[LINK] Botnet Responsible for 1/3 of World's Spam Shut Down
Kim Holburn
kim at holburn.net
Wed Nov 11 01:13:03 AEDT 2009
http://www.theregister.co.uk/2009/11/10/fireeye_takes_out_ozdok/
> A botnet that was once responsible for an estimated third of the
> world's spam has been knocked out of commission thanks to
> researchers from security firm FireEye.
>
> After carefully analyzing the machinations of the massive botnet,
> alternately known as Mega-D and Ozdok, the FireEye employees last
> week launched a coordinated blitz on dozens of its command and
> control channels. The channels were used to send new spamming
> instructions to the legions of zombie machines that make up the
> network.
>
http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html
> Smashing the Mega-d/Ozdok botnet in 24 hours
> In my previous article, I talked about the Ozdok command and control
> architecture and its fallback mechanisms in great detail. That
> article was an attempt to highlight different approaches to take
> down this botnet theoretically. But when it comes to the actual
> shutdown, it's far more complex than just finding out the command
> and control server coordinates and fallback mechanisms. An actual
> shut down attempt requires someone to take the initiative and start
> a combined effort involving third parties like ISPs, registries,
> registrars, etc.
>
> Instead of playing a passive role, this time FireEye decided to come
> forward and start working with these groups to make this happen.
> The good news is that at the time of writing this article, all the
> major Ozdok command and control servers (as mentioned in my last
> post) have been taken down. As it turns out, no matter how many
> fallback mechanisms are in place, if they aren't all implemented
> properly, the botnet is vulnerable.
>
>
> FireEye's formal effort to shut down this botnet started last night.
> The research team here worked in multiple directions simultaneously.
> The purpose was to work against all the fallback mechanisms so fast
> that bot herders wouldn't get a chance to counter-react.
....
> "The last spam message we saw from Ozdok today was some 7 hours ago,
> looks like you had an impact".
>
> We are very relieved to see the amount of cooperation offered by
> most of the ISPs and registrars against our abuse notifications. It
> clearly shows that it's difficult but not impossible to take down
> some of the nastiest botnets of the world.
>
> Note: We are currently unsure how long we can keep up with these
> future domains. We are also looking closely at how the bot herders
> will react to this situation. We'll keep you all informed.
>
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request