Checking In With The Ozdok Sinkhole
If you’ve read our last couple of blog posts, you know that FireEye recently hijacked the Ozdok/Mega-D botnet (see Smashing the Mega-d/Ozdok botnet in 24 hours).
We registered some C&C backup domains and worked with registrars and hosting providers to have the primary domains and systems taken down. We directed the Ozdok bots to a sinkhole and watched the connections come pouring in. After about 5 days we had seen 487,430 unique IP addresses connect to us. A raw count of unique IP addresses is a poor estimate of the true size of this botnet, but it does give a good idea of where the infected systems are.
Brazil is the number 1 infected country with 11.5% of the total infections, followed closely by India and Viet Nam. China came in at number 16 and the USA at 17, each with 1.6% of the total infections we saw. There were 214 countries represented, but after the top 3 the per-country totals drop off rapidly.
So how big is this thing? Because of dynamic addressing, a single infected system will present many real and advertised IP addresses over time, so a unique-IP count over-counts the bots. When researchers at UCSB hijacked the Torpig botnet, they were able to find a unique bot identifier in the communication to their sinkhole, which let them count infected machines rather than addresses.
Your Botnet is My Botnet: Analysis of a Botnet Takeover
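To make the difference between counting addresses and counting bots concrete, here is an added example (not FireEye's sinkhole code, and not a parser for Ozdok's real beacon): it reads constructed sinkhole records of the form `<epoch> <src_ip> <bot_id>`, where `bot_id` is a hypothetical per-infection identifier of the kind the Torpig researchers found, and compares the unique-IP count, the unique-bot count, and the per-country breakdown computed each way. The CIDR-to-country table stands in for a GeoIP database and is made up for this example.

```python
"""Sinkhole log triage: unique-IP vs unique-bot counts and per-country share.

Added example, not FireEye's sinkhole code. The log format, the bot_id
field and the CIDR-to-country table are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed CIDR-to-country table standing in for a GeoIP database.
COUNTRY_BY_PREFIX = {
    "200.0.0.0/8": "BR",
    "117.192.0.0/10": "IN",
    "113.160.0.0/11": "VN",
    "1.80.0.0/12": "CN",
    "8.0.0.0/8": "US",
}
_PREFIXES = [(ipaddress.ip_network(p), c) for p, c in COUNTRY_BY_PREFIX.items()]

# Constructed sinkhole records: "<epoch> <src_ip> <bot_id>". bot_id is a
# hypothetical per-infection identifier; bot a1f3 changes address three times
# (DHCP churn) and bot 9c0d twice, which is what inflates a unique-IP count.
SAMPLE_LOG = """\
1258000000 200.10.1.5 a1f3
1258003600 200.10.1.77 a1f3
1258007200 200.10.2.9 a1f3
1258000100 117.200.4.2 9c0d
1258086500 117.200.9.40 9c0d
1258000200 113.161.3.3 77e1
1258000300 1.80.5.5 b002
1258000400 8.8.4.4 c113
1258000500 8.8.4.4 c113
malformed line that should be skipped
"""


def parse_log(text):
    """Return a list of (ts, ip, bot_id) tuples, skipping lines that do not parse."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, bot_id = parts
        try:
            records.append((int(ts), ipaddress.ip_address(ip), bot_id))
        except ValueError:
            continue
    return records


def country_of(ip):
    """Longest-prefix-free lookup against the constructed table; '??' if unknown."""
    ip = ipaddress.ip_address(ip)
    for net, country in _PREFIXES:
        if ip in net:
            return country
    return "??"


def unique_ip_count(records):
    return len({r[1] for r in records})


def unique_bot_count(records):
    return len({r[2] for r in records})


def ips_per_bot(records):
    """How many distinct addresses each bot identifier was seen from."""
    seen = {}
    for _, ip, bot_id in records:
        seen.setdefault(bot_id, set()).add(ip)
    return {b: len(ips) for b, ips in seen.items()}


def country_breakdown(records, by="bot"):
    """Per-country (country, count, percent) list, counting each bot or each IP once."""
    if by == "bot":
        first_ip = {}
        for _, ip, bot_id in sorted(records):  # earliest sighting wins
            first_ip.setdefault(bot_id, ip)
        keys = first_ip.values()
    else:
        keys = {r[1] for r in records}
    counts = Counter(country_of(ip) for ip in keys)
    total = sum(counts.values())
    return [(c, n, round(100.0 * n / total, 1)) for c, n in counts.most_common()]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unique IPs:", unique_ip_count(recs), "unique bots:", unique_bot_count(recs))
    for bot, n in ips_per_bot(recs).items():
        print(f"  bot {bot}: seen from {n} address(es)")
    print("by IP :", country_breakdown(recs, by="ip"))
    print("by bot:", country_breakdown(recs, by="bot"))
```

On the sample data the IP-based view reports 8 sources with Brazil at 37.5%, while the bot-id view reports 5 infections with Brazil at 20%: the churning Brazilian bot is counted three times by address and once by identifier. The same bias applies to the 487,430 figure above, which is why it is an upper bound on concurrent infections rather than a size estimate.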