Spamhaus: Grum Dead, Festi Alive and Well

homerIn July, the Grum botnet was shuttered thanks to the hard work of security firm FireEye, along with help from other organizations. The story garnered a lot of attention, and even a little confusion over exactly how big Grum was. Most agreed that Grum was responsible for a third of the world’s email spam and that the number was around 17 percent, and the world’s inboxes had a little bit of reprieve for a time.

Spamhaus participated in Grum’s demise by contacting the ISPs that were hosting Grum’s command and control servers. As the C&C servers came down, Grum’s operators attempted to re-establish new ones, but FireEye and Spamhaus were able to take these down too, and Grum was all but expired. This from Spamhaus: “Since the takedowns Spamhaus has continued to monitor the Grum botnet, which at present consists of only 150 to 500 active (spam sending) IP addresses per day. Hence, one month later we can consider the Grum botnet dead.”

Maybe even more notable than the timely death of Grum, Atif Mushtaq, a senior scientist at FireEye made some bold statements about the future of spam, stating that taking down a few more botnets would be “enough for a rapid and permanent decline in worldwide spam level[s].” Nobody can blame Mr. Mushtaq for his enthusiasm and optimism, especially after he just ended a spate of emails pushing fake Viagra; but his statements were also the stuff that eyebrow raising is made of.

A month later, it seems that his optimism was a tad premature, because Spamhaus has reported that while Grum is dead for good, another misbehaved little child has taken its place in the sandbox. A few weeks before the action on Grum, Spamhaus noticed “a huge increase in spam activities from another spam botnet, called Festi or Spamnost by some Antivirus vendors.” In June, the number of spamming IP addresses identified as Festi was still relatively small, compared to Grum. But that changed quickly, and by the end of June Spamhaus saw a dramatic increase in this new botnet’s activity.

“Since July,” Spamhaus reports, “the Spamhaus XBL has seen a huge increase in Festi spamming activities. At the peak, during one 24-hour period the XBL detected nearly 300,000 IP addresses that were infected with Festi, out of a total of 1 million that were infected with some sort of spam-sending bot. The sheer volume of Festi spam overwhelmed spam detection [processes] at some security organizations.” (See the chart above)

In fact, Festi is now competing with Cutwail, the world’s number one spamming botnet, for supremacy. The numbers recorded by Spamhaus suggest that, as of August 13, Festi has overtaken Cutwail slightly, with both botnets controlling more than a quarter of a million active spamming IP addresses.

Takeaways

Hoo-ray. Often, a coup d’état is nothing more than an attempt at taking down a dictator so another can take his place, and the rise of this new botnet seems to illustrate this adage. The hard work of FireEye, Spamhaus and others are laudable and they should be recognized for their tireless efforts. But if we’ve learned anything about cybercrooks, it is that they are tenacious, they don’t like being poked with a sharp stick, and they adapt far quicker than the good guys.

The dream of a spam-free world is a noble one, and Mr. Atif Mushtaq of FireEye should be applauded for daring to dream. But spam isn’t going anywhere. In fact, it’s spreading, to webmail, social media, mobile phones and tablets, and anywhere else that cybercriminals see an opportunity to make a buck. It’s even found its way to our landlines. Hell, one cannot blink today without facing the threat of financial ruination, data compromise, and all-out embarrassment.

No, spam’s not going away. It’s here to stay, and as long as people are naive enough to click a link that promises unimaginable wealth and success, it’s something we have to deal with. So where does that leave us?

Exactly where we started. With vigilance, education, anti-spam technologies and a modicum of common sense. Does it mean that we should stop taking down botnets? Of course not. Look, it’s a bit of a conundrum, but even though we cannot seem to gain an inch, it doesn’t mean we should lie down and take it. So hats off to FireEye, Spamhaus, and all the other vigilant heroes who fight this stuff every day.

And now, back to getting that pesky spam out of our inboxes.

Leave a Reply