with APCs and Tick Tanks.

      Or a squad of SEALs with satchel charges?

      Flame tanks.

      Or even just blackholing of all their IPs?

      Chemical missile.

    • How about sending a white bunny?
  • Now where am I going to get my hyperdestructive upgradeable weaponry!? There are no Gadgetron offices in this galaxy and I really don't want to be stuck using MegaCorp's crap for self defense and taking down supervillains. Their household products are more dangerous than their pathetic weaponry! What am I supposed to protect myself with, a used B20 Crotchitizer?

  • by SgtAaron (181674) <aaron@coinet.com> on Tuesday July 17, 2012 @05:22PM (#40678661)

    From the article:

    "In my opinion, taking down the top three spam botnets—Lethic, Cutwail, and Grum—is enough for a rapid and permanent decline in worldwide spam level," he said. "We still have to deal with small players, but I am sure that, after seeing the big players being knocked down, they will retreat as well."

    Very optimistic! There are too many colo/virtual host sites out there that simply don't give a rat's ass that large swaths of their bandwidth and IP space are being used by spammers. They're everywhere! And I've given up telling them. Even "legit" ISPs like Integra have routinely ignored my notices in the past, so I've simply given up; I haven't the time or inclination to help any more. They're using spammers to help pad their bottom line.

    Reduced, sure, but go away? And another big botnet will appear again in the future, I have no doubt at all.
