
Network of Mega-D Botnet Shutdown

As per the news published in INQUIRER on December 29, 2009, Atif Mushtaq (a security researcher) claimed he had found a method of destroying the Mega-D botnet.

While working for FireEye, Mushtaq had been trying to defend the computers of his organization's clients from Mega-D for two years (2008 and 2009).

PC World reports that the researcher executed a plan consisting of three stages to attack the botnet and disable all its 250,000 infected PCs.

Mushtaq targeted the command-and-control (C&C) servers of the botnet, which instructed the PCs to execute the spam campaigns on behalf of Mega-D's owners, according to PC World.

Moreover, during the attack, Mushtaq was able to collect information that shed light on the servers' whereabouts. He found that the majority of the bots were based in the USA, while one each was located in Israel and Turkey.

Following this, Mushtaq and his organization got in touch with the domain-name registrars that held the records of the Mega-D C&C servers' domain names. This was done to isolate the domain name group so that the infected PCs would fail to connect to the servers affiliated with Mega-D. Incidentally, the foreign ISPs hosting the servers refused to take them down.

The end result of the isolation was quite astonishing. There was a frantic rush to register the previously unregistered URL addresses that Mega-D's controllers had listed. The same approach was used to overcome and control the Conficker virus during March 2009.

The logic, according to Mushtaq and his organization, was that they would collect the domain names and eventually sink them.

MessageLabs stated that Mega-D had made it to the Top Ten Spam Bots List in 2008.

According to the company, Mega-D was responsible for 11.8% of total spam on November 1, 2009. Subsequently, Mushtaq's efforts helped reduce Mega-D's spam to 0.1% or even less.

Info Security comments that although Mega-D's defeat has led to a substantial fall in global junk e-mail, cyber criminals will quickly resume their operations, albeit in a different format. According to the firm, the Rustock botnet, which the malicious ISP McColo formerly hosted, continues to be largely prevalent.


» SPAMfighter News - 1/5/2010
