{"id":1875,"date":"2010-01-21T21:13:12","date_gmt":"2010-01-22T02:13:12","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/?p=1875"},"modified":"2022-12-30T12:39:21","modified_gmt":"2022-12-30T17:39:21","slug":"spam-decline","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/spam-decline\/","title":{"rendered":"SPAM Decline?"},"content":{"rendered":"

\"SPAM\u00a0PC World<\/a><\/em> chronicles<\/a> how analysts at the California-based security company FireEye<\/a><\/strong> executed a plan to shut down the Mega-D botnet<\/strong> in early November 2009. At one point the Mega-D botnet reportedly<\/a> accounted for 32 percent of all spam<\/strong>. In order to shut down this threat, Afit Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.<\/p>\n

\"\"<\/a>According to the article, the botnet’s command infrastructure was its weak point. The Mega-D malware infecting PCs was directed from online command and control (C&C) servers<\/strong> throughout the world. If the bots could be separated from their controllers, the researchers found that the undirected bots would sit idle on the PC’s not delivering their malware. Mushtaq found that every Mega-D bot had been assigned a list of other destinations to try if it couldn’t reach its primary command server. So taking down Mega-D would need a carefully coordinated attack.<\/strong><\/p>\n

To set up the coordinated attack the FireEye team first contacted Internet Service Providers (ISP’s) that hosted Mega-D control servers.<\/strong> Mushtaq’s research<\/a> showed that most of the Mega-D C&C servers were based in the United States, with one in Turkey and another in Israel. The FireEye team received cooperation for the U.S.-based IPS’s but not the overseas ISPs. The Mushtaq team took down the U.S.-based C&C servers.<\/p>\n

Since the ISP’s in Israel and Turkey refused to cooperate, PC World<\/em> reports that Mushtaq and company contacted domain-name registrars<\/strong> holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere<\/strong>. This cut off the botnet’s pool of domain names that bots would use to reach Mega-D-affiliated C&C servers overseas ISPs.<\/p>\n

As the last step, PC World<\/em> says that FireEye and the registrars worked to claim spare domain names that Mega-D’s controllers listed in the bots’ programming and pointed them to “sinkholes”<\/strong> (servers FireEye had set up to sit quietly and log efforts by Mega-D bots to check-in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.<\/p>\n

\"\"MessageLabs<\/a> reports<\/a> that Mega-D had “consistently been in the top 10 spam bots” for the previous year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. After, FireEye’s action Mega-D’s market share of Internet spam to less than 0.1 percent, MessageLabs says.<\/p>\n

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware<\/strong>. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. But other botnets continue to thrive. “FireEye did have a major victory<\/em>,” says Joe Stewart, director of malware research with SecureWorks<\/a> in the PC World<\/em> article, “The question is, will it have a long-term impact?<\/em>”<\/p>\n

Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he’s hopeful. Until that happens, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”<\/p>\n

Rb-<\/em><\/strong><\/p>\n

The Daily Average SPAM Received (DASR) index reached an all-time low in December 2009. The DASR for December 2009 was 29.4. The trend was on the decline since its all-time high in May 2008 of 77.5, but this seems different.<\/em><\/p>\n

The impacts of the Fire-Eye operations seem longer lasting. The DASR stayed down through December and into the New Year. The month-to-date DASR index for January 2010 is a paltry 15. <\/em><\/p>\n

\"\"<\/p>\n

Even after the McColo takedown<\/a> in November 2008, the DASR never reached this low level.\u00a0 Hopefully, Spammers have seen the error in their ways, repented, and found something else to do, but more likely is they have reloaded with new ammo as they exploit social networks<\/a>, Adobe, IE<\/a>, and Google<\/a>.<\/em><\/p>\n

Related articles<\/h6>\n