
FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation


3 posts from November 2009

Checking In With The Ozdok Sinkhole

If you've read our last couple of blog posts (see "Smashing the Mega-d/Ozdok botnet in 24 hours" below), you know that FireEye recently hijacked the Ozdok/Mega-D botnet. We registered some C&C backup domains and worked with registrars and hosting providers to have the primary domains and systems taken down. We then directed the Ozdok bots to a sinkhole and watched the connections come pouring in. After about 5 days we had seen 487,430 unique IP addresses connecting to us. It's difficult to estimate the true size of this botnet from this number alone, but it does give us a good idea of where the infected systems are.

[Figure: Ozdok infections by country]


Brazil is the number 1 infected country with 11.5% of the total infections, followed closely by India and Vietnam. China came in at number 16, followed by the USA at 17, each with 1.6% of the total infections we saw. There were 214 countries represented, but after the top 3, per-country infection counts dropped off rapidly.

 

So how big is this thing? Because of dynamic addressing, one infected system will show up under many real and advertised IP addresses over time, so a unique-IP count is not a count of infected hosts. When researchers at UCSB hijacked the Torpig botnet, they were able to find a unique bot identifier in the communication to their sinkhole:

Your Botnet is My Botnet: Analysis of a Botnet Takeover
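The point above (unique IPs versus unique bots) is easy to see on a small sinkhole log. The following is an added example, not FireEye's sinkhole tooling; the log format (one check-in per line: timestamp, source IP, country code, bot identifier) and the bot identifiers are assumptions constructed for the illustration, and the addresses are documentation ranges. It counts the same sample both ways and shows why dynamic addressing inflates the IP count while NAT deflates it.

```python
"""
Sinkhole check-in analysis: counting unique IPs vs. unique bot identifiers.

Added example, not FireEye's code. Log format is an assumption:
"timestamp src_ip country_code bot_id", one check-in per line.
"""
from collections import defaultdict

# Constructed sample check-ins. Bot b1 checks in from three addresses over
# two days (dynamic addressing inflates the unique-IP count); bots b5 and b6
# sit behind one NAT address (which deflates it).
SAMPLE_LOG = """\
2009-11-10T00:01:02 203.0.113.10 BR b1
2009-11-10T06:14:30 203.0.113.77 BR b1
2009-11-11T02:40:11 198.51.100.5 BR b1
2009-11-10T01:00:00 198.51.100.20 IN b2
2009-11-10T01:00:05 198.51.100.21 IN b3
2009-11-10T03:30:00 192.0.2.40 VN b4
2009-11-10T03:31:00 192.0.2.77 US b5
2009-11-10T03:31:01 192.0.2.77 US b6
2009-11-10T09:00:00 203.0.113.99 CN b7
"""


def parse_log(text):
    """Parse check-in lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, country, bot_id = parts
        records.append({"ts": ts, "ip": ip, "country": country, "bot_id": bot_id})
    return records


def unique_ips(records):
    """The naive size estimate: distinct source addresses seen."""
    return len({r["ip"] for r in records})


def unique_bots(records):
    """Size estimate keyed on the per-infection identifier, as in the Torpig study."""
    return len({r["bot_id"] for r in records})


def ips_per_bot(records):
    """How many distinct addresses each bot identifier checked in from."""
    seen = defaultdict(set)
    for r in records:
        seen[r["bot_id"]].add(r["ip"])
    return {bot: len(ips) for bot, ips in seen.items()}


def country_share(records, key="bot_id"):
    """Percentage of unique bots (or unique IPs, with key="ip") per country,
    sorted from largest share to smallest. A bot that roams between countries
    is counted in each country it was seen from."""
    per_country = defaultdict(set)
    for r in records:
        per_country[r["country"]].add(r[key])
    total = sum(len(s) for s in per_country.values())
    shares = {c: round(100.0 * len(s) / total, 1) for c, s in per_country.items()}
    return dict(sorted(shares.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unique IPs :", unique_ips(recs))
    print("unique bots:", unique_bots(recs))
    print("IPs per bot:", ips_per_bot(recs))
    print("share by bot:", country_share(recs))
    print("share by IP :", country_share(recs, key="ip"))
```

On the sample, the IP count (8) overstates the bot count (7) even though two bots share one address; with real dynamic-IP churn over days the gap grows, which is why a stable identifier in the check-in is worth more than the raw connection count, and why a per-country ranking keyed on IPs can differ from one keyed on bots.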

Continue reading "Checking In With The Ozdok Sinkhole" »

Smashing the Mega-d/Ozdok botnet in 24 hours

In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight, in theory, different approaches to taking down this botnet. But when it comes to an actual shutdown, it's far more complex than just finding the command and control server coordinates and fallback mechanisms. An actual shutdown attempt requires someone to take the initiative and start a combined effort involving third parties like ISPs, registries, registrars, etc.

Instead of playing a passive role, this time FireEye decided to come forward and start working with these groups to make this happen.  The good news is that at the time of writing this article, all the major Ozdok command and control servers (as mentioned in my last post) have been taken down.  As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable.

Continue reading "Smashing the Mega-d/Ozdok botnet in 24 hours" »

Killing the beast...Part 4 (Ozdok)

Note: Updates are available at the bottom of this article.

Ozdok, a.k.a. Mega-d, is one of those botnets that has been very successful at flying under the radar over the past few years. Recent stats by Marshal TRACE show Ozdok is currently responsible for about 4.2% of the world's overall spam. The question that arises again is who are the guys controlling this botnet, and more importantly, from where? I recently conducted a detailed study of Ozdok's active command and control servers. There are two main things I took away from this study.

1. The USA is still a first choice for bad guys when it comes to hosting CnC servers.

2. After the McColo experience, these guys are no longer relying on a single net block for hosting their CnCs.  To further ensure their safety, most botnets today are equipped with a fallback mechanism.  As a matter of fact, in the case of Ozdok, there is more than one fallback mechanism involved.  These come into play once the primary command and control structures fall apart.  How?  I'll explain that shortly.

Continue reading "Killing the beast...Part 4 (Ozdok)" »