Skip to comments.Good Guys Bring Down the Mega-D Botnet
Posted on 12/29/2009 8:58:34 PM PST by nickcarraway
Chalk up one for the defenders. Heres how a trio of security researchers used a three-step attack to defeat a 250,000-pronged botnet.
For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients' networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from de fense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down.
Mushtaq and two FireEye colleagues went after Mega-D's command infrastructure. A botnet's first wave of attack uses e-mail attachments, Web-based offensives, and other distribution methods to infect huge numbers of PCs with malicious bot programs.
The bots receive marching orders from online command and control (C&C) servers, but those servers are the botnet's Achilles' heel: Isolate them, and the undirected bots will sit idle. Mega-D's controllers used a far-flung array of C&C servers, however, and every bot in its army had been assigned a list of additional destinations to try if it couldn't reach its primary command server. So taking down Mega-D would require a carefully coordinated attack.
Synchronized Assault Mushtaq's team first contacted Internet service providers that unwittingly hosted Mega-D control servers; his research showed that most of the servers were based in the United States, with one in Turkey and another in Israel.
The FireEye group received positive responses except from the overseas ISPs. The domestic C&C servers went down.
Next, Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D's existing domain names to no where.
(Excerpt) Read more at pcworld.com ...
Give that man a medal!
too bad for the bad guys that Obama can’t surrender the domain name stuff to the UN.... heh... or can he?
“he suddenly switched from defense to offense”
Great success story, very interesting — thanks for posting it.
The best defense is an offense, as they say.
Go Tron, Go
Good guys ping.
That’s really nice work.
I hope these guys continue to shoot down botnets as they uncover them.
That’s slick as snot! These guys are geniuses, and they prove that the good guys aren’t always from the government!
To take down a botnet with that many infested clients is awesome, but it doesn’t account for 250,000 potentially infect-able clients still floating out there.
I don't think I get such stuff either.