Back in July the command and control (C&C) servers used by Grum, a spam botnet that was the world’s third largest at the time, were shut down by Spamhaus, FireEye and CERT-GIB.
Just a few short months later, FireEye researchers found that the botnet’s masters had started reinstating its C&C servers. At the time, since there were only a couple of new servers, no major spam activity was coming out of them.
Now, however, researchers from Trustwave’s SpiderLabs have found that the volume of spam from Grum is steadily increasing.
So far, the spam volume is small compared to what it had been before the takedown, but it is a clear sign that Grum is making a comeback. Grum’s main job is to send out pharmaceutical spam.
“Perhaps bot herders behind Grum botnet are slowly rebuilding it again,” said Rodel Mendrez of SpiderLabs. “We’ve been involved in helping various botnet takedowns before, but most of the time, the effect is temporary. It seems this botnet is deeply rooted, that you couldn’t take it down by its branch and fruit, but by its roots.”