Late last week, the Mega-D botnet (aka Ozdok) suffered as its major control servers were taken out of action. The folks over at FireEye analyzed the botnet’s control structure and fallback mechanisms. They then set about disabling Mega-D by contacting various ISPs to disable control servers, de-registering current control domains, and registering unused fallback domains.
As seen in the chart below, which shows the relative movement in the volume of Mega-D spam received by our spam traps, the take down had an immediate effect on the spam from the botnet.
Today the spam has stopped altogether, although there was a very small trickle over the weekend, directed to a couple of small UK-based domains that we monitor.
Mega-D is a well established spamming botnet. We first drew attention to it in early 2008 when it was responsible for a third of the spam we were seeing at the time. The botnet has had its ups and downs. Its control servers have been disabled once before, and it was also affected by the McColo take down a year ago. Lately it has been a 2nd-tier spammer as shown by our spam by botnet statistics.
According to FireEye, Mega-D's orphaned zombies are now pointing to sinkhole servers where over 250,000 IP addresses have been counted, giving an indication of the size of the botnet. We have seen individual Mega-D bots spam at 15,000 messages per hour. Doing the math gives a theoretical maximum of 30 billion spam messages per day from the botnet – although the actual figure is probably at least half that because not all zombie computers are on, all day, spamming.
The other interesting thing highlighted by FireEye’s analysis of Mega-D is the advanced fallback mechanisms should a control server be disrupted. Mega-D bots:
- Use a list of domains; if one fails, the bot moves on to the next.
- Have hard-coded DNS servers, so they do not depend on the victim's local resolver.
- Use domain generation algorithms in case everything else fails.
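Each of those three fallback mechanisms also leaves a trace in DNS logs that a defender can look for. The script below is an added example, not FireEye's tooling and not Mega-D's real domain list or algorithm; it runs three simple heuristics over a handful of constructed DNS query log lines: a client sending queries to a resolver other than the organisation's own (hard-coded DNS servers), a client burning through a burst of distinct NXDOMAIN responses (walking a list of fallback domains), and query names whose leading label has the high entropy and missing vowels typical of generated names (DGAs). The log format, the approved resolver address, the IP addresses and the thresholds are all assumptions made for the example.

```python
"""Heuristic detection of botnet fallback behaviour in DNS query logs.

Added example: not FireEye's tooling and not Mega-D's actual algorithm.
One heuristic per fallback mechanism described in the post:
  1. resolver-bypass : a client querying a resolver other than ours
                       (bots with hard-coded DNS servers),
  2. fallback-walk   : a client collecting many distinct NXDOMAINs in a
                       row (walking a list of control domains),
  3. dga-like-name   : a leading label with high Shannon entropy and
                       almost no vowels (domain generation algorithms).
Every address, name and threshold below is constructed for illustration.
"""
import math
from collections import defaultdict

APPROVED_RESOLVERS = {"10.0.0.53"}  # constructed: the organisation's own resolver
NXDOMAIN_BURST = 5                  # distinct failed lookups per client before alerting
ENTROPY_THRESHOLD = 3.5             # bits per character; dictionary words sit well below
MIN_LABEL_LEN = 10                  # short labels are too noisy to score
MAX_VOWEL_RATIO = 0.2               # generated labels rarely contain many vowels

# Constructed log lines: "<time> <client> <resolver> <qname> <rcode>"
SAMPLE_LOG = """\
09:00:01 192.168.1.20 10.0.0.53 www.example.com NOERROR
09:00:02 192.168.1.20 10.0.0.53 mail.example.com NOERROR
09:00:05 192.168.1.77 203.0.113.9 c2node1.example.net NXDOMAIN
09:00:06 192.168.1.77 203.0.113.9 c2node2.example.net NXDOMAIN
09:00:07 192.168.1.77 203.0.113.9 c2node3.example.net NXDOMAIN
09:00:08 192.168.1.77 203.0.113.9 c2node4.example.net NXDOMAIN
09:00:09 192.168.1.77 203.0.113.9 c2node5.example.net NXDOMAIN
09:00:10 192.168.1.77 203.0.113.9 xk7qpwzv3tbh9c.example.org NXDOMAIN
09:00:11 192.168.1.77 203.0.113.9 q9zr4vtnbkjw2d.example.org NOERROR
"""


def parse_line(line):
    """Split one log line into its five whitespace-separated fields."""
    ts, client, resolver, qname, rcode = line.split()
    return {"ts": ts, "client": client, "resolver": resolver,
            "qname": qname, "rcode": rcode}


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname):
    """Score only the leftmost label, the part a DGA typically varies.
    (Simplification: a real check would score the registrable label.)"""
    label = qname.split(".")[0].lower()
    if len(label) < MIN_LABEL_LEN:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) > ENTROPY_THRESHOLD
            and vowels / len(label) < MAX_VOWEL_RATIO)


def analyse(log_text):
    """Return a list of (client, kind, detail) alerts, deduplicated per client."""
    alerts = []
    seen = set()                      # (client, kind, detail) already reported
    nx_by_client = defaultdict(set)   # distinct NXDOMAIN names per client

    def alert(client, kind, detail):
        key = (client, kind, detail)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["resolver"] not in APPROVED_RESOLVERS:
            alert(rec["client"], "resolver-bypass", rec["resolver"])
        if looks_generated(rec["qname"]):
            alert(rec["client"], "dga-like-name", rec["qname"])
        if rec["rcode"] == "NXDOMAIN":
            failed = nx_by_client[rec["client"]]
            failed.add(rec["qname"])
            if len(failed) == NXDOMAIN_BURST:
                alert(rec["client"], "fallback-walk",
                      f"{NXDOMAIN_BURST} distinct NXDOMAIN responses")
    return alerts


if __name__ == "__main__":
    for client, kind, detail in analyse(SAMPLE_LOG):
        print(f"{client:14} {kind:16} {detail}")
```

On the constructed log the well-behaved host 192.168.1.20 raises nothing, while 192.168.1.77 trips all three heuristics: one resolver-bypass alert, one fallback-walk alert after its fifth distinct NXDOMAIN, and two dga-like-name alerts. Entropy alone is a weak signal (CDN and cloud hostnames are noisy too), which is why the three checks are most useful when they fire together for the same client.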
These fallback mechanisms are more evidence that the botnet operators have learned from the McColo event of a year ago and made their systems that much more resilient. It remains to be seen whether Mega-D can recover from this one – it's too soon to say it's completely dead yet.
Anyway, kudos to FireEye for their analysis and action on this botnet. It is important to keep the pressure on these bot herders so their lives don’t become too easy. Anyone want to tackle Rustock next?