Shadowserver to Take Over as Mega-D Botnet Herder
An effort is underway to clean up tens of thousands of computers infected with malicious software known for churning out thousands of spam messages per hour.
The infected computers are part of a botnet called Ozdok or Mega-D, which at one time was sending out around 4 percent of the world's spam messages.
Last week, security vendor FireEyelaunched a drive to dismantle the botnet. The infected computers receive instructions and information for new spam campaigns through command-and-control servers. FireEye contacted network providers which hosted those servers, and most were shut down.
That meant that the people controlling the hacked PCs, known as botnet herders, couldn't contact most of their bots anymore. Spam from Mega-D almost stopped entirely. FireEye also cut off a second redundancy mechanism the herders programmed into Mega-D.
If the infected machines can't contact a command-and-control server, they're programmed with an algorithm that will generate a random domain name and try to contact that domain daily. The herders know what this domain will be and can upload new instructions there.
If those infected machines get new instructions, it likely means FireEye will lose control and have to start over again to try and shut Mega-D down. FireEye has been registering those domains to prevent the botnet herders from regaining control.
But FireEye has now handed control of those bots over to Shadowserver, a volunteer-run organization that tracks botnets.
Shadowserver has taken over the administration of a "sinkhole," or a computer running custom software that acts as a command-and-control server that the Mega-D bots will call on, said Andre' M. DiMino, Shadowserver's co-founder.
Shadowserver is now in the process of identifying individual computers infected with Mega-D and then contacting the service providers for those infected hosts. The goal is to have those service providers contact the owners of those computers and ask them to run an antivirus scan in order to remove the infection and eradicate Mega-D.
"It's certainly a challenge for the ISPs to work down to the subscriber level, and we understand that," DiMino said. "The best we do at this point is get as granular in identification as we can for the ISP to help them. Ideally the goal is to clean up the infected machine."
Shadowserver regularly sends out a free list of infected machines to service providers, but identifying machines isn't easy. Corporate networks often only show one external IP (Internet protocol) address for hundreds of users, and ISPs will assign different IP addresses to PCs as users turn on and off their computers, DiMino said.
Fixing those computers could be a slow process, as it's estimated that up to 500,000 computers around the world are infected with Mega-D, and it's not by any means the largest botnet. Conficker, for example, is estimated to have infected up to 7 million machines.
Brazil has 11.5 percent of the total Mega-D infections, followed by India and Vietnam, according to FireEye's blog. DiMino said Shadowserver has strong ties with the Computer Emergency Response Teams around the world, including Brazil's, which can help work with network providers.
Even if Mega-D can't be completely killed off, "sometimes disruption is more realistic," DiMino said.
"We'll see what the effect is," he said. "The jury is still out."