Killing the Beast - Part 5

Back in 2009, I started writing a series of articles called "Killing the Beast." These articles were primarily focused on the command and control (CnC) coordinates of popular spam botnets. These articles not only provided readers greater visibility into these spam botnets, but also served as the basis for two botnet takedowns. So far, four articles under this series have been published. After a long time, I have decided to write the fifth one.

For a refresher, older posts can be accessed using the links shown below:

Part 1, Part 2, Part 3, and Part 4.

In recent years, we have seen the fall of many spam botnets including Srizbi, Rustock, Mega-D, Pushdo.A, Storm, and Waledac. But one botnet that has kept itself well under the radar is the Grum botnet. When I look into my Botnet Lab logs, I can see traces of Grum's earlier versions recorded around February 2008. That means that, as of today, this botnet is more than four years old. Readers who have been following the evolution of different botnets would agree that keeping a botnet active and alive for this many years is an achievement in itself.

Based on the latest statistics from M86Security, Grum is currently responsible for 17.4% of worldwide spam traffic, making it the world's third most active spam botnet after Cutwail and Lethic. Interestingly, Grum, which was the world's number one spam botnet around January 2012 (at that time, Grum was responsible for 33.3% of worldwide spam), is already in decline after losing its top position to the Cutwail botnet.