If you’ve read our last couple blogs, you know that FireEye recently hijacked the Ozdok/Mega-D botnet. Smashing the Mega-d/Ozdok botnet in 24 hours
We registered some C&C backup domains and worked with registrars and hosting providers to have the primary domains and systems taken down. We directed the Ozdok bots to a sinkhole and watched the connections come pouring in. After about 5 days we saw 487,430 unique IP addresses connecting to us. It’s difficult to estimate the true size of this botnet using this number, but we can get a good idea of where the infected systems are.
Brazil is the number 1 infected country with 11.5% of the total infections, followed closely by India and Viet Nam. China came in at number 16 followed by the USA at 17, each with 1.6% of the total infections we saw. There were 214 countries represented, but after the top 3, total infections rapidly decreased.
So how big is this thing? Due to dynamic addressing, one infected system will have many real and advertized IP addresses over time. When researchers at UCSB hijacked the Torpig botnet, they were able to find a unique bot identifier in the communication to their sinkhole.
Your Botnet is My Botnet: Analysis of a Botnet Takeover
The peak on this day occurred at 4am US Pacific time with 48,785 active Ozdok bots.
The above graph shows the total Srizbi IPs (in blue) and the total unique identifiers (in red) that we collected over an 8 day period.
This one shows the relationship between the IPs and unique identifiers. As expected, when the connections first started coming in, every IP was a unique bot, but after 8 days, only 44% of the total IPs were found to be unique bots. After 5 days (which is how much Ozdok data we are looking at), 51% of the IPs were unique bots. If we apply that to Ozdok we see that 51% of 487,430 = 248,590. Is this the size of the Ozdok botnet? Any botnet size estimate should be taken with a grain of salt as they are notoriously hard to calculate and there is a lot of conflicting data out there. There was also a lot of chaos going on when we captured the Srizbi data with McColo being shut down and bot masters in a mad scramble to keep control of their bots.
We’ve been able to contain this botnet for a little over a week now and we'll continue to look through our logs for other interesting data. We are also going to accept an offer by our friends at Shadowserver to take over management of the sinkholes. They have established infrastructure, and relationships with CERTS, ISPs, etc. that put them in a much better position to notify infected organizations. We look forward to seeing what they can do.
Todd Rosenberry @ FireEye Malware Intelligence Lab
Detailed Question/Comments : research SHIFT-2 fireeye DOT COM
Thank you, folks, for your work. I run my own mail server, and while my anti-spam solution works remarkably well, my logs still show anywhere between 50,000 to 100,000 attack attempts every single day. You are doing a really good thing here.
--TP
Posted by: Terrell Prude' Jr. | 2009.12.30 at 01:13 PM
For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients' networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from de fense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down.
WELL I am Happy people like you are out there.
Posted by: Prabhu | 2009.12.28 at 08:54 AM
so what is next for fireeye since ozdok has been handed off to another group?
Posted by: joeblow | 2009.12.05 at 01:14 PM
Well, instead of automatically healing the infected computers, perhaps a message of sorts can be sent to it or its registrars in order to notify them that they're infected.
Posted by: DaVince | 2009.11.19 at 03:50 PM
@figvam - In theory it would be possible to clean the PCs using the botnet C&C infrastructure. Unfortunately it's also illegal to do so.
Posted by: Todd Rosenberry | 2009.11.17 at 09:32 AM
May I just say what an excellent idea it is to coordinate with Shadowserver. :)
Chimel: Forum spam is handled usually just by Xrumer software. If your are continuing to be the target of sustained auto-registrations, I can assist you further. Consider sending me a comment on my blog. I won't publish it but I will reply directly. Mention your name (chimel) in the posting.
Great work as usual, FireEye. Keep it up.
SiL [whose forum is currently under a very sustained DDOS attack at the moment.]
Posted by: spamislame | 2009.11.17 at 06:40 AM
So is this botnet takeover permanent? My understanding is that you have had to register a bunch of domains in advance. Do you still have to do it to keep the control in your hands? Or will you cease the control at some point and the botnet operators will take the botnet back?
Is it possible to "self-heal" the infected PCs remotely using the botnet functionality?
Posted by: figvam | 2009.11.16 at 01:38 PM
Great article and retaliation against these spambots.
Are these bots also used for forum spam, or is it a completely different story?
I am a board moderator for a small forum, and there is not a single day without spam posted on one of our board.
It's like these spambots have special instructions on how to register, activate accounts, post in the "xxx" board or the first board they find, etc.
Or maybe the registration/activation part is manual and the account information is then communicated to the spambots.
Even using solutions like stopforumspam.com does not prevent this.
I would really like to know more about how forum spam works.
Posted by: Chimel | 2009.11.16 at 12:14 PM