Author Topic: Good Guys Bring Down the Mega-D Botnet  (Read 4427 times)


Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Good Guys Bring Down the Mega-D Botnet
« on: 28. December 2009., 07:36:25 »


Chalk up one for the defenders. Here’s how a trio of security researchers used a three-step attack to defeat a 250,000-pronged botnet.

For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients' networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online: http://blog.fireeye.com/research/2009/06/killing-the-beast.html
In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down.

Targeting Controllers

Mushtaq and two FireEye colleagues went after Mega-D's command infrastructure. A botnet's first wave of attack uses e-mail attachments, Web-based offensives, and other distribution methods to infect huge numbers of PCs with malicious bot programs.

The bots receive marching orders from online command and control (C&C) servers, but those servers are the botnet's Achilles' heel: Isolate them, and the undirected bots will sit idle. Mega-D's controllers used a far-flung array of C&C servers, however, and every bot in its army had been assigned a list of additional destinations to try if it couldn't reach its primary command server. So taking down Mega-D would require a carefully coordinated attack.

Synchronized Assault

Mushtaq's team first contacted Internet service providers that unwittingly hosted Mega-D control servers; his research showed that most of the servers were based in the United States, with one in Turkey and another in Israel: http://blog.fireeye.com/research/2009/11/killing-the-beastpart-4.html

The FireEye group received positive responses except from the overseas ISPs. The domestic C&C servers went down.

Next, Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D's existing domain names to nowhere. By cutting off the botnet's pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down.

Finally, FireEye and the registrars worked to claim spare domain names that Mega-D's controllers listed in the bots' programming. The controllers intended to register and use one or more of the spare domains if the existing domains went down--so FireEye picked them up and pointed them to "sinkholes" (servers it had set up to sit quietly and log efforts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers: http://blog.fireeye.com/research/2009/11/checking-in-with-the-ozdok-sinkhole.html

Down Goes Mega-D

MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had "consistently been in the top 10 spam bots" for the previous year: http://www.symantec.com/connect/blogs/mega-d-aka-ozdok-crippled
The botnet's output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw.
Three days later, FireEye's action had reduced Mega-D's market share of Internet spam to less than 0.1 percent, MessageLabs says.

FireEye plans to hand off the anti-Mega-D effort to ShadowServer.org, a volunteer group that will track the IP addresses of infected machines and contact affected ISPs and businesses. Business network or ISP administrators can register for the free notification service: http://www.mail-archive.com/nanog@nanog.org/msg09215.html

Continuing the Battle

Mushtaq recognizes that FireEye's successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. But other botnets continue to thrive.

"FireEye did have a major victory," says Joe Stewart, director of malware research with SecureWorks. "The question is, will it have a long-term impact?"

Like FireEye, Stewart's security company protects client networks from botnets and other threats; and like Mushtaq, Stewart has spent years combating criminal enterprises. In 2009, Stewart outlined a proposal to create volunteer groups dedicated to making botnets unprofitable to run. But few security professionals could commit to such a time-consuming volunteer activity.

"It takes time and resources and money to do this day after day," Stewart says. Other, under-the-radar strikes at various botnets and criminal organizations have occurred, he says, but these laudable efforts are "not going to stop the business model of the spammer."

Mushtaq, Stewart, and other security pros agree that federal law enforcement needs to step in with full-time coordination efforts. According to Stewart, regulators haven't begun drawing up serious plans to make that happen, but Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he's hopeful.

Until that happens, "we're definitely looking to do this again," Mushtaq says. "We want to show the bad guys that we're not sleeping."

(PCW)
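The article describes FireEye estimating the botnet's size from sinkhole check-in logs. The script below is an added illustration of that defender-side step, not FireEye's code or data: it parses constructed check-in lines (timestamp, client IP, requested host), discards junk, and counts unique client IPs per day and overall, since a bot that retries its check-in dozens of times must count once. The log format and all IP addresses are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log (not real Mega-D data), one check-in per line:
# "timestamp client_ip requested_host". Repeated check-ins and a junk line
# are included on purpose to show the deduplication and skip behaviour.
SAMPLE_LOG = """\
2009-11-06T00:01:12Z 198.51.100.7 sinkhole-a.example
2009-11-06T00:01:15Z 198.51.100.7 sinkhole-a.example
2009-11-06T03:22:40Z 203.0.113.9 sinkhole-b.example
2009-11-06T23:59:59Z 192.0.2.44 sinkhole-a.example
2009-11-07T00:00:03Z 198.51.100.7 sinkhole-b.example
2009-11-07T12:30:00Z 192.0.2.45 sinkhole-a.example
malformed line that should be skipped
"""

# Assumed line layout: ISO-8601 UTC timestamp, dotted-quad IPv4, hostname.
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def parse_checkins(log_text):
    """Yield (date, ip, host) for each well-formed check-in line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # sinkholes receive plenty of noise; skip rather than crash
        ts, ip, host = m.groups()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        yield day, ip, host


def estimate_botnet(log_text):
    """Return (unique IPs overall, {day: unique IPs that day}).

    Unique client IPs per day is the usual proxy for infected hosts; it is
    a rough figure because NAT hides hosts and DHCP churn inflates counts.
    """
    per_day = defaultdict(set)
    for day, ip, _host in parse_checkins(log_text):
        per_day[day].add(ip)
    all_ips = set().union(*per_day.values()) if per_day else set()
    return len(all_ips), {d.isoformat(): len(s) for d, s in per_day.items()}


if __name__ == "__main__":
    total, daily = estimate_botnet(SAMPLE_LOG)
    print(f"unique bots seen: {total}")
    for day in sorted(daily):
        print(f"  {day}: {daily[day]}")
```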


haz

  • SCF Advanced Member
  • ***
  • Posts: 117
  • KARMA: 26
  • Gender: Male
Re: Good Guys Bring Down the Mega-D Botnet
« Reply #1 on: 30. December 2009., 11:46:03 »
Bravo! Thanks for the great news :)

hazedaze

  • SCF VIP Member
  • *****
  • Posts: 85
  • KARMA: 19
  • Gender: Male
Re: Good Guys Bring Down the Mega-D Botnet
« Reply #2 on: 31. December 2009., 10:46:47 »
Nice, nice guys, I wanna see more of this, I hate spam and spammers!!! ;D

fireballgonzales

  • SCF Member
  • **
  • Posts: 24
  • KARMA: 7
Re: Good Guys Bring Down the Mega-D Botnet
« Reply #3 on: 05. January 2010., 15:27:53 »
And the good guys chalk one up against the Bots :)

stellamary

  • SCF Newbie
  • *
  • Posts: 1
  • KARMA: 0
Re: Good Guys Bring Down the Mega-D Botnet
« Reply #4 on: 06. January 2010., 07:32:35 »
I am a beginner on this thread... But I like this post. I hope to learn as much as possible from your posts and also from mine. :thumbsup:


