Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   
Spam botnets: The fall of Grum and the rise of Festi

2012-08-16 09:31:32 GMT, by Thomas Morrison
Recent News Articles

Stop spammers from exploiting your webserver!

Second arrest in response to DDoS attack on Spamhaus

New IPv6 CIDR searching tools released: grepcidrs

Changes in Spamhaus DBL DNSBL return codes

Summer Break arrives early for Malware & Botnet Gang

Spamhaus launches CERT Insight Portal

The Spamhaus Policy Block List now covers One Billion IP addresses

Resilans Incident Report


Older News Articles:
Spamhaus News INDEX

In July 2012, FireEye in cooperation with other security organisations, such as Spamhaus, took down the Grum botnet. At that time Grum was the third largest spam-sending botnet. The event gained considerable media attention.

Spamhaus worked on the takedown of the botnet by contacting the responsible ISPs that were hosting the botnet controllers. These controllers (also known as command & control servers or C&C's) were being used by the botnet herder to control the botnet and coordinate the spam campaigns. After the command and control infrastructure of the Grum botnet had been shut down, the cybercriminals tried to re-establish their spam operation by setting up new botnet controllers. Fortunately, FireEye informed Spamhaus without any delay so that we could help shut down the new controllers quickly as well.

Since the takedowns, Spamhaus has continued to monitor the Grum botnet, which at present consists of only 150 to 500 active (spam sending) IP addresses per day. As they have no controllers, they are just operating in a true "zombie" manner. Hence, one month later we can consider the Grum botnet dead.

A few weeks before the Grum botnet was taken down, we observed a huge increase in spam activities from another spam botnet, called Festi or Spamnost by some Antivirus vendors. In June 2012, the number of active (spamming) IP addresses detected as Festi by the Spamhaus XBL was quite small compared to Grum. However, the threat landscape change rapidly by the end of June, when Festi began to show its real face. The chart below shows what had happened:

Festi vs Grum as seen by Spamhaus XBL

Since the beginning of July, the Spamhaus XBL has seen a huge increase in Festi spamming activities. At the peak, during one 24-hour period the XBL detected nearly 300,000 IP addresses that were infected with Festi, out of a total of 1-million that were infected with some sort of spam-sending bot. We noticed that the sheer volume of Festi spam even overwhelmed spam detection processe at some security organizations.

Since Festi started to send greater volumes of spam, it and Cutwail have been fighting for the #1 rank in the tally of the world's biggest spam botnets. The chart below compares Festi's spam activities to those of Cutwail:

Festi vs Cutwail as seen by Spamhaus XBL

The chart shows that Grum is quite dead, but Festi has already replaced the "missing" Grum spam.

As Spamhaus' mission is to protect internet users from spam email, we will continue to monitor spam sending botnets worldwide and will provide reliable protection against this threat with Spamhaus data. In addition, Spamhaus' BGP feed (BGPf) provides protection against many kinds of botnet controllers, including those used to send spam.


References:


Additional reading:



Spamhaus Information

Press Office
Spamhaus News Index
Spamhaus in the media
About Spamhaus
Spamhaus Official Statements
Article Information

Permanent link to this news article:
Spam botnets: The fall of Grum and the rise of Festi
http://www.spamhaus.org/news/article/685/spam-botnets-the-fall-of-grum-and-the-rise-of-festi

Subscribe to RSS News Feed
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2014 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy