Shadowserver to take over as Mega-D botnet herder

After seizing control of a spam-spewing botnet, FireEye hands the keys to the botnet gurus

An effort is underway to clean up tens of thousands of computers infected with malicious software known for churning out thousands of spam messages per hour.

The infected computers are part of a botnet called Ozdok or Mega-D, which at one time was sending out around 4 percent of the world's spam messages.

Last week, security vendor FireEyelaunched a drive to dismantle the botnet. The infected computers receive instructions and information for new spam campaigns through command-and-control servers. FireEye contacted network providers which hosted those servers, and most were shut down.

That meant that the people controlling the hacked PCs, known as botnet herders, couldn't contact most of their bots anymore. Spam from Mega-D almost stopped entirely. FireEye also cut off a second redundancy mechanism the herders programmed into Mega-D.

If the infected machines can't contact a command-and-control server, they're programmed with an algorithm that will generate a random domain name and try to contact that domain daily. The herders know what this domain will be and can upload new instructions there.

If those infected machines get new instructions, it likely means FireEye will lose control and have to start over again to try and shut Mega-D down. FireEye has been registering those domains to prevent the botnet herders from regaining control.

But FireEye has now handed control of those bots over to Shadowserver, a volunteer-run organization that tracks botnets.

Shadowserver has taken over the administration of a "sinkhole," or a computer running custom software that acts as a command-and-control server that the Mega-D bots will call on, said Andre' M. DiMino, Shadowserver's co-founder.

Shadowserver is now in the process of identifying individual computers infected with Mega-D and then contacting the service providers for those infected hosts. The goal is to have those service providers contact the owners of those computers and ask them to run an antivirus scan in order to remove the infection and eradicate Mega-D.

"It's certainly a challenge for the ISPs to work down to the subscriber level, and we understand that," DiMino said. "The best we do at this point is get as granular in identification as we can for the ISP to help them. Ideally the goal is to clean up the infected machine."

Shadowserver regularly sends out a free list of infected machines to service providers, but identifying machines isn't easy. Corporate networks often only show one external IP (Internet protocol) address for hundreds of users, and ISPs will assign different IP addresses to PCs as users turn on and off their computers, DiMino said.

Fixing those computers could be a slow process, as it's estimated that up to 500,000 computers around the world are infected with Mega-D, and it's not by any means the largest botnet. Conficker, for example, is estimated to have infected up to 7 million machines.

Brazil has 11.5 percent of the total Mega-D infections, followed by India and Vietnam, according to FireEye's blog. DiMino said Shadowserver has strong ties with the Computer Emergency Response Teams around the world, including Brazil's, which can help work with network providers.

Even if Mega-D can't be completely killed off, "sometimes disruption is more realistic," DiMino said.

"We'll see what the effect is," he said. "The jury is still out."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags botnetsmega-d

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?