Shadowserver to take over as Mega-D botnet herder

After seizing control of a spam-spewing botnet, FireEye hands the keys to the botnet gurus

An effort is underway to clean up tens of thousands of computers infected with malicious software known for churning out thousands of spam messages per hour.

The infected computers are part of a botnet called Ozdok or Mega-D, which at one time was sending out around 4 percent of the world's spam messages.

Last week, security vendor FireEyelaunched a drive to dismantle the botnet. The infected computers receive instructions and information for new spam campaigns through command-and-control servers. FireEye contacted network providers which hosted those servers, and most were shut down.

That meant that the people controlling the hacked PCs, known as botnet herders, couldn't contact most of their bots anymore. Spam from Mega-D almost stopped entirely. FireEye also cut off a second redundancy mechanism the herders programmed into Mega-D.

If the infected machines can't contact a command-and-control server, they're programmed with an algorithm that will generate a random domain name and try to contact that domain daily. The herders know what this domain will be and can upload new instructions there.

If those infected machines get new instructions, it likely means FireEye will lose control and have to start over again to try and shut Mega-D down. FireEye has been registering those domains to prevent the botnet herders from regaining control.

But FireEye has now handed control of those bots over to Shadowserver, a volunteer-run organization that tracks botnets.

Shadowserver has taken over the administration of a "sinkhole," or a computer running custom software that acts as a command-and-control server that the Mega-D bots will call on, said Andre' M. DiMino, Shadowserver's co-founder.

Shadowserver is now in the process of identifying individual computers infected with Mega-D and then contacting the service providers for those infected hosts. The goal is to have those service providers contact the owners of those computers and ask them to run an antivirus scan in order to remove the infection and eradicate Mega-D.

"It's certainly a challenge for the ISPs to work down to the subscriber level, and we understand that," DiMino said. "The best we do at this point is get as granular in identification as we can for the ISP to help them. Ideally the goal is to clean up the infected machine."

Shadowserver regularly sends out a free list of infected machines to service providers, but identifying machines isn't easy. Corporate networks often only show one external IP (Internet protocol) address for hundreds of users, and ISPs will assign different IP addresses to PCs as users turn on and off their computers, DiMino said.

Fixing those computers could be a slow process, as it's estimated that up to 500,000 computers around the world are infected with Mega-D, and it's not by any means the largest botnet. Conficker, for example, is estimated to have infected up to 7 million machines.

Brazil has 11.5 percent of the total Mega-D infections, followed by India and Vietnam, according to FireEye's blog. DiMino said Shadowserver has strong ties with the Computer Emergency Response Teams around the world, including Brazil's, which can help work with network providers.

Even if Mega-D can't be completely killed off, "sometimes disruption is more realistic," DiMino said.

"We'll see what the effect is," he said. "The jury is still out."

Tags botnetsmega-d

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?