Tag Archives: Mega-D

The Mega-D Botnet Bites the Dust – Sort Of!

BOTNET. The name sounds as if it belongs in a sci-fi flick, in which it’s used to describe a robotic zombie army up to no good, bent on committing general mayhem.

Take the sci-fi movie out of the equation and you’ve got the right idea. A botnet is a zombie army; but an army of individually owned, Internet-connected computers, surreptitiously controlled by a so-called “command and control center” – read, the “Bad Guys”.

Unknown to the owner of these individual computers, his or her machine is acting as a source of transmission, a relay point if you like, spreading spam, and in some cases infectious malware, including ad pushers, rogue AV installers, data stealers, and web search hijackers, to other Internet users. Most of the spam you receive on a daily basis, for example, is a product of these zombies; both large (in some cases very large), and small.

It’s not surprising, then, that various groups, or individual companies, within the Internet security community monitor the formation and demise of botnets and, wherever possible, attempt to take them down.

The following email I received from Symantec’s MessageLabs Intelligence, which I’d like to share with you, indicates the great efforts Internet security organizations make, in attempting to keep the Internet safe for all users.

Email from MessageLabs Intelligence:

Researchers at the FireEye intelligence lab recently decided to attempt to take down the Mega-D botnet after doing detailed analysis of its inner workings. It seems their actions have been very successful indeed, as our monitoring shows a huge decline in this previously prolific botnet’s activity.

Mega-D was the botnet that took the biggest advantage of the takedown of the McColo ISP in November 2008, becoming the biggest of all the spam botnets. Since then, others (such as Rustock, Bagle, Grum, and Cutwail) have gained strength, but Mega-D has consistently been in the top 10 spam bots. Or at least it was, until the 4th of November, when it was hit, and hit hard.

This shows the number of unique IPs seen on our systems on a daily basis for the Mega-D botnet. Normally between 600 and 1600 IPs are seen each day, but you can see quite clearly that after the 4th it plummeted to less than 50.

It is unlikely that the botnet will ever be completely wiped out, but the efforts of the FireEye team have crippled Mega-D to the point where it will be a long time (if indeed ever) before it is able to regain its former standing.
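The MessageLabs chart described above is a count of distinct sending IPs per day for one botnet, compared against its normal range. The following Python is an added example, not code from MessageLabs or FireEye, that performs the same measurement on a constructed sample of tagged sender records and flags the days on which a botnet’s unique-IP count collapses against its recent baseline; the record format, the `build_sample` data and the 10 percent drop threshold are assumptions.

```python
# Added example: daily unique-IP counting per botnet, with collapse detection.
from collections import defaultdict
from statistics import median

DAYS = ["2009-11-01", "2009-11-02", "2009-11-03",
        "2009-11-04", "2009-11-05", "2009-11-06"]

def build_sample():
    """Constructed records of (day, sending IP, botnet label), the shape a
    spam-trap or abuse-feed pipeline might produce once senders are tagged.
    Mega-D shows 12 distinct IPs/day up to the 4th and 1 afterwards; Rustock
    is a steady background of 8. Addresses are from RFC 5737 test ranges."""
    recs = []
    for day in DAYS:
        n = 12 if day <= "2009-11-04" else 1
        for k in range(n):
            recs.append((day, f"198.51.100.{k + 1}", "Mega-D"))
        recs.append((day, "198.51.100.1", "Mega-D"))  # repeat sender, same day
        for k in range(8):
            recs.append((day, f"203.0.113.{k + 1}", "Rustock"))
    return recs

def daily_unique_ips(records, botnet):
    """Map each day (ISO string, so sorting is chronological) to the number of
    distinct source IPs tagged with `botnet`; repeats within a day count once."""
    per_day = defaultdict(set)
    for day, ip, label in records:
        if label == botnet:
            per_day[day].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}

def collapse_days(counts, baseline_days=3, drop_ratio=0.1):
    """Return the days whose unique-IP count fell below drop_ratio times the
    median of the preceding baseline_days days: the cliff a takedown leaves."""
    days = list(counts)
    flagged = []
    for i in range(baseline_days, len(days)):
        base = median(counts[d] for d in days[i - baseline_days:i])
        if base > 0 and counts[days[i]] < drop_ratio * base:
            flagged.append(days[i])
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    for bot in ("Mega-D", "Rustock"):
        counts = daily_unique_ips(sample, bot)
        print(bot, counts, "collapsed on:", collapse_days(counts))
```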

To see the original news posting on MessageLabs Intelligence Blog, please follow this link.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


150 BILLION Daily Spams – Who’s Responsible?

Symantec’s latest MessageLabs Intelligence Report – unveiled today – describes in detail who’s responsible for such unprecedented levels of spam.

Over 150 BILLION unsolicited e-mail messages are being distributed by compromised computers every day, which means that botnets are responsible for approximately 88 percent of all spam out there today.

Recent closures of the rogue Internet Service Providers McColo, PriceWert and Real Host have significantly hurt the two biggest botnets of 2009: Cutwail and Srizbi, which at their peak were each responsible for 45.6 percent and 50 percent of all global spam, respectively. Since then, Cutwail has been bumped to the third most powerful botnet and Srizbi has disappeared.

ML Botnets

Here’s a look at how some of the newest botnets stack up:

Grum – the most active botnet, responsible for over 23 percent of global spam. Since June, Grum has increased its output per bot massively, pushing it to the top of the current “worst offenders”.

Bobax – has overtaken Cutwail as a top botnet, and is responsible for 15.7 percent of spam. Previously one of the smaller, less active botnets, Bobax has now quadrupled in size and its output per bot per minute is now the highest MessageLabs has ever seen.

Rustock – the largest botnet of all, with an estimated 1.3 to 1.9 million compromised computers in its control. Rustock has roughly doubled in size since June, but doesn’t have a high output. What sets this botnet apart from the rest is its highly automated cycle of spamming activity: spam from this botnet accelerates from 3am EST, peaks around 7am EST and dies down by 7pm EST.

Mega-D – has been losing bots quite rapidly. It is now only one tenth the size it was in June. However, it’s now working its bots harder than ever, second only to the output of Bobax in spam per bot per minute!

Maazben – meet the newest botnet, and one to watch in the future. Currently focused on sending out casino-spam, Maazben first appeared in May and has been growing the number of bots rapidly in recent weeks while keeping its output low.

What else can we expect from these powerful machines and how can businesses safeguard against their threats? You can find additional information on this and other online threats here.


MessageLabs Reports on the Battle of the Botnets
Competition in the cyber-criminal game? You bet – read what MessageLabs Intelligence has to say about competition in the botnet spam business.

Courtesy MessageLabs Intelligence:

The battle of the botnets is on with Donbot, Cutwail and Mega-D all vying for the top spot and sending up to 21 billion spam messages each day, according to MessageLabs Intelligence.

With all three botnets each responsible for distributing 15-20% of all spam globally, the battle was neck and neck.

However, Cutwail was taken out completely for a brief time last weekend (1 August and 2 August) when Latvian ISP Real Host was taken offline while Donbot ramped up its efforts. Cutwail then restored itself to its previous levels overnight and was back in the race by Monday (3 August).

Continuing to focus on spam runs with shortened URLs, first reported by MessageLabs Intelligence in early July, Donbot was responsible for three additional recent spam runs. One of these runs accounted for as much as 9.25 percent of all spam in a single day (28 July).

According to Symantec, spam volumes for that day were 108 billion, so Donbot’s shortened URL spam for that day could have been up to 10 billion spam mails. The email spam subjects indicate that Donbot is focused on pharmacy spam for discount meds.

“Shortened URLs are being seen continuously in spam,” said MessageLabs Intelligence Senior Analyst, Paul Wood. “And at the same time, shortened URL sites are being forced out of business as they get abused to death by spammers. Even sites that are known for using short URLs are taking measures to phase them out or prevent users from posting malicious links generated from these sites.”
