Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Spamhaus declares Grum botnet dead, but Festi surges

Festi is now sending as many spam emails as the Cutwail botnet

A relatively new botnet has taken up the slack left by the shutdown in July of another major spamming botnet called Grum, according to the junk mail fighting organization Spamhaus.

The botnet, named Festi or Spamnost, has surged since the demise of Grum. Spamhaus counts at least 250,000 unique IP addresses showing signs of a Festi infection, up from around 20,000 unique IP addresses preceding Grum's takedown by security researchers.

"Since the beginning of July, the Spamhaus XBL [Exploit Block List] has seen a huge increase in Festi spamming activities," wrote Spamhaus' Thomas Morrison on the organizaton's blog on Thursday. "At the peak, during one 24-hour period the XBL detected nearly 300,000 IP addresses that were infected with Festi, out of a total of one million that were infected with some sort of spam-sending bot.

"The sheer volume of Festi spam overwhelmed spam detection processes at some security organizations," he wrote.

Spamhaus provides its XBL list to email service providers, which use it to block IP addresses that have been found to deliver malware or spam.

Festi, which Symantec detected in December 2011, is now competing with Cutwail to be the most prolific spamming botnet. Festi's rise follows a familiar pattern: As security researchers, vendors and law enforcement have notched more successes in technically interfering with botnets and taking their infrastructure offline, spammers quickly move to other botnets.

Grum, which was sending 18 billion spam messages daily, was the latest major botnet to be shut down. Spamhaus collaborated with security vendors FireEye and the Russian company Group-IB.

Grum's command-and-control servers in Panama and the Netherlands were taken offline. Grum operators quickly set up command-and-control servers in the Ukraine, suing one of the remaining servers in Russia to redirect the infection bots.

The hosting company for the Russian server did not respond to takedown requests, so its ISP dealt the final blow by halting traffic intended for the server.

Send news tips and comments to jeremy_kirk@idg.com

Related Articles

  1. CMO interview: Becoming a change agent

    CMO

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Comments are now closed.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • Accelerate Cloud and Composite Application Delivery
    Are your requirements the need for faster release cycles, you have reduced budgets required to run and manage a complex test environment, and you want to decrease your third party expenses? HP Service Virtualisation, designed to enable your teams to create, develop and test against virtual services that simulate real service behaviour with no constraints, available anytime.
    Learn more »
  • In Control at Layer 2: A Tectonic Shift in Network Security
    Network hacking and corporate espionage are on the rise and set to intensify. Information security risks remain commonplace, and most organisations need to increase vigilance. This paper has analyses the realistic threats to fibre optic Ethernet networks – both at the LAN and WAN level. Read now.
    Learn more »
  • Vodafone Ireland Implements World-Class Service Excellence with HP BSM
    Shane Gaffney, head of IT operations explain how HP Business Service Manager solutions have helped Vodafone to transform from a reactive to a proactive IT Operations function, and to align their priorities to match the business and drive business value, delivering 300% ROI in one year. Download today.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments