Good Guys Bring Down the Mega-D Botnet

[InfoSec News <alerts () infosecnews org>]

http://www.pcworld.com/article/185122/good_guys_bring_down_the_megad_botnet.html

By Erik Larkin
PC World
Dec 27, 2009

For two years as a researcher with security company FireEye, Atif 
Mushtaq worked to keep Mega-D bot malware from infecting clients' 
networks. In the process, he learned how its controllers operated it. 
Last June, he began publishing his findings online. In November, he 
suddenly switched from defense to offense. And Mega-D -- a powerful, 
resilient botnet that had forced 250,000 PCs to do its bidding -- went 
down.


Targeting Controllers

Mushtaq and two FireEye colleagues went after Mega-D's command 
infrastructure. A botnet's first wave of attack uses e-mail attachments, 
Web-based offensives, and other distribution methods to infect huge 
numbers of PCs with malicious bot programs.

The bots receive marching orders from online command and control (C&C) 
servers, but those servers are the botnet's Achilles' heel: Isolate 
them, and the undirected bots will sit idle. Mega-D's controllers used a 
far-flung array of C&C servers, however, and every bot in its army had 
been assigned a list of additional destinations to try if it couldn't 
reach its primary command server. So taking down Mega-D would require a 
carefully coordinated attack.


Synchronized Assault

Mushtaq's team first contacted Internet service providers that 
unwittingly hosted Mega-D control servers; his research showed that most 
of the servers were based in the United States, with one in Turkey and 
another in Israel.

The FireEye group received positive responses except from the overseas 
ISPs. The domestic C&C servers went down.

[...]


________________________________________ 
Did a friend send you this? From now on, be the 
first to find out! Subscribe to InfoSec News 
http://www.infosecnews.org