Shadowserver to take over as Mega-D botnet herder

After seizing control of a spam-spewing botnet, FireEye hands the keys to the botnet gurus

An effort is underway to clean up tens of thousands of computers infected with malicious software known for churning out thousands of spam messages per hour.

The infected computers are part of a botnet called Ozdok or Mega-D, which at one time was sending out around 4 percent of the world's spam messages.

Last week, security vendor FireEye launched a drive to dismantle the botnet. The infected computers receive instructions and information for new spam campaigns through command-and-control servers. FireEye contacted the network providers that hosted those servers, and most were shut down.

That meant that the people controlling the hacked PCs, known as botnet herders, couldn't contact most of their bots anymore. Spam from Mega-D almost stopped entirely. FireEye also cut off a second redundancy mechanism the herders programmed into Mega-D.

If the infected machines can't contact a command-and-control server, they're programmed with an algorithm that will generate a random domain name and try to contact that domain daily. The herders know what this domain will be and can upload new instructions there.

If those infected machines get new instructions, it likely means FireEye will lose control and have to start over again to try and shut Mega-D down. FireEye has been registering those domains to prevent the botnet herders from regaining control.

But FireEye has now handed control of those bots over to Shadowserver, a volunteer-run organization that tracks botnets.

Shadowserver has taken over the administration of a "sinkhole," or a computer running custom software that acts as a command-and-control server that the Mega-D bots will call on, said Andre' M. DiMino, Shadowserver's co-founder.

Shadowserver is now in the process of identifying individual computers infected with Mega-D and then contacting the service providers for those infected hosts. The goal is to have those service providers contact the owners of those computers and ask them to run an antivirus scan in order to remove the infection and eradicate Mega-D.

"It's certainly a challenge for the ISPs to work down to the subscriber level, and we understand that," DiMino said. "The best we do at this point is get as granular in identification as we can for the ISP to help them. Ideally the goal is to clean up the infected machine."

Shadowserver regularly sends out a free list of infected machines to service providers, but identifying machines isn't easy. Corporate networks often only show one external IP (Internet protocol) address for hundreds of users, and ISPs will assign different IP addresses to PCs as users turn on and off their computers, DiMino said.
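As an added illustration (not code from the article, FireEye or Shadowserver), the following Python script turns constructed sinkhole connection records into per-provider notification lists. It keeps first-seen and last-seen timestamps per address, because a dynamically assigned IP only identifies a subscriber together with the time it was observed, and it counts repeat callbacks, since one corporate NAT address may stand for many infected hosts. The prefix-to-provider table, provider names and request path are all made up for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole hits (not real Mega-D data):
# timestamp, source address, path the bot requested.
SINKHOLE_LOG = """\
2009-11-16T08:01:12Z 198.51.100.23 /mega/cmd
2009-11-16T08:01:40Z 198.51.100.23 /mega/cmd
2009-11-16T09:15:02Z 203.0.113.77 /mega/cmd
2009-11-17T02:44:19Z 203.0.113.77 /mega/cmd
2009-11-17T03:05:00Z 192.0.2.9 /mega/cmd
2009-11-17T03:06:10Z 198.51.100.23 /mega/cmd
"""

# Constructed mapping of announced prefixes to the provider to notify.
# In practice this comes from routing/WHOIS data, not a hard-coded table.
PROVIDER_PREFIXES = {
    "198.51.100.0/24": "isp-a.example",
    "203.0.113.0/24": "isp-b.example",
}


def provider_for(ip):
    """Return the provider responsible for an address, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for prefix, name in PROVIDER_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return name
    return "unknown"


def build_notifications(log_text):
    """Group sinkhole hits by provider.

    Returns {provider: [(ip, first_seen, last_seen, hits), ...]}.
    The timestamps let an ISP with dynamic addressing map the address
    back to a subscriber; a high hit count on one address hints at NAT.
    """
    seen = {}
    for line in log_text.splitlines():
        ts, ip, _path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        first, last, hits = seen.get(ip, (when, when, 0))
        seen[ip] = (min(first, when), max(last, when), hits + 1)
    report = defaultdict(list)
    for ip, (first, last, hits) in sorted(seen.items()):
        report[provider_for(ip)].append(
            (ip, first.isoformat(), last.isoformat(), hits))
    return dict(report)
```

Addresses that fall outside every known prefix land under "unknown" so they are not silently dropped from the clean-up list.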

Fixing those computers could be a slow process, as it's estimated that up to 500,000 computers around the world are infected with Mega-D, and it's not by any means the largest botnet. Conficker, for example, is estimated to have infected up to 7 million machines.

Brazil has 11.5 percent of the total Mega-D infections, followed by India and Vietnam, according to FireEye's blog. DiMino said Shadowserver has strong ties with the Computer Emergency Response Teams around the world, including Brazil's, which can help work with network providers.

Even if Mega-D can't be completely killed off, "sometimes disruption is more realistic," DiMino said.

"We'll see what the effect is," he said. "The jury is still out."

Jeremy Kirk

IDG News Service