PC World chronicles how analysts at the California-based security company FireEye executed a plan to shut down the Mega-D (or Ozdok) botnet in early November 2009. At one point the Mega-D botnet reportedly accounted for 32 percent of all spam. To shut down this threat, Atif Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.
According to the article, the botnet’s command infrastructure was its weak point. The Mega-D bots infesting PCs were directed from online command and control (C&C) servers throughout the world. The researchers found that if the bots could be separated from their controllers, the undirected bots would sit idle on the PCs, not delivering their malware. Mushtaq found that every Mega-D bot had been assigned a list of destinations to try if it couldn’t reach its primary command server. Taking down Mega-D would therefore need a carefully coordinated attack.
To coordinate the attack, the FireEye team contacted the Internet Service Providers (ISPs) that hosted Mega-D control servers. Mushtaq’s research showed that most of the Mega-D C&C servers were based in the United States, with others in Turkey and Israel. The FireEye team received cooperation from the U.S.-based ISPs but not from the overseas ISPs, and took down the U.S.-based C&C servers.
Since the ISPs in Israel and Turkey refused to cooperate, PC World reports that Mushtaq and company contacted the domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere. This cut off the pool of domain names that the bots would use to reach the Mega-D C&C servers hosted at the overseas ISPs.
As a last step, PC World says that FireEye and the registrars worked to claim spare domain names that Mega-D’s controllers listed in the bots’ programming and pointed them to “sinkholes” (servers FireEye had set up to sit quietly and log efforts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
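As an added illustration (not FireEye’s code or data), the following Python sketch shows how a sinkhole’s check-in log is reduced to a population estimate like the one above: distinct source addresses overall, the peak on any single day, and the split across the sinkholed fallback domains. The log lines, addresses and domain names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole check-in log lines (not FireEye's real logs):
# "<timestamp> <source-ip> <requested-domain>", one line per bot check-in.
SINKHOLE_LOG = """\
2009-11-06T00:01:12 198.51.100.7 fallback-a.example
2009-11-06T00:01:13 198.51.100.7 fallback-a.example
2009-11-06T00:02:40 203.0.113.9 fallback-a.example
2009-11-06T03:15:02 192.0.2.44 fallback-b.example
2009-11-07T01:09:55 198.51.100.7 fallback-b.example
2009-11-07T02:30:17 192.0.2.45 fallback-b.example
2009-11-07T02:31:00 203.0.113.9 fallback-a.example
2009-11-08T00:00:05 192.0.2.46 fallback-a.example
"""

def parse_checkins(log_text):
    """Yield (day, src_ip, domain) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, domain = parts
        try:
            day = datetime.fromisoformat(ts).date().isoformat()
        except ValueError:
            continue
        yield day, ip, domain

def estimate_botnet(log_text):
    """Return (cumulative unique IPs, peak daily unique IPs, unique IPs per domain).

    Repeated check-ins from the same address are counted once, so the
    numbers reflect distinct hosts seen, not raw request volume.
    """
    all_ips = set()
    per_day = defaultdict(set)
    per_domain = defaultdict(set)
    for day, ip, domain in parse_checkins(log_text):
        all_ips.add(ip)
        per_day[day].add(ip)
        per_domain[domain].add(ip)
    peak_daily = max((len(s) for s in per_day.values()), default=0)
    return len(all_ips), peak_daily, {d: len(s) for d, s in per_domain.items()}

if __name__ == "__main__":
    print(estimate_botnet(SINKHOLE_LOG))  # (5, 3, {...: 3, ...: 3})
```

The cumulative count over-states hosts whose addresses change (DHCP churn), while the per-day peak under-states hosts sharing one address behind NAT, which is why a figure such as “about 250,000” is an estimate rather than a census.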
MessageLabs reports that Mega-D had “consistently been in the top 10 spam bots” for the previous year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days after FireEye’s operation, Mega-D’s share of Internet spam had dropped to less than 0.1 percent, MessageLabs states.
Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one, and other botnets continue to thrive. “FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks, in the PC World article. “The question is, will it have a long-term impact?”
Mushtaq says that FireEye is sharing its method with domestic and international law enforcement. “We’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”
The takedown of Mega-D by FireEye has resulted in a noted decrease in the level of SPAM I observed. During the 10 months before the Mega-D takedown, the daily average of SPAM messages (DASM) received was 49. After the November 2009 takedown, the DASM rate dropped to 33. A step down into the numbers reveals that the November 2009 DASM was 35 and the December DASM was 29.
The overall DASM trend line for 2009 was down. To keep the trend going down, firms should investigate the Shadowserver – ASN & Netblock Alerting & Reporting Service. This free reporting service is designed for organizations that directly own or control network space. The service provides reports detailing detected malicious activity to aid their detection and mitigation programs. Shadowserver has provided this service for over two years and now generates over 4,000 reports nightly. The reporting service monitors and alerts on the following activity:
- Detected Botnet Command and Control servers
- Infected systems (drones)
- DDoS attacks (source and victim)
- Compromised hosts
- Spam relays
- Malicious software droppers and other related information.
Detected malicious activity on a subscriber’s network is flagged and included in daily summary reports detailing the previous 24 hours of activity. These customized reports are made freely available to the responsible network operators as a subscription service.