The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time its shutdown in July 2012, Grum was reportedly the world's 3rd largest botnet, responsible for 18% of worldwide spam traffic.
Grum relies on two types of control servers for its operation. One type is used to push configuration updates to the infected computers, and the other is used to tell the botnet what spam emails to send.
In July 2010, the Grum botnet consisted of an estimated 560,000–840,000 computers infected with the Grum rootkit. The botnet alone delivered about 39.9 billion spam messages in March 2010, equating to approximately 26% of the total global spam volume, temporarily making it the world's then-largest botnet. As of late 2010, the botnet seemed to be growing, as its output increased roughly by 51% in comparison to its output in 2009 and early 2010. 
In July 2012, malware intelligence company FireEye published an analysis of the botnet's command and control servers located in the Netherlands, Panama, and Russia. One week following their initial analysis, FireEye researchers reported that the Dutch Colo/ISP soon after seized two secondary servers responsible for sending spam instructions after their existence was made public. Within one day, the Panamanian ISP hosting one of Grum's primary servers followed suit and shut down their server. The cybercriminals behind Grum quickly responded by sending instructions through six newly established servers in Ukraine. FireEye connected with Spamhaus, CERT-GIB, and an anonymous researcher to shut down the remaining six C&C servers, officially knocking down the botnet as of July 19, 2012.
Grum botnet zombie clean-up
Currently there is a sinkhole running on some of the former IP addresses of the Grumbot C&C servers. The feed from the sinkhole is processed via both Shadowserver and abusix to inform the Point of Contact of the still infected IP addresses. ISP's are asked to contact their customers about the infections to have the malware cleaned up. Shadowserver.org will inform the users of their service once per day and Abusix sends out a X-ARF report very hour. X-ARF is the extented version of the Abuse Reporting Format
- "Grum". M86 Security. 2009-04-20. Retrieved 2010-07-30.
- Atif Mushtaq (2012-07-09). "Killing the Beast - Part 5". FireEye. Retrieved 2012-07-11.
- "Huge spam botnet Grum is taken out by security researchers". BBC News. 19 July 2012.
- "Researchers Say They Took Down World’s Third-Largest Botnet". New York Times. 2012-07-18. Retrieved 2012-07-18.
- "One of the world's largest spam botnets still alive after suffering significant blow". IDG. 2012-07-17. Retrieved 2012-07-17.
- "Research: Small DIY botnets prevalent in enterprise networks". ZDNet. Retrieved 2010-07-30.
- "MessageLabs Blog - Evaluating Botnet Capacity". Messagelabs.com.sg. Retrieved 2010-07-30.
- "Which Botnet Is Worst? Report Offers New Perspective On Spam Growth - botnets/Security". DarkReading. Retrieved 2010-07-30.
- "Grum and Rustock botnets drive spam to new levels". Securecomputing.net.au. 2010-03-02. Retrieved 2010-07-30.
- Whitney, Lance (2010-03-02). "Botnets cause surge in February spam | Security - CNET News". News.cnet.com. Retrieved 2010-07-30.
- James Wray and Ulf Stabe (2010-03-01). "Spam volumes surge thanks Grum and Rustock botnets - Security". Thetechherald.com. Retrieved 2010-07-30.
- "MessageLabs: Botnets a threat to email marketing - Email Marketing". BizReport. 2009-09-30. Retrieved 2010-07-30.
- Brian Krebs (2012-08-20). "Inside the Grum botnet".
- Steve Ragan (2012-07-17). "Dutch Police Takedown C&Cs Used by Grum Botnet". Security Week. Retrieved 2012-07-17.
- Alex Fitzgerald (2012-07-19). "Botnet Responsible for 18% of World’s Spam Knocked Offline". Mashable. Retrieved 2012-07-19.
- Atif Mushtaq (2012-07-19). "Grum, World's Third-Largest Botnet, Knocked Down". FireEye. Retrieved 2012-07-19.