The takedown of the Grum botnet this week will only provide a short-lived reprieve from spam, experts said. But despite anticipating only a minimal impact from the action, they lauded the coordination it took to take out the aging botnet.
The Grum botnet was the third largest botnet in the world at the time of its takedown, which was completed July 18. It took several days to shut down command-and-control centers (C&Cs) in the Netherlands, Panama, Russia and Ukraine.
"I think it's good to do these [takedowns], but often it's a case of whack-a-mole," said Graham Cluley, senior technology consultant at U.K.-based security vendor Sophos.
The cybercriminals are likely already re-gathering, Cluley said. Gunter Ollmann, vice president of research at Atlanta-based Damballa Inc., agreed, saying that while the servers have been decommissioned, the actual operators have not. The cybercriminals are not facing prosecution and will be able to develop a new botnet in a short amount of time, Ollmann said.
"They'll come up with another way to do it again," said Lamar Bailey, director of security research and development at San Francisco-based vulnerability management vendor nCircle.
In the short term, however, Bailey said email users should see a decline in the pharmaceutical spam that Grum specialized in.
Experts draw their caution from previous experience. In the past few years, several botnets have been taken down, including Rustock, Kelihos and Waledac, all targeted by Microsoft. While experts lauded those operations, they did not put an end to botnets and had only a minimal, short-term impact on spam levels.
The Grum takedown differed from previous operations because it represented a new strategy that was executed well, Cluley said. The effort required cooperation between several countries and security firms. U.S.-based security firm FireEye worked with Russian computer security incident response team CERT-GIB, international spam researcher Spamhaus and an anonymous researcher, sharing information and reaching out to contacts in the countries where the command-and-control servers were located.
Grum was not eliminated all at once. According to FireEye, Dutch authorities disabled two C&C servers in early July. The Panama server was taken out on July 17. Once the three were offline, the cybercriminals behind Grum tried to regroup, opening six new servers in Ukraine. These servers, along with one in Russia, were taken down on July 18, leading FireEye to declare them dead.
"The collaboration between the different countries was an amazing feat," Bailey said, emphasizing that collaboration is especially difficult when countries like Russia and Ukraine, notorious safe havens for cybercriminals, are involved.
Ollmann also spoke about the logistical difficulties of the Grum takedown. He said the locations of some of the Grum C&Cs had allowed the botnet to survive, but also pointed out that the botnet was shut down through friends and personal connections rather than by law enforcement, citing that as an area where takedowns need to improve.
Ollmann also said Grum had been in a steady decline for the last year and a half. In existence since early 2008, Grum was an old botnet running old malware and was not well maintained, according to Ollmann. According to M86 Security, however, despite its age and decline, Grum was still responsible for 17.4% of the world's spam.
What the experts do agree on is that while taking down botnets is a good exercise, the ability to do so successfully does not signal the end of spam.
"We will have periods where spam gets lighter," Bailey said. "But cybercriminals will find a way around it."