
Mega-D still spamming

By Phil Hay  •  February 15th, 2010  •   Spam

Last November, researchers at FireEye coordinated a takedown of Mega-D's control infrastructure, which gained a lot of press at the time. But it didn't take too long for the spamming to resume. Over the last few weeks, Mega-D has accounted for around 20% of the spam hitting our spam trap network, as you can see in our spam-by-botnet chart below:

We recently got hold of an updated Mega-D bot (thanks to Joe Stewart at SecureWorks) and analyzed it. The bot's behavior is still very similar to what we have published on Mega-D before, here and here. It performed a DNS lookup on the varikausliks.biz domain and obtained the control server's IP address 72.52.210.130. Thereafter it maintained communications on port 443:

Shortly after, in classic Mega-D fashion, the bot sent a test email to the host@abc.tld recipient address via a mail server hosted at 69.197.151.234, which answers with the banner 250 msn.com ESMTP dreefJom:
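The sequence above (C2 domain lookup, a connection to the control server on port 443, then a test message to a bogus recipient) is what a network defender would look for in DNS, firewall and MTA logs. The following is an added example, not code from the original post or from M86's tooling: it uses only the indicators quoted in the post, runs them over a few constructed log lines in a simplified, made-up format, and grades each source host by how many of the indicators it triggered. The log format, host addresses and the grading thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Indicators as reported in the post: the C2 domain and IP, the port the bot
# talks on, and the server and recipient used for the bot's SMTP test message.
MEGAD_C2_DOMAIN = "varikausliks.biz"
MEGAD_C2_IP = "72.52.210.130"
MEGAD_C2_PORT = 443
MEGAD_TEST_SMTP_IP = "69.197.151.234"
MEGAD_TEST_RCPT = "host@abc.tld"

# Constructed sample log lines in a simplified, made-up format
# ("<timestamp> <kind> <src> ..."); real DNS, firewall and MTA logs differ.
SAMPLE_LOGS = [
    "2010-02-15T10:00:01 dns 10.0.0.5 query varikausliks.biz",
    "2010-02-15T10:00:01 dns 10.0.0.7 query www.example.com",
    "2010-02-15T10:00:02 conn 10.0.0.5 -> 72.52.210.130:443",
    "2010-02-15T10:00:02 conn 10.0.0.7 -> 203.0.113.10:443",
    "2010-02-15T10:00:05 smtp 10.0.0.5 -> 69.197.151.234 RCPT TO:<host@abc.tld>",
    "2010-02-15T10:00:06 smtp 10.0.0.9 -> 198.51.100.25 RCPT TO:<alice@example.net>",
    "2010-02-15T10:00:07 smtp 10.0.0.9 -> 198.51.100.25 RCPT TO:<host@abc.tld>",
]

DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<src>\S+) query (?P<qname>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
SMTP_RE = re.compile(r"^(?P<ts>\S+) smtp (?P<src>\S+) -> (?P<dst>[\d.]+) (?P<cmd>.+)$")
RCPT_RE = re.compile(r"RCPT TO:<([^>]+)>", re.IGNORECASE)


def classify(line):
    """Return (src, [indicator names]) for one log line; the list may be empty."""
    m = DNS_RE.match(line)
    if m:
        qname = m["qname"].lower().rstrip(".")
        hit = qname == MEGAD_C2_DOMAIN or qname.endswith("." + MEGAD_C2_DOMAIN)
        return m["src"], ["c2_dns"] if hit else []
    m = CONN_RE.match(line)
    if m:
        hit = m["dst"] == MEGAD_C2_IP and int(m["dport"]) == MEGAD_C2_PORT
        return m["src"], ["c2_conn"] if hit else []
    m = SMTP_RE.match(line)
    if m:
        found = []
        if m["dst"] == MEGAD_TEST_SMTP_IP:
            found.append("smtp_test_server")
        r = RCPT_RE.search(m["cmd"])
        if r and r.group(1).lower() == MEGAD_TEST_RCPT:
            found.append("smtp_test_rcpt")
        return m["src"], found
    return None, []


def scan(lines):
    """Map each source host to the sorted set of Mega-D indicators seen for it."""
    hosts = defaultdict(set)
    for line in lines:
        src, found = classify(line)
        for name in found:
            hosts[src].add(name)
    return {src: sorted(names) for src, names in hosts.items()}


def confidence(indicators):
    """Assumed grading: any C2 contact is high confidence; the bogus test
    recipient on its own is only suggestive, since other mailers could reuse it."""
    s = set(indicators)
    if {"c2_dns", "c2_conn"} & s:
        return "high"
    if len(s) >= 2:
        return "medium"
    return "low" if s else "none"


def report(lines):
    """Per-host (confidence, indicators) for every host that triggered anything."""
    return {src: (confidence(names), names) for src, names in scan(lines).items()}


if __name__ == "__main__":
    for host, (grade, names) in report(SAMPLE_LOGS).items():
        print(host, grade, ", ".join(names))
```

The C2 indicators carry the weight on purpose: a domain lookup or a port 443 session to the control server is something only the bot would do, whereas a single outbound RCPT to host@abc.tld from a host that never touched the C2 deserves a closer look rather than an automatic verdict. Note that the post's C2 IP and domain are a snapshot from February 2010 and would need refreshing as the infrastructure moves.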

The spam emitted from Mega-D is a simple, very consistent HTML-only message which hasn't really changed in over two months. The spam itself links through to Canadian Pharmacy, a major spam affiliate program:

While the spam is consistent, the subject lines vary widely. Here are today's lot:

Confirmation Mail
Confirmation ref # [636596]
Deal of the Day
Electronic Discount Code 71% for [email address removed]
Important notice: Google
Important notice: Google Apps browser support
Must-Know Rules Of Better Shopping
New Year Sales
New Private Message for [email address removed]
News on myspace
Please Read
Sales Event get 76% off
Special Code for 78% for [email address removed]
Special Discount 79% for [email address removed]
Special Ticket Receipt
You have a new personal message
You Must Know About This Promotion
Your Discount Code on Amazon for [email address removed]
Your Future Order with 72% off retail
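Most of the variation in that list is confined to a few slots (a discount percentage, a bracketed reference number, the recipient's own address), so the subjects collapse to a small set of templates once those slots are normalised. The following is an added example, not code from the original post: it builds templates from the subjects quoted above, separates the distinctive ones (those with a variable slot) from generic text like "Please Read" that legitimate mail also uses, and runs a few constructed subject lines through the matcher. The placeholder names and the constructed subjects are assumptions for the illustration.

```python
import re
from collections import Counter

# Subject lines quoted from the post (addresses were already redacted there).
MEGAD_SUBJECTS = [
    "Confirmation Mail",
    "Confirmation ref # [636596]",
    "Deal of the Day",
    "Electronic Discount Code 71% for [email address removed]",
    "Important notice: Google",
    "Important notice: Google Apps browser support",
    "Must-Know Rules Of Better Shopping",
    "New Year Sales",
    "New Private Message for [email address removed]",
    "News on myspace",
    "Please Read",
    "Sales Event get 76% off",
    "Special Code for 78% for [email address removed]",
    "Special Discount 79% for [email address removed]",
    "Special Ticket Receipt",
    "You have a new personal message",
    "You Must Know About This Promotion",
    "Your Discount Code on Amazon for [email address removed]",
    "Your Future Order with 72% off retail",
]

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PCT_RE = re.compile(r"\b\d{1,3}%")
REF_RE = re.compile(r"\[\d+\]")
WS_RE = re.compile(r"\s+")


def normalize(subject):
    """Collapse the variable slots (recipient address, discount percentage,
    reference number) so subjects generated from one template compare equal."""
    s = subject.strip().lower()
    s = s.replace("[email address removed]", "{addr}")  # redacted form as printed
    s = ADDR_RE.sub("{addr}", s)
    s = PCT_RE.sub("{pct}", s)
    s = REF_RE.sub("{ref}", s)
    return WS_RE.sub(" ", s)


TEMPLATES = {normalize(s) for s in MEGAD_SUBJECTS}
# Templates with a variable slot are distinctive; fixed-text ones such as
# "Please Read" or "Deal of the Day" also occur in legitimate mail.
STRONG_TEMPLATES = {t for t in TEMPLATES if "{" in t}


def match_subject(subject):
    """'strong' for a templated Mega-D subject, 'weak' for a generic one, else None."""
    t = normalize(subject)
    if t in STRONG_TEMPLATES:
        return "strong"
    if t in TEMPLATES:
        return "weak"
    return None


def cluster(subjects):
    """Count observed subjects by template, showing how few templates are in play."""
    return Counter(normalize(s) for s in subjects)


def match_counts(subjects):
    return Counter(match_subject(s) or "none" for s in subjects)


# Constructed subjects standing in for one day's inbound mail.
OBSERVED = [
    "Special Discount 62% for alice@example.org",
    "Special Discount 79% for bob@example.net",
    "Sales Event get 81% off",
    "Sales Event get 76% off",
    "Confirmation ref # [101202]",
    "Your Discount Code on Amazon for carol@example.com",
    "Please Read",
    "Quarterly report attached",
]

if __name__ == "__main__":
    for template, n in cluster(OBSERVED).most_common():
        print(n, template, match_subject(template) or "-")
```

A subject-line heuristic like this is a triage aid, not a verdict on its own: the strong templates are worth a rule because the "NN% for <recipient>" shape is specific to this campaign, while a weak match should only raise the score of a message that also fails other checks (sender reputation, the Canadian Pharmacy link target, the unchanged HTML body the post describes).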

It's not the first time that Mega-D has come back from the dead. We have reported its revival twice before, here and here. It shows that while taking down these botnets may be relatively easy, keeping the force behind them down is another matter altogether.
