Tuesday, July 24, 2012

Global Botnet Summary Report

The summary above was captured after the Grum spam botnet was taken down by FireEye. From the reports on the takedown:

The world's third-largest spam-generating network was knocked offline on Wednesday, according to a security researcher who was directly involved with the takedown of the once formidable Grum botnet's infrastructure in three countries.

Until this week, Grum's servers based in Russia, Panama, and the Netherlands were estimated to control at least 100,000 infected "zombie" PCs, or bots, responsible for as much as 18 per cent of the world's spam. Immediately before the takedown, Grum ranked behind only the Cutwail and Lethic spam botnets in size, though as recently as January of this year Grum was considered the world's most active spam generator.

FireEye, working with Russian CERT-GIB and Spamhaus, found each of these new CnC servers, took a heavy-handed approach in working with Russian ISPs and domain registrars, and took them down as of 11am PT this morning, signaling the full shut down of the botnet.

According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has been reduced to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well.

Botnets are collections of compromised hosts that attackers remotely control for their own nefarious purposes.
Once installed and running, a malicious bot will attempt to connect to a remote server to receive instructions on what actions to take. The classic command and control (C&C) protocol used for this is Internet Relay Chat (IRC), although HTTP-based C&C is also widespread. While a legitimate protocol for online chat, IRC is often used by attackers due to the relative simplicity of the protocol along with the ready availability of bot software written to use it. After connecting, a bot-infected host can be controlled by an attacker and commanded to conduct malicious actions such as sending spam, scanning the Internet for other potentially controllable hosts, or launching DoS attacks.
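To make the IRC C&C pattern concrete, here is an added example (not code from the original post, from FireEye, or from any Grum analysis) that parses a constructed bidirectional IRC capture and flags the indicators a detection analyst looks for: a machine-generated nick, a join to a keyed channel, and controller commands delivered through the channel topic or a PRIVMSG. The command vocabulary, the nick heuristic, and the hostnames and addresses in the sample session are all assumptions; Grum itself is not described on this page as using IRC.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 1459 line grammar: [":" prefix " "] command [" " params] [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: (?!:)\S+)*)"
    r"(?: :(?P<trailing>.*))?$"
)

# Verbs a herder pushes to bots. Illustrative list (assumption): real bot
# families use their own prefixes and vocabularies.
BOT_COMMAND = re.compile(r"^[.!](scan|ddos|syn|udp|spam|download|update|exec)\b", re.I)

# Heuristic (assumption): nicks like "[COUNTRY|OS]12345" end in a separator
# followed by a run of digits, a pattern seen in classic IRC bot kits.
BOT_NICK = re.compile(r"[|\[\]]\d{4,}$")


@dataclass
class IrcMessage:
    direction: str            # "C" = bot -> server, "S" = server -> bot
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(direction: str, raw: str) -> Optional[IrcMessage]:
    """Split one raw IRC line into prefix, command, params and trailing."""
    m = IRC_LINE.match(raw.rstrip("\r\n"))
    if m is None:
        return None
    return IrcMessage(direction, m.group("prefix"), m.group("command").upper(),
                      m.group("params").split(), m.group("trailing"))


@dataclass
class Findings:
    nick: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    commands: List[Tuple[str, str]] = field(default_factory=list)  # (channel, command)
    indicators: List[str] = field(default_factory=list)


def analyse_session(capture: List[Tuple[str, str]]) -> Findings:
    """Walk a bidirectional IRC capture and collect bot C&C indicators."""
    f = Findings()
    for direction, raw in capture:
        msg = parse_irc_line(direction, raw)
        if msg is None:
            continue  # not IRC syntax; a real pipeline would log the line
        if direction == "C" and msg.command == "NICK" and msg.params:
            f.nick = msg.params[0]
            if BOT_NICK.search(f.nick):
                f.indicators.append(f"machine-generated nick {f.nick!r}")
        elif direction == "C" and msg.command == "JOIN" and msg.params:
            channel = msg.params[0]
            f.channels.append(channel)
            if len(msg.params) > 1:  # second parameter is the channel key
                f.indicators.append(f"join to keyed channel {channel}")
        elif direction == "S" and msg.command == "332" and len(msg.params) >= 2 and msg.trailing:
            # 332 = RPL_TOPIC; many IRC bots treat the topic as a standing order
            if BOT_COMMAND.match(msg.trailing):
                f.commands.append((msg.params[1], msg.trailing))
                f.indicators.append(f"command in topic of {msg.params[1]}")
        elif direction == "S" and msg.command == "PRIVMSG" and msg.params and msg.trailing:
            if BOT_COMMAND.match(msg.trailing):
                f.commands.append((msg.params[0], msg.trailing))
                f.indicators.append(f"command from {msg.prefix} to {msg.params[0]}")
    return f


def is_bot_cnc(f: Findings) -> bool:
    """Verdict: at least one pushed command and two or more indicators overall."""
    return bool(f.commands) and len(f.indicators) >= 2


# Constructed sample session (assumption): hosts and addresses are
# documentation ranges, not a real capture.
CAPTURE = [
    ("C", "NICK USA|XP|8421937"),
    ("C", "USER dqzpk 0 * :dqzpk"),
    ("S", ":irc.example.test 001 USA|XP|8421937 :Welcome to the network"),
    ("C", "JOIN #b0tz s3cretkey"),
    ("S", ":USA|XP|8421937!dqzpk@203.0.113.7 JOIN :#b0tz"),
    ("S", ":irc.example.test 332 USA|XP|8421937 #b0tz :.scan 10.0.0.0/8 445 -s"),
    ("S", ":master!op@192.0.2.9 PRIVMSG #b0tz :.ddos syn 198.51.100.20 80 600"),
    ("S", ":master!op@192.0.2.9 PRIVMSG #b0tz :brb"),
    ("S", "PING :irc.example.test"),
    ("C", "PONG :irc.example.test"),
]

if __name__ == "__main__":
    result = analyse_session(CAPTURE)
    for ind in result.indicators:
        print("indicator:", ind)
    print("verdict: bot C&C" if is_bot_cnc(result) else "verdict: inconclusive")
```

The parser is deliberately strict about the RFC 1459 shape so that the same code can be pointed at a reassembled TCP stream from a sensor; the verdict requires more than one indicator because a keyed channel or an odd nick alone is common in legitimate IRC use.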
