The Mega-D botnet was disabled last week by a team of white hat hackers at the security firm FireEye. Before it was disrupted it may have had up to a quarter million infected machines under its control, and it was estimated to be responsible for a third of the world's spam output.
How they did it
Dan Goodin reported: "After unplugging the Mega-D master control channels, the researchers set up a benign 'sinkhole' channel for the bots to report to and waited to see what would happen.
Over five days, 487,340 unique IP addresses reported to the ad-hoc server. Using findings derived from last year’s take-down of the separate Srizbi botnet, FireEye estimates that the figure translates to 248,590 unique machines. Unlike Mega-D, Srizbi included an accounting mechanism that identified each infected machine. They then analyzed the number of IP addresses and noted that after five days, it was about double the number of individual Srizbi victims.”
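The counting described in the quote above, as an added example (not code from the article or from FireEye): deduplicate the source addresses that check in to a sinkhole over a five-day window, then convert the raw IP count to a machine estimate using the IP-to-machine ratio implied by the article's own figures (487,340 IPs to 248,590 machines, roughly two to one). The log format and the check-in lines below are constructed for illustration and use RFC 5737 documentation addresses; one bot deliberately reappears from a different address on a later day to show why unique IPs overstate the host count.

```python
"""Sinkhole check-in counting: unique IPs versus estimated infected hosts."""
from collections import defaultdict
from datetime import datetime

# Figures quoted in the article: unique IPs seen over five days, and the
# machine count FireEye derived from them using the Srizbi calibration.
MEGA_D_UNIQUE_IPS = 487_340
MEGA_D_EST_MACHINES = 248_590


def srizbi_calibration_ratio(unique_ips=MEGA_D_UNIQUE_IPS,
                             machines=MEGA_D_EST_MACHINES):
    """IP-to-machine ratio implied by the article's numbers (about 1.96)."""
    return unique_ips / machines


# Constructed sample log (not real sinkhole data). Assumed line format:
# "<ISO timestamp> <source IP> <request>". Two deliberately malformed lines
# are included to show that the parser skips them rather than miscounting.
SAMPLE_LOG = """\
2009-11-06T00:12:01 203.0.113.5 GET /
2009-11-06T03:40:17 203.0.113.5 GET /
2009-11-06T05:01:44 198.51.100.20 GET /
malformed-entry
2009-11-07T01:15:09 203.0.113.77 GET /
2009-11-07T09:30:00 198.51.100.20 GET /
not-a-timestamp 10.0.0.1 GET /
2009-11-08T02:00:00 192.0.2.14 GET /
2009-11-08T02:00:05 203.0.113.5 GET /
2009-11-09T22:10:10 192.0.2.99 GET /
2009-11-10T04:44:44 198.51.100.21 GET /
"""


def parse_sinkhole_log(text):
    """Yield (date, source_ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield stamp.date(), parts[1]


def unique_ips_per_day(text):
    """Map each observation date to the set of distinct source IPs seen."""
    per_day = defaultdict(set)
    for day, ip in parse_sinkhole_log(text):
        per_day[day].add(ip)
    return per_day


def cumulative_unique_ips(text, days=5):
    """Count distinct IPs across the first `days` days of the window.

    A host that re-checks in from a new DHCP lease on a later day is
    counted twice here, which is why the raw figure needs calibration.
    """
    per_day = unique_ips_per_day(text)
    seen = set()
    for day in sorted(per_day)[:days]:
        seen |= per_day[day]
    return len(seen)


def estimate_infected_machines(unique_ips, ratio=None):
    """Convert a raw unique-IP count into an estimated machine count."""
    if ratio is None:
        ratio = srizbi_calibration_ratio()
    return round(unique_ips / ratio)


if __name__ == "__main__":
    raw = cumulative_unique_ips(SAMPLE_LOG)
    print(f"unique IPs over five days: {raw}")
    print(f"estimated machines: {estimate_infected_machines(raw)}")
    print(f"article figures check: "
          f"{estimate_infected_machines(MEGA_D_UNIQUE_IPS)} machines")
```

On the constructed log the five-day window yields six distinct addresses from roughly three hosts, and applying the article's ratio to the article's own 487,340 IPs reproduces its 248,590 machines. The calibration ratio is the weak link: it was measured on a different botnet, which is why the size estimate later in the article is given with such a large caveat.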
Size hard to judge
FireEye’s Todd Rosenberry said “Any botnet size estimate should be taken with a grain of salt as they are notoriously hard to calculate and there is a lot of conflicting data out there.”
Effects felt worldwide
The researchers estimated that Brazil was the most infected country (11.5 percent of the victims), followed closely by India and Viet Nam. Infected machines were seen in 214 countries.
Still under watchful eye
Mega-D is still being monitored. There are plans to turn over maintenance of the sinkhole server to Shadowserver, a volunteer group with established infrastructure and relationships with ISPs and Computer Emergency Response Teams (CERTs) around the world.
About Mailprotector
Mailprotector's services are ideal for protecting your Exchange server, or any mail server, against spammers' attempts to flood your inbox with their junk: spam, viruses, trojans, phishing attacks and other email-borne malware and threats.