
Checking In With The Ozdok Sinkhole

If you’ve read our last couple of blogs, you know that FireEye recently hijacked the Ozdok/Mega-D botnet (see Smashing the Mega-d/Ozdok botnet in 24 hours).

We registered some C&C backup domains and worked with registrars and hosting providers to have the primary domains and systems taken down. We directed the Ozdok bots to a sinkhole and watched the connections come pouring in. After about 5 days we saw 487,430 unique IP addresses connecting to us. It’s difficult to estimate the true size of this botnet using this number, but we can get a good idea of where the infected systems are.

Ozdok_Countries

Brazil is the number 1 infected country with 11.5% of the total infections, followed closely by India and Viet Nam.  China came in at number 16 followed by the USA at 17, each with 1.6% of the total infections we saw.  There were 214 countries represented, but after the top 3, total infections rapidly decreased. 

 

So how big is this thing? Due to dynamic addressing, one infected system will have many real and advertised IP addresses over time. When researchers at UCSB hijacked the Torpig botnet, they were able to find a unique bot identifier in the communication to their sinkhole.

Your Botnet is My Botnet: Analysis of a Botnet Takeover


Over 10 days, they saw 1,247,642 unique IPs and only 182,800 unique bots. There are many factors that could affect this ratio, and they didn’t make any statements about it being relevant to other botnets. The Torpig bots checked in with the sinkhole every 20 minutes or so, and the researchers did find that if they looked at traffic for any given hour, the number of unique IPs closely matched the number of unique bots: a single infected system is likely to keep the same IP address for a given hour. We found the Ozdok bots checked in about every 5 minutes, so looking at 1 hour of traffic may at least give an indication of the infected systems that are live at a given time. Here is a typical day in the life of the Ozdok bots.

Ozdok_IPs_per_hour

The peak on this day occurred at 4am US Pacific time with 48,785 active Ozdok bots. To get another estimate on the size of the botnet, I dug up some data on Srizbi, which FireEye was able to hijack and shut down a year ago. In that case, we were able to find a unique bot identifier in the communication.


Srizbi_uniques

The above graph shows the total Srizbi IPs (in blue) and the total unique identifiers (in red) that we collected over an 8 day period.

Srizbi_ratio

This one shows the relationship between the IPs and unique identifiers. As expected, when the connections first started coming in, every IP was a unique bot, but after 8 days, only 44% of the total IPs were found to be unique bots. After 5 days (which is how much Ozdok data we are looking at), 51% of the IPs were unique bots. If we apply that ratio to Ozdok we get 51% of 487,430 = 248,590. Is this the size of the Ozdok botnet? Any botnet size estimate should be taken with a grain of salt, as they are notoriously hard to calculate and there is a lot of conflicting data out there. There was also a lot of chaos going on when we captured the Srizbi data, with McColo being shut down and bot masters in a mad scramble to keep control of their bots.
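The two estimation methods used above, counting unique IPs per hour as an indicator of live bots and scaling a total unique-IP count by the unique-bot/unique-IP ratio observed on a botnet whose traffic did carry a bot identifier, as an added Python example. This is not FireEye’s sinkhole code: the log format, the IP addresses (documentation ranges) and the bot ids are all constructed for illustration, and the bot id column stands in for the identifier found in Srizbi and Torpig traffic, which Ozdok check-ins lacked.

```python
"""Sinkhole check-in analysis: two ways to estimate botnet size.

Constructed example. Each log line is "<ISO-8601 UTC timestamp> <source IP> <bot id>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed check-ins. Bot b1 moves from 203.0.113.10 to 203.0.113.77
# (dynamic addressing), so it contributes two IPs but is one bot.
SAMPLE_LOG = """\
2009-11-10T03:00:12Z 203.0.113.10 b1
2009-11-10T03:05:44Z 203.0.113.10 b1
2009-11-10T03:07:02Z 198.51.100.7 b2
2009-11-10T03:40:51Z 192.0.2.25 b3
2009-11-10T04:01:09Z 203.0.113.77 b1
2009-11-10T04:06:30Z 198.51.100.7 b2
2009-11-10T04:20:15Z 192.0.2.25 b3
2009-11-10T04:55:00Z 192.0.2.99 b4
"""


def parse_checkins(text):
    """Yield (timestamp, ip, bot_id) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2]


def unique_ips_per_hour(checkins):
    """Distinct source IPs seen in each clock hour, in time order.

    A host usually keeps one address within an hour, so each hour's count
    approximates the bots that were live during that hour (method 1).
    """
    buckets = defaultdict(set)
    for ts, ip, _ in checkins:
        buckets[ts.replace(minute=0, second=0, microsecond=0)].add(ip)
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}


def peak_hour(per_hour):
    """(hour, count) of the busiest hour, i.e. the peak live-bot estimate."""
    return max(per_hour.items(), key=lambda kv: kv[1])


def ip_to_bot_ratio(checkins):
    """Cumulative unique IPs vs unique bot ids over the whole capture.

    Returns (unique_ips, unique_bots, unique_bots / unique_ips); the ratio
    falls over time as bots change address, as the Srizbi graphs show.
    """
    ips, bots = set(), set()
    for _, ip, bot_id in checkins:
        ips.add(ip)
        bots.add(bot_id)
    return len(ips), len(bots), len(bots) / len(ips)


def estimate_bots(total_unique_ips, ratio):
    """Method 2: scale a unique-IP total by a ratio borrowed from a botnet
    whose traffic carried bot identifiers (487,430 * 0.51 = 248,589.3)."""
    return round(total_unique_ips * ratio)


if __name__ == "__main__":
    records = list(parse_checkins(SAMPLE_LOG))
    per_hour = unique_ips_per_hour(records)
    for hour, count in per_hour.items():
        print(f"{hour:%Y-%m-%d %H:00}Z  unique IPs: {count}")
    hour, count = peak_hour(per_hour)
    print(f"peak hour {hour:%H:00}Z with {count} live bots (method 1)")
    ips, bots, ratio = ip_to_bot_ratio(records)
    print(f"{ips} unique IPs, {bots} unique bots, ratio {ratio:.2f}")
    print(f"ratio 0.51 applied to 487,430 IPs: {estimate_bots(487430, 0.51)}")
```

Both estimates are only as good as their assumptions: the hourly count undercounts bots that are powered off or NAT-shared, and the borrowed ratio depends on the address churn of a different bot population captured under different conditions, which is why the post treats the 51% figure with caution.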

We’ve been able to contain this botnet for a little over a week now, and we'll continue to look through our logs for other interesting data. We are also going to accept an offer by our friends at Shadowserver to take over management of the sinkholes. They have established infrastructure and relationships with CERTs, ISPs, etc. that put them in a much better position to notify infected organizations. We look forward to seeing what they can do.

Todd Rosenberry @ FireEye Malware Intelligence Lab

Detailed Questions/Comments: research SHIFT-2 fireeye DOT COM

8 thoughts on “Checking In With The Ozdok Sinkhole”

  1. Great article and retaliation against these spambots.
    Are these bots also used for forum spam, or is it a completely different story?
    I am a board moderator for a small forum, and there is not a single day without spam posted on one of our boards.
    It’s like these spambots have special instructions on how to register, activate accounts, post in the “xxx” board or the first board they find, etc.
    Or maybe the registration/activation part is manual and the account information is then communicated to the spambots.
    Even using solutions like stopforumspam.com does not prevent this.
    I would really like to know more about how forum spam works.

  2. So is this botnet takeover permanent? My understanding is that you have had to register a bunch of domains in advance. Do you still have to do it to keep the control in your hands? Or will you cease the control at some point and the botnet operators will take the botnet back?
    Is it possible to “self-heal” the infected PCs remotely using the botnet functionality?

  3. May I just say what an excellent idea it is to coordinate with Shadowserver. :)
    Chimel: Forum spam is usually handled just by Xrumer software. If you are continuing to be the target of sustained auto-registrations, I can assist you further. Consider sending me a comment on my blog. I won’t publish it but I will reply directly. Mention your name (chimel) in the posting.
    Great work as usual, FireEye. Keep it up.
    SiL [whose forum is currently under a very sustained DDOS attack at the moment.]

  4. Well, instead of automatically healing the infected computers, perhaps a message of sorts can be sent to it or its registrars in order to notify them that they’re infected.

  5. For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients’ networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from defense to offense. And Mega-D, a powerful, resilient botnet that had forced 250,000 PCs to do its bidding, went down.
    Well, I am happy people like you are out there.

  6. Thank you, folks, for your work. I run my own mail server, and while my anti-spam solution works remarkably well, my logs still show anywhere between 50,000 to 100,000 attack attempts every single day. You are doing a really good thing here.
    –TP
