PC World chronicles how analysts at the a California-based security company FireEye executed a plan to shut down the Mega-D (or Ozdok) botnet in early November 2009. At one point the Mega-D botnet reportedly accounted for 32 percent of all spam. In order to shut down this threat, Afit Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.
According to the article, the botnet’s command infrastructure was its weak point. The Mega-D owned bots infesting PCs were directed from online command and control (C&C) servers throughout the world. If the bots could be separated from their controllers, the researchers found that the undirected bots would sit idle on the PC’s not delivering their malware. Mushtaq found that every Mega-D bot had been assigned a list of destinations to try if it couldn’t reach its primary command server. Taking down Mega-D would need a carefully coordinated attack.
To coordinate the attach the FireEye team contacted the Internet Service Providers (ISP’s) that hosted Mega-D control servers. Mushtaq’s research showed that most of the Mega-D C&C servers were based in the United States, with others in Turkey and Israel. The FireEye team received cooperation for the U.S.-based IPS’s but not the overseas ISPs. The FireEye team took down the U.S.-based C&C servers.
Since the ISP’s in Israel and Turkey refused to cooperate, PC World reports that Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere. This cut off the botnet’s pool of domain names that the bots would use to reach the overseas ISP-based Mega-D C&C servers.
As the last step, PC World says that FireEye and the registrars worked to claim spare domain names that Mega-D’s controllers listed in the bots’ programming and pointed them to “sinkholes” (servers FireEye had set up to sit quietly and log efforts by Mega-D bots to check-in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
MessageLabs reports that Mega-D had “consistently been in the top 10 spam bots” for the earlier year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days after FireEye’s operation, Mega-D’s share of Internet spam to less than 0.1 percent, MessageLabs states.
Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. But other botnets continue to thrive. “FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks in the PC World article, “The question is, will it have a long-term impact?”
Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”
rb-
The takedown of Mega-D by FireEye has had a noted decrease in the level of SPAM I observed. During the 10 months before the Mega-D takedown, the daily average of SPAM messages (DASM) received 49. After the November 2009 takedown, the DASM rate dropped to 33. A step down into the numbers reveals that the November 2009 DASM was 35 and the December DASM was 29.
The overall DASM trend line for 2009 was down. In order to keep the trend going down, firms should investigate the Shadowserver – ASN & Netblock Alerting & Reporting Service. This free reporting service is designed for organizations that directly own or control network space. The service provides reports detailing detected malicious activity to aid in their detection and mitigation program. Shadowserver has provided this service for over two years and now generates over 4,000 reports nightly. The reporting service monitors and alerts the following activity:
- Detected Botnet Command and Control servers
- Infected systems (drones)
- DDoS attacks (source and victim)
- Scans
- Clickfraud
- Compromised hosts
- Proxies
- Spam relays
- Malicious software droppers and other related information.
Detected malicious activity on a subscriber’s network is flagged and included in daily summary reports detailing the previous 24 hours of activity. These customized reports are made freely available to the responsible network operators as a subscription service.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Web servers, FTP servers, and even SSL servers are becoming prime targets for botnets. They are targets, not as command and control servers says Mikko Hypponen, chief research officer at 
“FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots,” says Hypponen. Botnets often use stolen FTP credentials to break into other parts of the system, says Bill Ho, vice president of Internet products for 
Why SSL servers? “If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won’t be able to scan for the malware in transit, making it easier to sneak in,” Hypponen explains.