Smashing the Mega-d/Ozdok botnet in 24 hours

In my previous article, I discussed the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight, in theory, the different approaches for taking down this botnet. When it comes to an actual shutdown, however, it is far more complex than just finding the command and control server coordinates and fallback mechanisms. A real shutdown attempt requires someone to take the initiative and start a combined effort involving third parties such as ISPs, registries and registrars.

Instead of playing a passive role, this time FireEye decided to come forward and start working with these groups to make this happen. The good news is that at the time of writing this article, all the major Ozdok command and control servers (as mentioned in my last post) have been taken down. As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable.

FireEye's formal effort to shut down this botnet started last night. The research team here worked in multiple directions simultaneously. The purpose was to work against all the fallback mechanisms so fast that the bot herders wouldn't get a chance to react.

The first step was to prepare all the evidence against the rogue domains and hosts in the form of pcaps and actual Ozdok malware samples. Once the evidence package was ready, these were the steps taken by our research team:

1. Abuse notifications to all the ISPs involved.

So far, all but 4 hosts have been promptly taken down as a result of these abuse notifications (thanks to the ISPs involved). The CnCs which are still up and running are as follows:

98.126.17.114
64.202.189.170
98.126.44.146
62.90.134.24

We hope that the relevant authorities will investigate these IPs and that we will get a positive reply from their side soon.

2. Working with registrars to take down all the registered CnC domains.

Here is the list of Ozdok's active CnC domains. Registrars were requested to take down these domains to cut the main command and control chain.


So far we have confirmation that the domains listed below have been taken down. We are very thankful to the authorities involved.

foodcaters.info
pilimerkazana.biz
zavaretalies.com
grezasadaf.info
beztakrezt.info
jamfzuyqyra.com

We'll keep this list updated as we get confirmation for the other domains too.

3. Registration of all unused CnC domains.

Many domains in the Ozdok permanent CnC list were, for unknown reasons, not registered. FireEye registered all such domains to prevent the bot herders from using them to regain control.

These are the CnC domains registered by FireEye yesterday:


All of these domains are now pointing to our sinkhole server. This means that all the Ozdok zombies, instead of connecting to their real CnCs, are coming to this sinkhole server. Data collected from the sinkhole server logs will be used to identify the victim machines and help their owners recover them back to a normal state. So far we have seen 264,784 unique IPs connecting to our sinkhole server in a 24 hour time frame. This can serve as a rough estimate of the current size of the Mega-d botnet.
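As an added example (not FireEye's sinkhole code), this is how the victim count described above can be derived from sinkhole web-server logs: it parses constructed Apache-style lines that carry the requested sinkholed domain as a final field (an assumed log format) and counts unique client IPs per domain over the 24 hours leading up to the newest record, so that a host checking in several times is counted once.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sinkhole log lines (Apache-style, with the requested
# Host appended as the last field). Client IPs are documentation ranges,
# not real Ozdok victims; the domains are from the sinkholed list.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2009:08:12:01 +0000] "POST /index.php HTTP/1.1" 200 12 "-" "-" admzjyda.biz
10.0.0.5 - - [04/Nov/2009:09:40:17 +0000] "POST /index.php HTTP/1.1" 200 12 "-" "-" admzjyda.biz
192.0.2.44 - - [04/Nov/2009:11:02:55 +0000] "POST /index.php HTTP/1.1" 200 12 "-" "-" dfcznu9q.biz
198.51.100.7 - - [03/Nov/2009:06:00:00 +0000] "POST /index.php HTTP/1.1" 200 12 "-" "-" skiloper.net
203.0.113.9 - - [04/Nov/2009:23:59:59 +0000] "POST /index.php HTTP/1.1" 200 12 "-" "-" admzjyda.biz
"""

# client IP, timestamp, request, status, size, referer, user-agent, host
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d+ \S+ "[^"]*" "[^"]*" (?P<host>\S+)$'
)


def parse_line(line):
    """Return (ip, timestamp, host) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("host").lower()


def victims_in_window(log_text, hours=24):
    """Unique client IPs per sinkholed domain, and overall, within the last
    `hours` measured back from the newest record in the log."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    if not records:
        return {}, 0
    newest = max(ts for _, ts, _ in records)
    cutoff = newest - timedelta(hours=hours)
    per_domain = defaultdict(set)
    for ip, ts, host in records:
        if ts > cutoff:  # older check-ins fall outside the 24 hour window
            per_domain[host].add(ip)
    all_ips = set().union(*per_domain.values())
    return {h: len(ips) for h, ips in per_domain.items()}, len(all_ips)


if __name__ == "__main__":
    counts, total = victims_in_window(SAMPLE_LOG)
    print(counts, total)
```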

4. Registration of the auto-generated (date-based) CnC domains.

As I explained in my last article, Ozdok is also capable of generating random CnC domains based on the current date and time. Since these domains could also be used by the bot herders to regain control in case all the other domains become unavailable, FireEye has registered the auto-generated domains for the next 3 days.

These domains are:

4th Nov 2009 = dfcznu9q.biz
5th Nov 2009 = q0hgbn4t4g5a.info
6th Nov 2009 = lpygopoytqd6mrak.org

[Image: Sinkhole1]

It looks like everything went according to plan. This combined effort has been quite successful in containing this beast for the next couple of days. I just talked to Phil Hay from Marshal TRACE to find out the latest spam trends for Ozdok. In his words:

"The last spam message we saw from Ozdok today was some 7 hours ago, looks like you had an impact". 

We are very relieved to see the amount of cooperation offered by most of the ISPs and registrars in response to our abuse notifications. It clearly shows that it's difficult, but not impossible, to take down some of the nastiest botnets in the world.

Note: We are currently unsure how long we can keep up with registering these future domains. We are also looking closely at how the bot herders will react to this situation. We'll keep you all informed.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM