Mega-D/Ozdok Botnet Take Down
At the time the McColo ISP went down a year ago, Ozdok a.k.a. Mega-D became the biggest of the spam botnets, and ever since has remained in the top 10 of spam bots. Earlier this month, researchers at FireEye, Inc. decided to attempt a take down of Mega-D.
“Our research team researched this particular botnet and after weeks of data analysis, on November 3 they came out with the information on the command and control locations, the IP addresses, and all the background detail,” explains Phillip Lin, director of marketing for FireEye. Armed with that data, and encouraged by the success of FireEye’s role in the takedown of the Srizbi botnet and the shutdown of McColo, the researchers reached out to the messaging community.
“We did what we considered to be the right thing,” continues Lin. “Which was to submit it to the abuse departments of various organizations saying, ‘Hey, if you didn’t know, you’re hosting some bad stuff.’ As it turned out, probably because of the coverage we received last year from the Srizbi bot and McColo, the abuse departments responded fairly quickly and made it a more coordinated effort.”
Those actions included taking down domain names, cutting off the command and control servers, and hosting providers actually shutting off machines. “What effectively ended up happening was, as of the 6th, the botnet was turned off.”
According to Lin, FireEye estimates there were 246,000+ live/active bots in Mega-D. He notes that, “Many bots stay dormant if the cybercriminal operator doesn’t light them up. Based on our stats, the top Geo breakdowns of where the bots were located were Brazil with 11.5 percent; India with 11.0 percent; Viet Nam with 10.9 percent; Russian Federation with 5.2 percent; and Mexico with 3.6 percent.”
In its blog, MessageLabs Intelligence commends FireEye’s work, stating: “It seems their actions have been very successful indeed, as our monitoring shows a huge decline in this previously prolific botnet’s activity.” The MessageLabs blog also offers a graph showing a sharp drop in the number of unique Mega-D IP addresses on November 4 and the days that followed.
Lin says that FireEye was pleased with the response to its research and with working alongside others to confirm its findings: “We felt like the community is finally getting to the point where they understand the scale of the problem, and can see the effectiveness of doing a coordinated shut down of a botnet.” Lin also felt it was acknowledged that “FireEye is a reputable player, and that you can trust our data. We have been working back and forth and hopefully we will have an even quicker process in the future, but it takes weeks of research to dig up all the different pieces.”
The latest news on the takedown comes from a blog post by Todd Rosenberry of the FireEye Malware Intelligence Lab, who writes that the botnet has been contained for over a week, and that going forward Shadowserver, the all-volunteer watchdog group, will take over monitoring the botnet.
To follow the adventures of the FireEye team and learn more, read the researchers’ account.