Due to the efforts of a small security start-up

Nov 10, 2009 13:12 GMT

One of the Internet's most notorious spam botnets, Mega-D, has been severely crippled by researchers from a small security company. The blow was delivered late last week, and the millions of junk emails the botnet spewed out every hour stopped almost immediately.

Mega-D, also known as Ozdok, is a botnet used primarily for sending spam. At its peak it was credited with as much as one third of all daily spam traffic. Spam analysts at M86 Security note that a single Mega-D bot can send as many as 15,000 junk emails per hour.

At the beginning of the month, FireEye, a security start-up based in Milpitas, CA, published an in-depth analysis of Mega-D and its command and control (C&C) infrastructure. FireEye's researchers explained that the botnet had several fallback mechanisms in place for the case that its primary C&C servers went down.

Some of these were probably added by the botnet's creators after it was seriously disrupted by the depeering of the rogue hosting company McColo last year. The FireEye analysis, however, revealed weaknesses in how these fallback mechanisms were implemented, prompting the researchers to try to exploit them.

According to Atif Mushtaq, a security researcher with the company, this was done in a coordinated manner. "The research team here worked in multiple directions simultaneously. The purpose was to work against all the fallback mechanisms so fast that bot herders wouldn't get a chance to counter-react," he explains.

The effort involved sending abuse notifications to the ISPs that were unknowingly hosting the botnet's C&C servers, asking the registrars of the domains in use to suspend them, and registering in advance the fallback domain names produced by the domain-generation algorithm hardcoded into the malware, so that bots falling back to those names would reach FireEye's servers rather than the herders'. The plan appears to have paid off, and the Mega-D operators took quite a beating.
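The pre-registration step above only works because a date-seeded domain-generation algorithm is deterministic: anyone who has reverse-engineered it can compute tomorrow's domains today and register them first. The following is an added example, not FireEye's code and not Mega-D's real algorithm (which this page does not describe); the seed, TLD rotation, number of domains per day and the SHA-256 construction are all hypothetical stand-ins. It generates the fallback domains for a range of dates and produces the queue a takedown team would hand to a registrar.

```python
"""Pre-computing a date-seeded DGA's fallback domains so a defender can
register (sinkhole) them before the bot herder does.

Added example: the DGA below is a HYPOTHETICAL toy constructed for this page;
the real Mega-D parameters and algorithm are not described here.
"""
from __future__ import annotations
import hashlib
from datetime import date, timedelta

# Toy stand-ins; a real analysis would lift these from the unpacked bot.
SEED = b"hypothetical-megad-seed"   # assumed hard-coded secret the DGA mixes in
TLDS = ("com", "net", "info")        # assumed TLD rotation
DOMAINS_PER_DAY = 3                  # assumed number of fallback domains per day


def dga_domains(day_iso: str) -> list[str]:
    """Fallback domains a bot would try on the given ISO date (toy, deterministic)."""
    domains = []
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(SEED + day_iso.encode() + bytes([i])).hexdigest()
        # map 12 hex digits onto letters a..p so the label looks like a typical DGA name
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def upcoming_domains(start_iso: str, days: int) -> dict[str, list[str]]:
    """Every domain the bots will try for `days` days from start_iso, keyed by date."""
    start = date.fromisoformat(start_iso)
    result: dict[str, list[str]] = {}
    for d in range(days):
        day_iso = (start + timedelta(days=d)).isoformat()
        result[day_iso] = dga_domains(day_iso)
    return result


def registration_queue(start_iso: str, days: int,
                       already_registered: set[str]) -> list[str]:
    """Domains still to be registered, earliest date first, without duplicates.

    Registering these before the herder does turns them into sinkholes: bots that
    fall back to them connect to the defender instead of a new C&C server.
    """
    seen: set[str] = set()
    queue: list[str] = []
    for _day, domains in sorted(upcoming_domains(start_iso, days).items()):
        for dom in domains:
            if dom not in already_registered and dom not in seen:
                seen.add(dom)
                queue.append(dom)
    return queue


if __name__ == "__main__":
    for day, domains in upcoming_domains("2009-11-09", 3).items():
        print(day, ", ".join(domains))
    print("to register:", registration_queue("2009-11-09", 3, set()))
```

The practical constraints are the ones the article hints at: the whole future domain list must be registered before the herders notice, and the registrar and hosting steps have to land in the same short window, otherwise the operators simply push the bots to a domain the defender did not get.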

"The take down had an immediate effect on the spam from the botnet. Today the spam has stopped altogether, although there was a very small trickle over the weekend, directed to a couple of small UK-based domains that we monitor," Web and messaging security vendor M86 Security announced on Monday.

Meanwhile, FireEye monitored activity on the domains it had registered in advance, which the bots were programmed to use as fallback C&C servers. The company reports that 264,784 unique IP addresses hit its sinkhole servers over a 24-hour period, which gives a rough idea of the botnet's size. Based on this figure, Phil Hay of M86 roughly estimates that Mega-D was sending over 15 billion spam emails per day.
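The sizing method described above is simply to count distinct client addresses contacting the sinkhole within a 24-hour window, since each bot polls repeatedly and must not be counted once per request. The following is an added example, not FireEye's tooling; the log format (timestamp, client IP, requested host) and the log lines themselves are constructed for illustration. It buckets hits by UTC calendar day, counts distinct IPs per day and overall, and flags addresses seen on more than one day.

```python
"""Estimating a sinkholed botnet's size from sinkhole hit logs.

Added example with a CONSTRUCTED log format: one line per request,
"<ISO-8601 UTC timestamp> <client IP> <Host header>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (RFC 5737 documentation addresses, made-up domains).
SAMPLE_LOG = """\
2009-11-06T00:00:05Z 203.0.113.7 abcdefghijkl.com
2009-11-06T00:00:09Z 203.0.113.7 abcdefghijkl.com
2009-11-06T03:12:44Z 198.51.100.23 mnopqrstuvwx.net
2009-11-06T11:59:59Z 192.0.2.140 abcdefghijkl.com
2009-11-06T23:59:58Z 198.51.100.23 abcdefghijkl.com
2009-11-07T00:00:01Z 203.0.113.7 abcdefghijkl.com
2009-11-07T08:30:00Z 192.0.2.77 mnopqrstuvwx.net
"""


def parse_line(line: str):
    """Split one log line into (datetime, client_ip, host)."""
    ts, ip, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, host


def unique_ips_per_day(log_text: str) -> dict:
    """Map each UTC calendar day (ISO string) to the set of distinct client IPs.

    Using a set per day is what turns "hits" into "bots": a bot that polls
    every few seconds still contributes one address.
    """
    days = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, _host = parse_line(raw)
        days[ts.date().isoformat()].add(ip)
    return dict(days)


def daily_counts(log_text: str) -> dict:
    """Distinct client IPs seen per day; the figure the article reports for one day."""
    return {day: len(ips) for day, ips in unique_ips_per_day(log_text).items()}


def total_unique(log_text: str) -> int:
    """Distinct client IPs across the whole capture."""
    return len(set().union(*unique_ips_per_day(log_text).values()))


def recurring_ips(log_text: str) -> set:
    """IPs that checked in on more than one day.

    Addresses that persist across days are more likely stable infected hosts;
    one-day addresses may be the same machine behind DHCP churn.
    """
    seen = defaultdict(int)
    for ips in unique_ips_per_day(log_text).values():
        for ip in ips:
            seen[ip] += 1
    return {ip for ip, n in seen.items() if n > 1}


if __name__ == "__main__":
    print("unique IPs per day:", daily_counts(SAMPLE_LOG))
    print("unique IPs overall:", total_unique(SAMPLE_LOG))
    print("seen on more than one day:", sorted(recurring_ips(SAMPLE_LOG)))
```

A unique-IP count is only an approximation of bot count: NAT hides several infected machines behind one address (undercounting), while DHCP churn shows one machine under several addresses over time (overcounting), which is why a single 24-hour window is the usual compromise and why the article's 264,784 is best read as an order of magnitude.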

It is worth noting that FireEye has fought similar battles with bot herders before: after McColo's demise in 2008, the company temporarily prevented the resurrection of the Srizbi botnet using similar tactics.

Ultimately, all these successful takedowns raise a pertinent question: if a small company with limited resources can make such a difference, why don't the big security vendors take a more proactive stance against these threats, instead of only offering defensive products that at times prove ineffective?