Botnets are, without any shadow of a doubt, one of the biggest scourges of IT security today. From sending spam to launching DDoS attacks and distributing malware, botnets can be found at the centre of most of the security problems facing computer users right now.
So wouldn't it be fun if you could take down, knock over and destroy a botnet? The good news is that it seems you can, with a little determination and a lot of inside knowledge.
Researchers at the FireEye Malware Intelligence Lab have been working hard at gathering the necessary knowledge with regards to one botnet, known as Ozdok or perhaps more commonly Mega-D. Having got to grips with its command and control architecture, along with the fallback mechanisms used to keep the botnet alive should it come under attack, FireEye decided the time was right to strike. This meant moving out of the lab and the purely theoretical realm of botnet takedown and into the real world, which involves getting various agencies working together with the intent of destroying a botnet. So FireEye contacted ISPs, registries and registrars and set about the task in hand.
Atif Mushtaq writes that "all the major Ozdok command and control servers... have been taken down. As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable".
It wasn't easy, but within a 24-hour period it would appear that it is possible to shut down a botnet by working against all the fallback mechanisms that have been identified, and doing so with such speed that the botnet herders are unable to mount any kind of defence strategy to keep it running.
FireEye approached the challenge methodically, by first preparing enough evidence of botnet activity (including the domains and hosts responsible) to allow ISPs to take the abuse notifications that followed seriously. Apparently this initial work paid off, with only 4 hosts not being taken down promptly as a result, and those have been reported to the relevant authorities to try and get them investigated and removed. Registrars were also contacted to request that domains be suspended so as to break the primary command and control chain. Some of these requests were successful, although many of the domains appear to be still up and running. So not so much success there, although FireEye has managed to reroute Mega-D zombies to a sinkhole server rather than the real command and control centres.
In itself this is good news as it means FireEye can collect data about those zombies and identify victims, who can then be given help to clean their machines. In the first 24 hours of this determined takedown effort FireEye has seen 264,784 unique IPs connect to the sinkhole server.
According to Mathew Nisbet, Malware Data Analyst with MessageLabs, the effort has been worthwhile. Nisbet says "our monitoring shows a huge decline in this previously prolific botnet's activity", continuing that "normally between 600 and 1600 IPs are seen each day" but after the takedown attempt the figure "plummeted down to less than 50".
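The two measurements above, unique bot IPs connecting to a sinkhole and the per-day count that collapsed from hundreds to fewer than 50, are the kind of thing a defender reads straight out of sinkhole logs. The following is an added example, not FireEye's or MessageLabs' code: it assumes a simple one-line-per-connection log format (timestamp, source IP, port, bytes) that is an assumption for illustration, and the sample lines and addresses are constructed from documentation ranges, not real Mega-D data. It counts unique check-in addresses per day, flags days that fall below a baseline, and builds the per-victim first/last-seen list that would feed notifications to ISPs.

```python
"""Sinkhole log analysis (added example, not code from the article).

Assumed log format, one connection per line (this format is an assumption):
    <YYYY-MM-DD>T<HH:MM:SS>Z <source IP> <dst port> <bytes received>
Malformed lines are skipped rather than raised: a sinkhole receives whatever
the wider internet sends it, and one bad line must not stop the report.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z\s+(?P<src>\S+)\s+\d+\s+\d+$"
)

# Constructed sample: three days of check-ins, the last day after a takedown.
# Addresses are from the documentation ranges (RFC 5737), not real victims.
SAMPLE_LOG = """\
2009-11-04T00:01:10Z 198.51.100.7 80 212
2009-11-04T00:03:41Z 198.51.100.7 80 212
2009-11-04T01:12:05Z 203.0.113.9 80 188
2009-11-04T02:45:00Z 192.0.2.33 80 190
2009-11-04T03:00:00Z not-an-ip 80 190
2009-11-05T00:00:30Z 203.0.113.9 80 188
2009-11-05T04:20:11Z 192.0.2.34 80 190
2009-11-05T07:59:59Z 198.51.100.8 80 212
2009-11-06T01:00:00Z 203.0.113.9 80 188
garbage line that should be skipped
"""


def parse_line(line: str) -> tuple[str, str] | None:
    """Return (day, source IP) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("src"))  # validates v4 and v6
    except ValueError:
        return None
    return m.group("day"), str(ip)


def ips_by_day(log_text: str) -> dict[str, set[str]]:
    """Set of distinct source addresses seen on each day."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            day, ip = parsed
            seen[day].add(ip)
    return dict(seen)


def daily_unique_counts(log_text: str) -> dict[str, int]:
    """Unique IPs per day, the figure MessageLabs tracked (600-1600 normally)."""
    return {day: len(ips) for day, ips in sorted(ips_by_day(log_text).items())}


def total_unique_ips(log_text: str) -> int:
    """Distinct victims over the whole log (FireEye's 264,784 in 24 hours)."""
    return len(set().union(*ips_by_day(log_text).values()))


def days_below_baseline(log_text: str, baseline_low: int) -> list[str]:
    """Days whose count fell under the low end of the normal daily range."""
    return [d for d, n in daily_unique_counts(log_text).items() if n < baseline_low]


def first_last_seen(log_text: str) -> dict[str, tuple[str, str]]:
    """Per-victim first and last check-in day, the basis of an ISP notification list."""
    span: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        day, ip = parsed
        if ip not in span:
            span[ip] = [day, day]
        else:  # ISO dates sort correctly as strings
            span[ip][0] = min(span[ip][0], day)
            span[ip][1] = max(span[ip][1], day)
    return {ip: (first, last) for ip, (first, last) in sorted(span.items())}


if __name__ == "__main__":
    print("unique IPs per day:", daily_unique_counts(SAMPLE_LOG))
    print("total unique IPs:", total_unique_ips(SAMPLE_LOG))
    print("days below baseline of 3:", days_below_baseline(SAMPLE_LOG, 3))
    for ip, (first, last) in first_last_seen(SAMPLE_LOG).items():
        print(f"{ip}: first seen {first}, last seen {last}")
```

With a real sinkhole log, `days_below_baseline(log, 600)` reproduces the check in the quote above, and `first_last_seen` gives each ISP a dated list of its affected customers; the per-day set is what makes repeat check-ins from the same infected host count once.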
Sure, Mega-D was not obliterated by this attack and it is still spewing out a handful of spam messages every day. It should be remembered that Mega-D has been taken down before and bounced back. However, this time it has been effectively crippled, and that's important given how fiercely competitive the botnet market is. Clients will move elsewhere, and it is doubtful whether Mega-D will be able to recover to anything like the position it previously held in the underground botnet-for-hire league tables.