Mega-D botnet
The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending between 30% and 35% of spam worldwide.

On October 14, 2008, the U.S. Federal Trade Commission, in cooperation with Marshal Software, tracked down the owners of the botnet and froze their assets.

On November 6, 2009, security company FireEye, Inc. disabled the Mega-D botnet by disabling its command and control structure. This was akin to the Srizbi botnet takedown in late 2008. The Mega-D/Ozdok takedown involved coordination of dozens of Internet service providers, domain name registrars, and non-profit organizations like Shadowserver. M86 Security researchers estimated the takedown had an immediate effect on the spam from the botnet. By November 9, 2009, the spam had stopped altogether, although there was a very small trickle over the weekend, directed to a couple of small UK-based domains that they monitored.

Since then the botnet bounced back, exceeding pre-takedown levels by Nov. 22, and constituting 17% of worldwide spam by Dec. 13.

In July 2010, researchers from the University of California, Berkeley published a model of Mega-D's protocol state machine, revealing the internals of the proprietary protocol for the first time. The protocol was obtained through an automatic reverse-engineering technique developed by the Berkeley researchers. Among other contributions, their research paper reveals a flaw in the Mega-D protocol allowing template milking, i.e., unauthorized spam template downloading. Such a flaw could be used to acquire spam templates and train spam filters before the spam hits the network.

Arrest

In November 2010, Oleg Nikolaenko was arrested in Las Vegas, Nevada by the Federal Bureau of Investigation and charged with violations of the CAN-SPAM Act of 2003. Nikolaenko is suspected of operating the Mega-D botnet to create a "zombie network" of as many as 500,000 infected computers.

See also

  • Storm botnet
  • MPack malware kit
  • E-mail spam
  • Internet crime
  • Internet security
  • Operation: Bot Roast
  • McColo
  • Srizbi
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.