{"id":1693,"date":"2010-08-16T22:44:39","date_gmt":"2010-08-17T02:44:39","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/?p=1693"},"modified":"2022-12-30T15:28:09","modified_gmt":"2022-12-30T20:28:09","slug":"2009-spam-results","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/2009-spam-results\/","title":{"rendered":"2009 SPAM results"},"content":{"rendered":"

\"2009 PC World<\/em><\/a> chronicles<\/a> how analysts at the a California-based security company FireEye<\/a> executed a plan to shut down the Mega-D (or Ozdok) botnet in early November 2009. At one point the Mega-D botnet<\/a> reportedly<\/a> accounted for 32 percent of all spam. In order to shut down this threat, Afit Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.<\/p>\n

\"\"<\/a>According to the article, the botnet’s command infrastructure was its weak point. The Mega-D owned bots infesting PCs were directed from online command and control (C&C) servers throughout the world. If the bots could be separated from their controllers, the researchers found that the undirected bots would sit idle on the PC’s not delivering their malware. Mushtaq found that every Mega-D bot had been assigned a list of destinations to try if it couldn’t reach its primary command server.\u00a0 Taking down Mega-D would need a carefully coordinated attack.<\/p>\n

To coordinate the attach the FireEye team contacted the Internet Service Providers (ISP’s) that hosted Mega-D control servers. Mushtaq’s research<\/a> showed that most of the Mega-D C&C servers were based in the United States, with others in Turkey and Israel. The FireEye team received cooperation for the U.S.-based IPS’s but not the overseas ISPs. The FireEye team took down the U.S.-based C&C servers.<\/p>\n

Since the ISP’s in Israel and Turkey refused to cooperate, PC World reports that Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to no\u00ad\u00adwhere. This cut off the botnet’s pool of domain names that the bots would use to reach the overseas ISP-based Mega-D C&C servers.<\/p>\n

As the last step, PC World<\/em> says that FireEye and the registrars worked to claim spare domain names that Mega-D’s controllers listed in the bots’ programming and pointed them to “sinkholes” (servers FireEye had set up to sit quietly and log efforts by Mega-D bots to check-in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.<\/p>\n

MessageLabs<\/a> reports<\/a> that Mega-D had “consistently been in the top 10 spam bots” for the earlier year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days after FireEye’s operation, Mega-D’s share of Internet spam to less than 0.1 percent, MessageLabs states.<\/p>\n

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. But other botnets continue to thrive. “FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks<\/a> in the PC World<\/em> article, “The question is, will it have a long-term impact?”<\/p>\n

Mushtaq says that FireEye is sharing its method with domestic and international law enforcement,\u00a0 “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”<\/p>\n

rb-<\/em><\/strong><\/p>\n

The takedown of Mega-D by FireEye has had a noted decrease in the level of SPAM I observed. During the 10 months before the Mega-D takedown, the daily average of SPAM messages (DASM) received 49. After the November 2009 takedown, the DASM rate dropped to 33. A step down into the numbers reveals that the November 2009 DASM was 35 and the December DASM was 29.<\/em><\/p>\n

\"\"
\n<\/em><\/p>\n

\"\"<\/a>The overall DASM trend line for 2009 was down. In order to keep the trend going down, firms should investigate the Shadowserver<\/a> – ASN & Netblock Alerting & Reporting Service<\/a>. This free reporting service is designed for organizations that directly own or control network space. The service provides reports detailing detected malicious activity to aid in their detection and mitigation program.\u00a0 Shadowserver has provided this service for over two years and now generates over 4,000 reports nightly.\u00a0 The reporting service monitors and alerts the following activity:<\/em><\/p>\n