Finally, Chalk One Up For The Good Guys!!!!

In this day and age, we seem to read every day about how we are losing the battle against spam, malware, and fraud on the internet. Between the FBI’s investigation into allegations that Citicorp’s system was hacked to the tune of tens of millions (something that Citicorp denies) and the hijacking of personal pages on social networking sites like Facebook that results in identity theft, it is nice to finally read about a success story. Well, here is one of those successes.

In November 2009, FireEye Inc. successfully shut down one of the most notorious and nefarious botnets on the internet to date. For more information regarding “Botnets”, click HERE. In its heyday, the Mega-D botnet (aka Ozdok) was responsible for up to 15% of the spam that infests our inboxes on a daily basis. This literally equates to millions upon millions of spam messages being sent daily by this one botnet. Here is a blow-by-blow account of how FireEye succeeded in the takedown.

For two years, FireEye researcher Atif Mushtaq had been researching new ways to keep malware from infecting networks. During this research, he obtained crucial information about how the botnet controllers, known as “Command & Control” (C&C) servers, actually functioned. This was the turning point: in November, the defensive posture that had been taken against these huge botnets was suddenly changed to an offensive one.

With the cooperation of Internet Service Providers (ISPs) located in the U.S., who were unknowingly hosting the C&C servers that the “zombie” computers connected to in order to receive new commands, FireEye was able to redirect those connections and effectively point them to “nowhere”. So when the “zombie” computers tried to connect to their master, they could not. Note that two overseas ISPs, one in Israel and one in Turkey, did not cooperate in the siege.

Next, FireEye contacted the domain registrars in order to obtain the IP addresses for these C&C servers. With this pertinent information, FireEye was then able to see any and all alternative addresses that were written into the botnet’s code. These alternative domains were set up as a backup, should the zombie computers be unable to contact the primary C&C servers. Remember, the infected computers could no longer “phone home” thanks to the ISPs’ cooperation. With these alternative domain names and IP addresses in hand, FireEye was then able to create what is known as a “sinkhole”. Basically, they could then monitor the attempted incoming connections from the “zombie” computers without those computers ever reaching the real C&C. By reviewing the log files from these transmissions, FireEye was able to determine that this botnet was an army of over 250,000 infected computers, with each zombie computer capable of sending up to 15,000 spam messages per hour. Mega-D certainly was most capable.
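As an added example (not from the original post and not FireEye’s own tooling), here is a small Python script that does the kind of log review described above: it parses constructed sinkhole log lines, counts distinct bot IPs rather than raw connection attempts, and shows which fallback domains the bots are actually trying. The log format, hostnames and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sinkhole log lines (not real Mega-D traffic):
# timestamp, source IP of the bot, and the backup C&C hostname it asked for.
SINKHOLE_LOG = """\
2009-11-06T08:00:01Z 198.51.100.23 backup1.example.invalid
2009-11-06T08:00:02Z 203.0.113.9 backup1.example.invalid
2009-11-06T08:00:05Z 198.51.100.23 backup2.example.invalid
2009-11-06T08:01:10Z 192.0.2.77 backup2.example.invalid
2009-11-06T08:01:11Z 203.0.113.9 backup1.example.invalid
2009-11-06T08:02:00Z malformed line here
2009-11-06T09:15:30Z 192.0.2.78 backup1.example.invalid
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>[\w.-]+)$"
)

def parse_sinkhole_log(text):
    """Yield (timestamp, ip, host) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("host")

def summarize(text, spam_per_host_per_hour=15000):
    """Estimate the size of the botnet and the spam capacity it represents.

    Each bot keeps retrying, so distinct source IPs are counted, not hits;
    per-domain counts show which fallback names the bots actually use.
    """
    bots = set()
    hits_per_host = defaultdict(int)
    bots_per_host = defaultdict(set)
    for _ts, ip, host in parse_sinkhole_log(text):
        bots.add(ip)
        hits_per_host[host] += 1
        bots_per_host[host].add(ip)
    return {
        "unique_bots": len(bots),
        "hits_per_host": dict(hits_per_host),
        "bots_per_host": {h: len(s) for h, s in bots_per_host.items()},
        # The post's figure: up to 15,000 messages per hour per zombie.
        "max_spam_per_hour": len(bots) * spam_per_host_per_hour,
    }

if __name__ == "__main__":
    for key, value in summarize(SINKHOLE_LOG).items():
        print(f"{key}: {value}")
```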

But not anymore. The day after Mega-D was brought down, its “market share” of total spam messages being sent went from a staggering 15% to less than 0.5%, and even that low number is probably because of the ISPs that did not cooperate in crushing this botnet. Mega-D may try to reassert itself by registering new domains for its C&C servers, but with eyes now on them, it is more likely that the criminals responsible will simply move on and attempt to create a new botnet.

Even so, we now know how to bring these botnets down; however, Mega-D was only the tip of the iceberg. Although a substantial threat, it was neither the most aggressive nor the largest. Finding the resources to knock these botnets off the internet is the real challenge.

The “Good Guys” won this battle, but the war rages on…

What are your thoughts??