[LINK] Botnet Responsible for 1/3 of World's Spam Shut Down

Kim Holburn kim at holburn.net
Wed Nov 11 01:13:03 AEDT 2009


http://www.theregister.co.uk/2009/11/10/fireeye_takes_out_ozdok/
> A botnet that was once responsible for an estimated third of the  
> world's spam has been knocked out of commission thanks to  
> researchers from security firm FireEye.
>
> After carefully analyzing the machinations of the massive botnet,  
> alternately known as Mega-D and Ozdok, the FireEye employees last  
> week launched a coordinated blitz on dozens of its command and  
> control channels. The channels were used to send new spamming  
> instructions to the legions of zombie machines that make up the  
> network.
>

http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html

> Smashing the Mega-d/Ozdok botnet in 24 hours
> In my previous article, I talked about the Ozdok command and control  
> architecture and its fallback mechanisms in great detail. That  
> article was an attempt to highlight different approaches to take  
> down this botnet theoretically. But when it comes to the actual  
> shutdown, it's far more complex than just finding out the command  
> and control server coordinates and fallback mechanisms. An actual  
> shutdown attempt requires someone to take the initiative and start  
> a combined effort involving third parties like ISPs, registries,  
> registrars, etc.
>
> Instead of playing a passive role, this time FireEye decided to come  
> forward and start working with these groups to make this happen.   
> The good news is that at the time of writing this article, all the  
> major Ozdok command and control servers (as mentioned in my last  
> post) have been taken down.  As it turns out, no matter how many  
> fallback mechanisms are in place, if they aren't all implemented  
> properly, the botnet is vulnerable.
>
>
> FireEye's formal effort to shut down this botnet started last night.  
> The research team here worked in multiple directions simultaneously.  
> The purpose was to work against all the fallback mechanisms so fast  
> that bot herders wouldn't get a chance to counteract.

....

> "The last spam message we saw from Ozdok today was some 7 hours ago,  
> looks like you had an impact".
>
> We are very relieved to see the amount of cooperation offered by  
> most of the ISPs and registrars against our abuse notifications. It  
> clearly shows that it's difficult but not impossible to take down  
> some of the nastiest botnets of the world.
>
> Note: We are currently unsure how long we can keep up with these  
> future domains. We are also looking closely at how the bot herders will  
> react to this situation. We'll keep you all informed.
>

-- 
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request