Smashing the Mega-d/Ozdok botnet in 24 hours
In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight, in theory, the different approaches available to take down this botnet. But when it comes to the actual shutdown, it's far more complex than just finding out the command and control server coordinates and fallback mechanisms. An actual shutdown attempt requires someone to take the initiative and start a combined effort involving third parties like ISPs, registries, registrars, etc.
Instead of playing a passive role, this time FireEye decided to come forward and start working with these groups to make this happen. The good news is that at the time of writing this article, all the major Ozdok command and control servers (as mentioned in my last post) have been taken down. As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable.
The first step was to prepare all the evidence against the rogue domains and hosts in the form of pcaps and actual Ozdok malware samples. Once the evidence package was ready, these were the steps taken by our research team:
1. Abuse notifications to all the ISPs involved.
So far, all but 4 hosts have been promptly taken down as a result of these abuse notifications (thanks to the ISPs involved). The CnCs which are still up and running are as follows:
98.126.17.114
64.202.189.170
98.126.44.146
62.90.134.24
We hope that the relevant authorities will be investigating these IPs and we will get a positive reply from their side soon.
2. Working with registrars to take down all the registered CnC domains.
Here is the list of Ozdok's active CnC domains. Registrars were requested to take down these domains to cut the main command and control chain.
So far we have confirmation that the domains listed below have been taken down. We are very thankful to the authorities involved.
We'll keep this list updated as we get confirmation for the other domains too.
3. Registration of all unused CnC domains.
Many domains in the Ozdok permanent CnC list were not registered, for unknown reasons. FireEye registered all such domains to prevent the bot herders from using them to regain control.
These are the CnC domains registered by FireEye yesterday:
All of these domains now point to our sinkhole server. What this means is that all the Ozdok zombies, instead of connecting to their real CnCs, are coming to this sinkhole server. Data collected from the sinkhole server logs will be used to identify the victim machines and help their owners recover them to a normal state. So far we have seen 264,784 unique IPs connecting to our sinkhole server in a 24 hour time frame. This could be a rough estimate of the current size of the Mega-d botnet.
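To show the kind of analysis a sinkhole operator runs over those logs, here is an added example written for this post (it is not FireEye's sinkhole software): it counts unique bot IPs inside a 24 hour window, check-ins per sinkholed domain, and unique victims per /24 as a first cut at which ISP to notify. The log line format is an assumption, the log lines are constructed, and the IPs are documentation-range placeholders; the host names are domains mentioned in this post.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not real sinkhole data). Assumed line format:
# "<UTC timestamp> <bot source IP> <requested CnC host>". Hosts are sinkholed
# domain names mentioned in this post; IPs are from documentation ranges.
SAMPLE_LOG = """\
2009-11-04T00:01:10Z 192.0.2.10 ADMZJYDA.BIZ
2009-11-04T00:05:42Z 192.0.2.11 DFCZNU9Q.BIZ
2009-11-04T03:17:05Z 192.0.2.10 ADMZJYDA.BIZ
2009-11-04T09:30:00Z 198.51.100.7 GREATPUNNETT.COM
2009-11-04T12:00:00Z 192.0.2.11 DFCZNU9Q.BIZ
2009-11-04T23:59:59Z 203.0.113.5 admzjyda.biz
2009-11-05T00:00:30Z 203.0.113.9 q0hgbn4t4g5a.info
"""
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Split one log line into (timestamp, IP address, lower-cased host)."""
    ts, ip, host = line.split()
    return datetime.strptime(ts, TS_FMT), ip_address(ip), host.lower()

def sinkhole_report(log_text, window_start, hours=24):
    """Summarise check-ins inside [window_start, window_start + hours):
    unique bot IPs (the botnet-size estimate quoted in the post), check-ins
    per sinkholed domain, and unique victims per /24 (rough ISP key)."""
    start = datetime.strptime(window_start, TS_FMT)
    end = start + timedelta(hours=hours)
    victims, hits_per_domain = set(), Counter()
    victims_per_net = defaultdict(set)
    for raw in filter(None, log_text.splitlines()):  # skip blank lines
        ts, ip, host = parse_line(raw)
        if not (start <= ts < end):
            continue  # outside the measurement window
        victims.add(ip)
        hits_per_domain[host] += 1
        victims_per_net[str(ip_network(f"{ip}/24", strict=False))].add(ip)
    return {
        "unique_ips": len(victims),
        "hits_per_domain": dict(hits_per_domain),
        "victims_per_net": {n: len(s) for n, s in victims_per_net.items()},
    }

if __name__ == "__main__":
    report = sinkhole_report(SAMPLE_LOG, "2009-11-04T00:00:00Z")
    print(f"{report['unique_ips']} unique bot IPs in 24h")
    for net, n in sorted(report["victims_per_net"].items()):
        print(f"  {net}: {n} victim(s)")
```

Counting unique source IPs, as the post does, over-counts hosts behind dynamic addressing and under-counts hosts behind NAT, so the figure is an estimate rather than an exact infection count.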
4. Registration of the auto-generated CnC domains.
As I explained in my last article, Ozdok is also capable of generating random CnC domains based on the current date and time. Since these domains could also be used by the bot herder to regain control if all the other domains become unavailable, FireEye has registered these auto-generated domains for the next 3 days.
These domains are:
4th Nov 2009 = dfcznu9q.biz
5th Nov 2009 = q0hgbn4t4g5a.info
6th Nov 2009 = lpygopoytqd6mrak.org
It looks like everything went according to plan. This combined effort has been quite successful in restraining this beast for the next couple of days. I just talked to Phil Hay from Marshal TRACE to get the latest spam trends for Ozdok. In his words:
"The last spam message we saw from Ozdok today was some 7 hours ago, looks like you had an impact".
We are very relieved to see the amount of cooperation offered by most of the ISPs and registrars in response to our abuse notifications. It clearly shows that it's difficult, but not impossible, to take down some of the nastiest botnets in the world.
Note: We are currently unsure how long we can keep up with these future domains. We are also watching closely to see how the bot herders will react to this situation. We'll keep you all informed.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Detailed questions/comments: research SHIFT-2 fireeye DOT COM


Recent Comments
This is excellent work. Spam received by our Barracuda firewall has reduced from over 80K per day (95% of all email received) to under 45K (91% of email). If only some kind of organised international alliance could be formed to systematically work on this issue of botnets. Decimating botnets consistently could eventually make illegal control of PCs and phishing spam campaigns unprofitable. This could bring PCs to the same low level of security risk as Apple Macs. Of course, other measures will also be required such as efficiently apprehending malware authors from all jurisdictions (whether based in Nigeria, Ukraine or US).
I'm concerned that the larger firms (Microsoft, Symantec) may have a conflict of interest and might be less aggressive than they could be towards botnets so that they can sell security solutions (and "Genuine Windows") to their customers. I sincerely hope this isn't the case.
Robert on Smashing the Mega-d/Ozdok botnet in 24 hours
Wow, this is one hell of a PR stunt.
I've never heard of you guys until now, so it's one hell of a way to put the company on the map.
Btw I usually get around 20 spam mails a day and the last couple of days I've only gotten around 2-6 spam mails :)
The Big Bad Wolf on Smashing the Mega-d/Ozdok botnet in 24 hours
Interesting... Great effort, and nice job.
Sajid on Smashing the Mega-d/Ozdok botnet in 24 hours
Q2: How was my experience while interacting with ISPs/hosting providers?
Overall it was a great experience.
1. There were some ISPs who never replied to our abuse notifications but pulled the plug silently.
2. There were some ISPs who promptly replied to our abuse notifications and asked for more evidence. After seeing the evidence they pulled the plug and replied with a thanks.
3. There were some ISPs who did not respond to our notifications at all (mostly non-US). The result is that those servers are still up. Luckily it looks like the bot herders simply abandoned those servers, as I am no longer seeing any response coming out of these servers.
One thing which was common in all the replies was something like this:
"We have notified our client about this problem and it looks like these servers were compromised and are now being re-imaged by our clients".
It looks like the ISPs are not convinced that these servers might actually be owned by the bot herders. So it doesn't matter what I personally think of this 'owned vs compromised' theory, it is what we have to believe in too.
Atif Mushtaq on Smashing the Mega-d/Ozdok botnet in 24 hours
There are many questions being asked by our readers; I would like to take this opportunity to answer most of these frequently asked questions one by one.
Q1: Killing the zombie machines, or killing the malware itself by sending a specially crafted packet.
There are two main points to be noted here.
1. Is there any self-destruction mechanism hidden in the code to force Ozdok to kill itself? So far we are unable to find any such mechanism. Our investigation of Ozdok as a malware is still going on. I'll let you guys know in case we come across any such mechanism.
2. Even if there is any such mechanism, it would be completely illegal to do so; US and international laws do not permit any such activity even if the intention behind it is good. So there is no chance that FireEye will involve itself in any such activity now or in the future. It is sad but it is how it goes.
Atif Mushtaq on Smashing the Mega-d/Ozdok botnet in 24 hours
It's looking as if bounceback is starting to happen - is this because you can't afford to keep buying domains in front of yourself, or are the herders routing around the damage?
At our location on Nov 7-8 we saw about 50% less spam than normal for a weekend, which is pretty remarkable. The trend is reversing, with the 9th running around 60% of normal and the 10th ~80% of normal spam volume (all "days" are PST, not GMT, sorry.)
Great work on showing what can be done with coordination and an understanding of command and control channels, though!
paul b on Smashing the Mega-d/Ozdok botnet in 24 hours
You guys are making the Internet a better place for everyone, I wish more companies would do this sort of thing. As an email server and network administrator, I thank you from the bottom of my heart.
Patrick M on Smashing the Mega-d/Ozdok botnet in 24 hours
Inspiring work! It's terrifying how big these things get.
J on Smashing the Mega-d/Ozdok botnet in 24 hours
Fantastic! Another one bites the dust. Good work, guys :)
Ross Thomas on Smashing the Mega-d/Ozdok botnet in 24 hours
Have you considered trying to establish your own c&c facility to instruct infected machines to clean themselves?
anon on Smashing the Mega-d/Ozdok botnet in 24 hours