Security researchers at Trustwave SpiderLabs have published a new report stating that the operators of Grum, one of the largest spam botnets in the world, have brought it back to life.
Researchers claimed they found five new C&C servers connected to the botnet: 188.93.233.2, 185.4.227.170, 198.144.156.187, 80.86.253.3 and 84.22.104.163.
The researchers also documented the HTTP requests the bot sends to its C&C server over port 80, together with the purpose of each one:
· GET /spm/s_get_host.php?ver=[bot version]
s_get_host.php - returns the infected machine's IP address and hostname
· GET /spm/s_alive.php?id=[bot machine id]&tick=[system tick]&ver=[bot version]&smtp=[ok|bad]
s_alive.php - reports to the C&C server that the bot is alive; the data includes the bot id, system tick, bot version and SMTP status
· GET /spm/s_task.php?id=[bot machine id]&tid=xxxxx
s_task.php - fetches the current task and spam templates
· GET /spm/s_report.php?task=[task id]&id=[bot machine id]&errors[xxx]=xx
s_report.php - reports errors back to the C&C server
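The request patterns above are the part of the C&C protocol that survives a change of server addresses, so they are the useful thing to detect on. The following is an added example, not code from the report or from Trustwave, that classifies proxy-log entries as Grum beacons by matching the documented paths and query parameters and pulls out the bot id, SMTP status and error counters. The log format (client IP, method, URL, status) and the sample lines are constructed for the example; the only real values in it are the documented endpoint paths and one of the C&C addresses named above.

```python
from urllib.parse import urlsplit, parse_qs

# Grum C&C request paths and the query parameters each one is documented
# to carry. s_report.php additionally sends errors[xxx]=xx entries, which
# vary per report and are handled separately below.
GRUM_ENDPOINTS = {
    "/spm/s_get_host.php": {"ver"},
    "/spm/s_alive.php": {"id", "tick", "ver", "smtp"},
    "/spm/s_task.php": {"id", "tid"},
    "/spm/s_report.php": {"task", "id"},
}

# Constructed sample log in an assumed "client_ip method url status" format.
# Client IPs, bot ids, ticks and task ids are made up; 80.86.253.3 is one of
# the C&C addresses listed in the report. The last two lines are benign
# decoys that share a path prefix or parameter name but are not Grum.
SAMPLE_LOG = """\
10.0.0.5 GET http://80.86.253.3/spm/s_get_host.php?ver=41 200
10.0.0.5 GET http://80.86.253.3/spm/s_alive.php?id=0123ABCD&tick=1830214&ver=41&smtp=ok 200
10.0.0.5 GET http://80.86.253.3/spm/s_task.php?id=0123ABCD&tid=77215 200
10.0.0.5 GET http://80.86.253.3/spm/s_report.php?task=77215&id=0123ABCD&errors[550]=12&errors[421]=3 200
10.0.0.7 GET http://example.com/spm/news.php?id=1 200
10.0.0.9 GET http://example.net/index.php?ver=2 200
"""


def classify_request(url):
    """Return (endpoint, params) if the URL matches a Grum C&C request, else None."""
    parts = urlsplit(url)
    expected = GRUM_ENDPOINTS.get(parts.path)
    if expected is None:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # Require every documented parameter; the path alone is too weak a signal.
    if not expected.issubset(params):
        return None
    flat = {k: v[0] for k, v in params.items() if not k.startswith("errors[")}
    # Collect errors[<code>]=<count> pairs into a nested dict keyed by code.
    errors = {
        k[len("errors["):-1]: v[0]
        for k, v in params.items()
        if k.startswith("errors[") and k.endswith("]")
    }
    if errors:
        flat["errors"] = errors
    return parts.path, flat


def scan_log(text):
    """Return a list of (client_ip, c2_host, endpoint, params) for each beacon found."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "GET":
            continue
        hit = classify_request(fields[2])
        if hit is not None:
            endpoint, params = hit
            hits.append((fields[0], urlsplit(fields[2]).hostname, endpoint, params))
    return hits


if __name__ == "__main__":
    for client, host, endpoint, params in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}{endpoint} {params}")
```

Matching on the path plus the full parameter set, rather than on the server addresses alone, means the rule keeps working when the operators move to new C&C hosts, as they did between the takedown and this report. The extracted bot id lets you tie several beacons to one infected machine, and `smtp=ok` versus `smtp=bad` tells you whether that machine is currently able to send spam, which is useful for prioritising cleanup.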
According to the researchers, the subject lines of the spam were usually pharmaceutical, and the messages contained links to sites selling illegal drugs. The researchers also published a list of Russian domains associated with the spam campaign.
Grum was the third largest spam botnet in the world; about 30% of all spam was sent through it. It was taken down in July of last year.