Information Assurance

Brian Miller




Media Analysis - Fire Eye Security


Mega-D Botnet: (Temporarily) Shut Down

About the Mega-D botnet

  • Allegedly responsible for 32% of the world's spam
    • More recently, by another source, estimated at 4.2% [1]
  • Estimated to consist of around 35,000 infected machines.
  • Could feasibly send 10 billion e-mail messages per day [2]

How it works

  • Machines are infected with malware from the Ozdok family, typically delivered by trojans.
  • When run, the malware starts an instance of Windows' svchost.exe and injects its code into that process.
  • The bot then tries to reach its command servers through a set of obscure domain names on TCP port 80, but speaks a custom, non-standard protocol over that port (it does not use HTTP or SSL), so the traffic does not look like web browsing to anything inspecting it.
  • Once connected, the bot downloads a spam template and a list of e-mail addresses, and begins spamming.
  • Compare the McColo shutdown (Nov. 2008):
    • A large portion of the C&C servers for the Srizbi botnet was hosted by this San Jose company, within a limited IP block.
    • Srizbi bots were hard-coded with a list of server addresses, so once McColo was tied to Srizbi and taken offline, the botnet quickly lost most of its capacity; global spam levels dropped by roughly 75%.
    • It eventually recovered somewhat after servers were relocated to Estonia, but never returned to its pre-shutdown level.
  • Ozdok, by contrast, was built to survive exactly that kind of takedown and has multiple fallback methods:
    • It uses domain names rather than fixed IPs, so a shut-down command server can be moved to another net block and the domain re-pointed.
    • It tries the domain names on a hard-coded list, resolving them
      • first through the host's configured DNS servers,
      • then through a hard-coded list of name servers (if the registrars shut down the domains, these custom DNS servers come into play).
    • If all else fails, it generates a fresh domain every day from the current date and time. Unless every one of those domains is registered by the "good guys" ahead of time, the bot herders can simply register one of them to reclaim control.

How it was disabled [3]

  1. Abuse notifications to ISPs: several IP blocks hosting command servers were shut down (only 4 servers remained, pending investigation/shutdown).
  2. Worked with registrars to shut down the registered domains on the hard-coded list.
  3. Registered the domains on the list that nobody had reserved yet.
    • These were pointed at FireEye's own sinkhole server, which saw 264,784 unique IPs connect within a 24-hour window. That is a rough estimate of the size of the Mega-D botnet (far above the 35,000 figure quoted above).
    • 487,430 unique IPs connected over 5 days. Because bot IPs change, the multi-day count cannot be used to estimate size, but it does show where the bots are located.
  4. Registered some of the anticipated daily-generated domains.

Result

  • At least temporarily disabled: spam from this botnet has nearly stopped altogether.
  • But registering every daily domain indefinitely is unsustainable: the cost and effort grow with every day covered, while the herders only need to win once.
    • So the bot herders can reclaim control as soon as they manage to register one of the daily domains before the defenders do.

Other notes

  • Is there a self-destruct (uninstall) mechanism in the Ozdok code?
    • None found yet.
    • Even if one were found, triggering it would be illegal: it means modifying victims' machines without their authorization.
  • Bots change IPs frequently (dynamic addressing), so there is definitely not a 1:1 mapping between unique IPs and infected machines; unique-IP counts over longer windows overstate the size.
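The fallback chain, the defender's pre-registration of daily domains, and the "unique IPs are not machines" caveat above can be modelled in a few dozen lines. The following is an added toy simulation, not Ozdok's code and not FireEye's tooling: the SHA-256-based domain algorithm, the seed, the hard-coded name list, the DNS table, the TEST-NET addresses and the five-bot population are all constructed for illustration (Ozdok's real generator is not reproduced). It shows why a bot that resolves a sinkholed name must keep walking the chain, why the defender's registration window eventually runs out and the herder regains control, and why the sinkhole's multi-day unique-IP total exceeds the true bot count.

```python
"""Toy model: date-seeded DGA, C&C fallback chain, defender sinkhole, and
what a sinkhole log does (and does not) say about botnet size.

Added illustration, not the Ozdok malware or FireEye's tooling. Every
constant below is constructed; the generator is a stand-in, not Ozdok's.
"""
import hashlib
from datetime import date, timedelta

SINKHOLE = "203.0.113.10"    # defender's sinkhole (TEST-NET-3, constructed)
HERDER = "198.51.100.7"      # herder's replacement C&C (TEST-NET-2, constructed)
HARDCODED = ["update-svc.example", "relay-01.example"]  # hypothetical built-in list
SEED = b"toy-dga-seed"       # constructed; a real DGA embeds its own constant
PER_DAY = 3                  # candidate domains generated per calendar day


def dga(day: date, count: int = PER_DAY) -> list[str]:
    """Candidate C&C domains for one day. Anyone holding the algorithm and
    seed (bot, herder, or an analyst who reversed a sample) gets the same list."""
    names = []
    for i in range(count):
        h = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append(f"{h[:12]}.example")
    return names


def precompute(start: date, days: int) -> list[str]:
    """Defender side: every DGA domain for `days` days from `start`, to be
    registered or sinkholed ahead of the bots."""
    return [n for k in range(days) for n in dga(start + timedelta(days=k))]


def bot_find_cnc(day, bot_ip, dns, servers, log):
    """Fallback chain: hard-coded names first, then today's DGA names.
    A name that resolves gets a connection (which the sinkhole logs), but only
    a host that speaks the bot protocol counts as control, so a sinkhole is
    passed over and the bot keeps walking the chain."""
    for stage, names in (("hardcoded", HARDCODED), ("dga", dga(day))):
        for name in names:
            ip = dns.get(name)
            if ip is None:           # NXDOMAIN: taken down or never registered
                continue
            log.append((day, bot_ip, ip, name))
            if servers.get(ip, False):
                return stage, name, ip
    return None


def simulate(start: date, days: int, defender_horizon: int, bots: int = 5):
    """Defender sinkholes the hard-coded names plus the first `defender_horizon`
    days of DGA names; after that the herder registers the first free DGA name
    each day. Bot b changes its IP every b+1 days (a crude stand-in for DHCP
    churn). Returns ({(day, bot): controlling ip or None}, sinkhole log)."""
    dns = {n: SINKHOLE for n in HARDCODED}
    dns.update({n: SINKHOLE for n in precompute(start, defender_horizon)})
    servers = {SINKHOLE: False, HERDER: True}   # sinkhole does not speak the protocol
    log, control = [], {}
    for k in range(days):
        day = start + timedelta(days=k)
        for name in dga(day):                    # herder grabs the first unclaimed name
            if name not in dns:
                dns[name] = HERDER
                break
        for b in range(bots):
            bot_ip = f"192.0.2.{b * 10 + (k // (b + 1)) % 10}"   # constructed churn
            outcome = bot_find_cnc(day, bot_ip, dns, servers, log)
            control[(day, b)] = outcome[2] if outcome else None
    return control, log


def sinkhole_stats(log):
    """What the defender can read off the sinkhole: unique source IPs per day
    and over the whole window. The window total overcounts machines whenever
    bots change address, which is the caveat in the notes above."""
    per_day, all_ips = {}, set()
    for day, src, dst, _ in log:
        if dst != SINKHOLE:
            continue
        per_day.setdefault(day, set()).add(src)
        all_ips.add(src)
    return {d: len(s) for d, s in per_day.items()}, len(all_ips)


if __name__ == "__main__":
    start = date(2009, 11, 1)                   # constructed start date
    control, log = simulate(start, days=5, defender_horizon=3)
    for (day, b), ip in sorted(control.items()):
        print(day, f"bot{b}", "controlled by", ip or "nobody (sinkholed)")
    per_day, total = sinkhole_stats(log)
    print("unique IPs per day:", {str(d): n for d, n in per_day.items()})
    print("unique IPs over window:", total, "for", 5, "real bots")
```

With a three-day defender horizon, days 0 to 2 leave every bot stuck on the sinkhole; on day 3 the herder registers the first unclaimed name and every bot lands on the new C&C, which is the "win once" problem. The sinkhole sees five distinct IPs each day but thirteen over the five-day window, so the window total is an upper bound, not a head count.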

References

  1. http://blog.fireeye.com/research/2009/11/killing-the-beastpart-4.html
  2. http://www.nytimes.com/2008/10/15/technology/internet/15spam.html?ex=1381809600&en=6c3fc6aa91109527&ei=5124&partner=digg&exprod=digg
  3. http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html