Mega-D (aka Ozdok) crippled

This post is made on behalf of my colleague Mathew Nisbet, Malware Data Analyst

Researchers at the Fireeye intelligence lab recently decided to attempt to take down the Mega-D botnet after doing detailed analysis of its inner workings. It seems their actions have been very successful indeed, as our monitoring shows a huge decline in this previously prolific botnet’s activity.

Mega-D was the botnet that took the biggest advantage of the takedown of the McColo ISP in November 2008, becoming the biggest of all the spam botnets. Since then, others (such as Rustock, Bagle, Grum, and Cutwail) have gained strength, but Mega-D has consistently been in the top 10 spam bots. Or at least it was, until the 4th of November, when it was hit, and hit hard.

This shows the number of unique IP’s seen on our systems on a daily basis for the Mega-D botnet. Normally between 600 and 1600 IP’s are seen each day, but you can see quite clearly that after the 4th that it plummeted down to less than 50.

Competition for Spam ‘market share’ has always been fierce among the top botnets, with the top spammer often changing hourly, but there are a few usual suspects which are always in the top 10. Consistent with the above chart, this shows how Mega-D’s ‘market share’ has now dropped to a mere fraction of a percent. It now barely registers as existing, with only a few spam seen each day, rather than thousands.

It is unlikely that the botnet will ever be completely wiped out, but the efforts of the Fireeye team have crippled Mega-D to the point where it will be a long time (if indeed, ever) before it is able to regain its former standing.