In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight different approaches to take down this botnet theoretically. But when it comes to the actual shutdown, it's far more complex than just finding out the command and control server coordinates and fallback mechanisms. An actual shut down attempt requires someone to take the initiative and start a combined effort involving third parties like ISPs, registries, registrars, etc.
Instead of playing a passive role, this time FireEye decided to come forward and start working with these groups to make this happen. The good news is that at the time of writing this article, all the major Ozdok command and control servers (as mentioned in my last post) have been taken down. As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable.
FireEye's formal effort to shut down this botnet started last night. The research team here worked in multiple directions simultaneously. The purpose was to act against all the fallback mechanisms so quickly that the bot herders wouldn't get a chance to react.
The first step was to prepare all the evidence against the rogue domains and hosts in the form of pcaps and actual Ozdok malware samples. Once the evidence package was ready, these were the steps taken by our research team:
1. Abuse notifications to all the ISPs involved.
So far, all hosts except for 4 have been promptly taken down as a result of these abuse notifications (thanks to the ISPs involved). The CnCs which are still up and running are as follows:
We hope that the relevant authorities will be investigating these IPs and we will get a positive reply from their side soon.
2. Working with registrars to take down all the registered CnC domains.
Here is the list of Ozdok's active CnC domains. Registrars were requested to take down these domains to cut the main command and control chain.
So far we have confirmation that the domains listed below have been taken down. We are very thankful to the authorities involved.
We'll keep this list updated as we receive confirmation for the other domains too.
3. Registration of all unused CnC domains.
Many domains in the Ozdok permanent CnC list were not registered, for reasons unknown. FireEye registered all such domains to prevent the bot herders from using them to regain control.
These are the CnC domains registered by FireEye yesterday:
All of these domains now point to our sinkhole server. This means that all the Ozdok zombies, instead of connecting to their real CnCs, are coming to this sinkhole server. Data collected from the sinkhole server logs will be used to identify the victim machines and help their owners restore them to a normal state. So far we have seen 264,784 unique IPs connecting to our sinkhole server in a 24 hour time frame. This can serve as a rough estimate of the current size of the Mega-D botnet.
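As an added example (not FireEye's own tooling), this is the kind of census a sinkhole log makes possible: unique client IPs within a 24 hour window, broken down by which of the sinkholed domains the bots asked for. The log format, timestamps and IP addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sinkhole log (not real data). Assumed format per line:
# "<ISO timestamp> <client ip> <CnC domain requested>"
SAMPLE_LOG = """\
2009-11-04T01:12:03 198.51.100.7 dfcznu9q.biz
2009-11-04T01:12:09 198.51.100.7 dfcznu9q.biz
2009-11-04T03:40:51 203.0.113.22 dfcznu9q.biz
2009-11-04T11:05:00 192.0.2.14 dfcznu9q.biz
2009-11-05T00:30:10 198.51.100.7 q0hgbn4t4g5a.info
2009-11-05T02:15:42 203.0.113.99 q0hgbn4t4g5a.info
2009-11-05T02:16:00 not-a-log-line
"""

# End of the 24 hour census window used below (constructed).
WINDOW_END = datetime(2009, 11, 5, 3, 0, 0)

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, ip, domain) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, m.group(2), m.group(3)


def census(text, window_end, hours=24):
    """Count unique client IPs in [window_end - hours, window_end).

    Returns (total_unique_ips, {domain: unique_ips}). A unique-IP count is
    only a rough size estimate: NAT hides several infected hosts behind one
    address, while DHCP churn can count one host more than once.
    """
    start = window_end - timedelta(hours=hours)
    seen, per_domain = set(), {}
    for ts, ip, domain in parse_log(text):
        if start <= ts < window_end:
            seen.add(ip)
            per_domain.setdefault(domain, set()).add(ip)
    return len(seen), {d: len(s) for d, s in per_domain.items()}


if __name__ == "__main__":
    print(census(SAMPLE_LOG, WINDOW_END))
```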
4. Registration of the auto-generated CnC domains.
As I explained in my last article, Ozdok is also capable of generating random CnC domains based on the current date and time. Since these domains could also be used by the bot herder to regain control in case all the other domains become unavailable, FireEye has registered the auto-generated domains for the next 3 days.
These domains are:
4th Nov 2009 = dfcznu9q.biz
5th Nov 2009 = q0hgbn4t4g5a.info
6th Nov 2009 = lpygopoytqd6mrak.org
It looks like everything went according to plan. This combined effort has been quite successful in restraining this beast for the next couple of days. I just talked to Phil Hay from Marshal TRACE to find out the latest spam trends for Ozdok. In his words:
"The last spam message we saw from Ozdok today was some 7 hours ago, looks like you had an impact".
We are very relieved to see the level of cooperation offered by most of the ISPs and registrars in response to our abuse notifications. It clearly shows that it's difficult, but not impossible, to take down some of the nastiest botnets in the world.
Note: We are currently unsure how long we can keep up with registering these future domains. We are also watching closely to see how the bot herders react to this situation. We'll keep you all informed.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Detailed Question/Comments : research SHIFT-2 fireeye DOT COM