If you’ve read our last couple blogs, you know that FireEye recently hijacked the Ozdok/Mega-D botnet. Smashing the Mega-d/Ozdok botnet in 24 hours
We registered some C&C backup domains and worked with registrars and hosting providers to have the primary domains and systems taken down. We directed the Ozdok bots to a sinkhole and watched the connections come pouring in. After about 5 days we saw 487,430 unique IP addresses connecting to us. It’s difficult to estimate the true size of this botnet using this number, but we can get a good idea of where the infected systems are.
Brazil is the number 1 infected country with 11.5% of the total infections, followed closely by India and Viet Nam. China came in at number 16 followed by the USA at 17, each with 1.6% of the total infections we saw. There were 214 countries represented, but after the top 3, total infections rapidly decreased.
So how big is this thing? Due to dynamic addressing, one infected system will have many real and advertized IP addresses over time. When researchers at UCSB hijacked the Torpig botnet, they were able to find a unique bot identifier in the communication to their sinkhole.
Over 10 days, they saw 1,247,642 unique IPs and only 182,800 unique bots. There are many factors that could affect this ratio and they didn’t make any statements about this being relevant to other botnets. The Torpig bots checked in with the sinkhole every 20 minutes or so and the researchers did find that if they looked at traffic for any given hour, the number of unique IPs did closely match the number of unique bots. A single infected system is likely to keep the same IP address for a given hour. We found the Ozdok bots checked in about every 5 minutes so looking at 1 hour of traffic may at least give an indication of the infected systems that are live at a given time. Here is a typical day in the life of the Ozdok bots.
The peak on this day occurred at 4am US Pacific time with 48,785 active Ozdok bots.
The above graph shows the total Srizbi IPs (in blue) and the total unique identifiers (in red) that we collected over an 8 day period.
This one shows the relationship between the IPs and unique identifiers. As expected, when the connections first started coming in, every IP was a unique bot, but after 8 days, only 44% of the total IPs were found to be unique bots. After 5 days (which is how much Ozdok data we are looking at), 51% of the IPs were unique bots. If we apply that to Ozdok we see that 51% of 487,430 = 248,590. Is this the size of the Ozdok botnet? Any botnet size estimate should be taken with a grain of salt as they are notoriously hard to calculate and there is a lot of conflicting data out there. There was also a lot of chaos going on when we captured the Srizbi data with McColo being shut down and bot masters in a mad scramble to keep control of their bots.
We’ve been able to contain this botnet for a little over a week now and we'll continue to look through our logs for other interesting data. We are also going to accept an offer by our friends at Shadowserver to take over management of the sinkholes. They have established infrastructure, and relationships with CERTS, ISPs, etc. that put them in a much better position to notify infected organizations. We look forward to seeing what they can do.
Todd Rosenberry @ FireEye Malware Intelligence Lab
Detailed Question/Comments : research SHIFT-2 fireeye DOT COM