Mega-D Spam Botnet Disabled

Score 1 for the good guys!

PCWorld brings news of how security company FireEye brought down the Mega-D botnet, one of the most notorious spam-spewing botnets to date.

Atif Mushtaq, a FireEye researcher, spent two years working to keep their clients' networks free of the dreaded malware, and in doing so,

"...he learned how its controllers operated it.

"Last June, he began publishing his findings online.

"In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down."

Obviously, taking on something of this scope isn't a small task, and according to the piece at PCWorld, Mushtaq and two colleagues began their efforts by going after the Mega-D command infrastructure in an effort to prevent the botnet from getting--or issuing--further instructions to the PCs that had been infected with their malware.

The story of how these guys took on Mega-D really is pretty incredible. They began by contacting the ISPs that hosted the botnet servers. It's easy for some to blame the ISPs hosting the servers, but the reality is that large ISPs and datacenters know little about what happens on their customers' servers. How can they?

As far as most datacenter owners are concerned, their customers are good customers, hosting legitimate websites. Setting up a legitimate website--or many--is easy cover for the malware operators: show the datacenter staff the legit sites and then secretly also host your bad stuff at the same place.

It's not rocket science.

So they contacted the ISPs, which Mushtaq's research showed were mostly based in the United States, with one in Turkey and another in Israel.

For unknown reasons the foreign ISPs declined to take down the servers, but those in the U.S. complied.

Given the lack of cooperation from the foreign ISPs, they took another approach and contacted the domain registrars, which agreed to point Mega-D's existing domain names to nowhere.

Given that most registrars remain neutral in things like this, this was quite a win, and it meant,

"By cutting off the botnet's pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down."

The last part was getting the rest of the domains that Mega-D had queued to use, which the registrars then pointed to FireEye's servers so the good guys could assume control of the botnet's last-ditch command-and-control efforts.

According to logs set up on the FireEye servers, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
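Pointing the botnet's reserve domains at servers the defenders control is a sinkhole, and the population estimate above is the kind of number a sinkhole's logs give you: count the distinct hosts that check in. The Python below is an added example, not FireEye's code or data; it parses constructed Apache-style access-log lines (the log format, the /cmd path and the addresses are all assumed) and counts distinct source addresses per day and overall.

```python
"""Estimate a sinkholed botnet's population from web-server access logs.

Added example: the log lines below are constructed for illustration and the
Apache "combined" format, the /cmd path and the addresses are assumptions.
"""
import re
from collections import defaultdict

# Matches the client address and the day portion of the timestamp in an
# Apache-style access-log line; anything else is treated as noise.
LOG_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ "
    r"\[(?P<day>\d{2}/[A-Za-z]{3}/\d{4}):"
)

# Constructed sample of what a sinkhole might record: one bot checking in
# twice on the same day, one line the parser must skip, and a bot that
# reappears the next day.
SINKHOLE_LOG = """\
10.1.2.3 - - [04/Nov/2009:10:12:01 +0000] "GET /cmd HTTP/1.1" 200 12 "-" "-"
10.1.2.3 - - [04/Nov/2009:10:42:07 +0000] "GET /cmd HTTP/1.1" 200 12 "-" "-"
10.9.8.7 - - [04/Nov/2009:11:00:00 +0000] "GET /cmd HTTP/1.1" 200 12 "-" "-"
garbage line that does not parse
172.16.5.5 - - [05/Nov/2009:00:01:30 +0000] "GET /cmd HTTP/1.1" 200 12 "-" "-"
10.1.2.3 - - [05/Nov/2009:09:15:00 +0000] "GET /cmd HTTP/1.1" 200 12 "-" "-"
"""


def parse_line(line):
    """Return (client_ip, day) for a well-formed line, or None for noise."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return match.group("ip"), match.group("day")


def bots_per_day(lines):
    """Map each day to the set of distinct client addresses seen that day.

    Also returns how many lines were skipped, so a sudden jump in skipped
    lines (a log-format change, a probe filling the log) is visible.
    """
    per_day = defaultdict(set)
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        ip, day = parsed
        per_day[day].add(ip)
    return dict(per_day), skipped


def estimate_population(lines):
    """Distinct client addresses across the whole log."""
    per_day, _ = bots_per_day(lines)
    if not per_day:
        return 0
    return len(set().union(*per_day.values()))


if __name__ == "__main__":
    per_day, skipped = bots_per_day(SINKHOLE_LOG.splitlines())
    for day in sorted(per_day):
        print(f"{day}: {len(per_day[day])} distinct bots")
    print(f"overall: {estimate_population(SINKHOLE_LOG.splitlines())} distinct bots, {skipped} unparsed lines")
```

Two caveats apply to any such count: dynamic addressing makes one bot appear as several addresses over a few days (overcounting), while many bots behind one NAT gateway appear as a single address (undercounting), so the per-day figure is usually the more honest one.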

As for what this all means in the big picture, it means a few things:

  1. Botnets aren't impervious to being taken down
  2. Cooperation from ISPs, and ultimately domain registrars, too, can be a critical component in shutting down these botnets
  3. Wresting control from the malware operators is a tough job, and even given their diligent efforts, it was a long, hard task to do
  4. In addition to keeping your PC and your software patched, there's no substitute for having the best antivirus firewall software installed and running, since Internet security suites can prevent many infections in the first place and clean up your computer if you're already infected.

And, as for what it means to have taken down Mega-D,

"MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had 'consistently been in the top 10 spam bots' for the previous year (find.pcworld.com/64165).

"The botnet's output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw.

"Three days later, FireEye's action had reduced Mega-D's market share of Internet spam to less than 0.1 percent, MessageLabs says."

All-in-all, it's good news--and a good day--for those of us who hate spam and for those of us who're trying to keep our PCs free of viruses, trojans, worms, and any other malware.


Cameroon Domains (.cm) Most Likely to Host Malware

An interesting post yesterday on malware statistics at The Register caught my eye: more than one in three (36.7 per cent) of the domains registered in the West African country host viruses or malicious code.

Cameroon domains are those that end in .cm and are easily arrived at as keyboard typos.

Imagine you've just meant to go to: www.example.com

Instead though, you've just typed: www.example.cm

That missing 'o' in .com in millions of domain names will take you to a different site than the one you intended, and in this case the .cm domain extension belongs to domains that are supposed to be sites in and of Cameroon.

This little typo, according to a report called, "Mapping the Mal Web, The World's Riskiest Domains," [.pdf] by McAfee, Inc., makers of McAfee Antivirus,

"may explain why cybercriminals have set up fake typo-squatting sites that lead to malicious downloads or spyware under the country's domain."

It doesn't take a rocket scientist to figure this one out. Such an easy typo and a country not known for Internet security are all it takes to ensnare many unsuspecting computer users.

By setting up a bogus site at domains ending in .cm, the malware and virus writers are easily able to get people to visit their servers that host scripts that can automatically infect your computer with a virus, trojan, keylogger, or other malware.
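The .cm trick is one instance of a general pattern: a registered name that is one dropped character away from a name people actually mean to type. The Python below is an added example, not part of The Register's or McAfee's material; it generates every single-character-omission variant of a domain you own and flags observed hostnames (the list here is constructed, standing in for a proxy log or a passive-DNS feed) that match one, noting whether the omission fell in the label or in the extension. It goes slightly beyond the post's .cm case by covering omissions anywhere in the name, not just in the extension.

```python
"""Flag observed hostnames that are one-character omissions of a domain you own.

Added example. The OBSERVED list is constructed for illustration; in practice
it would come from a web-proxy log, a passive-DNS feed or a registrar watch list.
"""


def omission_variants(domain):
    """Return every string formed by deleting exactly one character of domain.

    'example.com' yields 'xample.com', ..., 'example.cm' (the .cm case from
    the post) and 'example.co'. The dot is never deleted, because the result
    would not be a separate registrable name.
    """
    variants = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue
        variants.add(domain[:i] + domain[i + 1:])
    return variants


def find_typosquats(legit_domain, observed):
    """Return sorted (hostname, where) pairs for observed names that are
    one-omission typos of legit_domain; where is 'tld' if the extension
    differs from the legitimate one, else 'label'.
    """
    legit = legit_domain.lower()
    legit_tld = legit.rsplit(".", 1)[-1]
    variants = omission_variants(legit)
    hits = []
    for host in observed:
        h = host.lower()
        if h not in variants:
            continue
        where = "tld" if h.rsplit(".", 1)[-1] != legit_tld else "label"
        hits.append((h, where))
    return sorted(hits)


# Constructed sample: the exact name, the .cm typo, a transposition (not an
# omission, so not flagged here), a dropped 'm', a dropped 'p' and a subdomain.
OBSERVED = [
    "www.example.com",
    "example.cm",
    "exmaple.com",
    "example.co",
    "examle.com",
    "evil.example.cm",
]

if __name__ == "__main__":
    for host, where in find_typosquats("example.com", OBSERVED):
        print(f"{host}: omission in {where}")
```

The 'tld' class is the one the post is about: those names resolve to a completely different registry, so a company can only defensively register them or block them at its own resolver, whereas 'label' typos under its own extension can at least be contested with the registrar.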

Unless you're highly technically competent and can set up your own DNS server, the only practical solution for most consumers is to do all of the following:

1. Keep your computer patched.
A PC with the latest Microsoft Windows updates is significantly harder to infect than an unpatched computer.

2. Don't run as Administrator (or with Administrator privileges).
Running with a user account that has lower permissions makes it harder for some viruses and malware to infect your machine.

In contrast, when you run with Admin privileges, you're giving the edge to the viruses, as your account has all the permissions they need to infect your machine, hide themselves, and become even harder to remove.

3. Check your web browser's security settings.
Sometimes, regardless of whether you're running Internet Explorer, Firefox, or Opera, the default permissions can get in the way of what you need to do when you're web surfing.

Because of this, you may have altered the default permissions to looser ones that can make it easier--or even possible--for these types of malware attacks to succeed.

4. Run antivirus firewall software.
Internet security software, including a firewall, antivirus software, and antispyware can help prevent the malware scripts from infecting your machine.

The piece did have some positive news... it looks like Hong Kong is taking things seriously on the virus and malware front:

"Hong Kong (.hk) websites have successfully managed to purge themselves of malware threats – dropping from the most risky domain last year, to a mid-table (34th) position next year.

"This year only 1.1 per cent of .hk sites pose a risk, compared to one in five .hk Web sites setting off warning bells in McAfee's equivalent report last year.

"McAfee credits 'aggressive measures' from .hk’s domain managers in clamping down on dodgy registrations for the drop."

Hats off to the domain registrars in Hong Kong.

Top 10 Riskiest Top Level Domain Extensions [1]

Rank  Country / Name        Extension
  1   Cameroon              .cm
  2   Commercial            .com
  3   China                 .cn
  4   Samoa                 .ws
  5   Information           .info
  6   Philippines           .ph
  7   Network               .net
  8   Former Soviet Union   .su
  9   Russia                .ru
 10   Singapore             .sg

[1] Data originally published in McAfee's "Mapping the Mal Web, The World's Riskiest Domains," [.pdf]