Mega-D Spam Botnet Disabled

« Cameroon Domains (.cm) Most Likely to Host Malware | Main | Trojan in So-Called Windows 7 Compatibility Checker »


Mega-D Spam Botnet Disabled

Kevin R. Smith

Score 1 for the good guys!

PCWorld bring news of how security company FireEye brought down the Mega-D Botnet, one of the most notorious spam spewing botnets to date.

Atif Mushtaq, a FireEye researcher, spent two years working to keep their clients' networks free of the dreaded malware, and in doing so,

"...he learned how its controllers operated it.

"Last June, he began publishing his findings online.

"In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down."

Obviously, taking on something of this scope isn't a small task, and according to the piece at PCWorld, Mushtaq and two colleagues began their efforts by going after the Mega-D command infrastructure in an effort to prevent the botnet from getting--or issuing--further instructions to the PCs that had been infected with their malware.

The story of how these guys took on Mega-D really is pretty incredible. They began by contacting the ISPs that hosted the botnet servers. It's easy for some to blame the ISPs hosting the servers, but the reality is that in large ISPs and datacenters, the datacenters know little about what happens on their servers. How can they?

As far as most datacenter owners are concerned, their customers are good customers, hosting legitimate websites. Setting up a legitimate website--or many--is easy cover for the malware operators: show the datacenter staff the legit sites and then secretly also host your bad stuff at the same place.

It's not rocket science.

So, having contacted the ISPs, which Mushtaq's research showed were mostly based in the United States, with one in Turkey and another in Israel.

For unknown reasons the foreign ISPs declined to take down the servers, but those in the U.S. complied.

Given the lack of cooperation from the foreign ISPs, they took another approach and contacted the domain registrars, which agreed to point Mega-D's existing domain names to nowhere.

Given that most registrars remain neutral in things like this, this was quite a win, and it meant,

"By cutting off the botnet's pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down."

The last part was getting the rest of the domains that Mega-D had queued to use, which the registrars then pointed to FireEye's servers so the good guys could then assume control of the botnet's last-ditch command-and-control efforts.

According to logs setup on the FireEye servers, they estimated that the botnet consisted of about 250,000 Mega-D-infected computers.

As for what this all means in the big picture, it means a few things:

  1. Botnets aren't impervious to being taken down
  2. Cooperation from ISPs, and ultimately domain registrars, too, can be a critial component in shutting down these botnets
  3. Wresting control from the malware operators is a tough job, and even given their diligent efforts, it was a long, hard task to do
  4. In addition to keeping your PC and your software patched, there's no substitute for having the best antivirus firewall software installed and running, since Internet security suites can prevent many infections in the first place and clean-up your computer if you're already infected.

And, as for what it means to've taken down Mega-D,

"MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had 'consistently been in the top 10 spam bots' for the previous year (

"The botnet's output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw.

"Three days later, FireEye's action had reduced Mega-D's market share of Internet spam to less than 0.1 percent, MessageLabs says."

All-in-all, it's good news--and a good day--for those of us who hate spam and for those of us who're trying to keep our PCs free of viruses, trojans, worms, and any other malware.


You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.