Man Challenges 250,000 Strong Botnet and Succeeds

Dennis Faas's picture

When security officials decide to "go after" computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices -- but for one computer researcher, the change from a defensive to an offensive mentality is what ended the two-year chase of a sinister botnet once and for all.

For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, Mega-D had forced more than 250,000 PCs to do its bidding via botnet control. That's when Mushtaq decided to take an offensive approach.

How Botnets Propagate and Infect Other PCs

The first wave of a botnet attack uses email attachments, web-based offensives and other distribution methods to infect large numbers of PCs with malicious bot programs: usually either through the fault of the computer operator or an exploit in the operating system.

Once a PC is infected, it is referred to as a "bot" (as in "robot") and part of the botnet, or "network of software robots." The bots then receive orders from online command and control (C&C) servers. This is where Mr. Mushtaq looked to attack first.

Multiple Botnet C&C Servers

Problems arose, however, because Mega-D boasted a large array of C&C servers. This meant that every bot had been assigned a list of additional web addresses (destinations) to try if it could not reach its primary command server.

Still, Mushtaq had been pursuing the malicious botnet for two years. During that spell, he managed to gather enough information to suggest the whereabouts of the servers. Most were revealed to originate from the United States, with one in Turkey and another in Israel.

Operation: Sever Bot Ties

From there, Mushtaq and his colleagues contacted domain name registrars holding records for the domain names that Mega-D used for its control servers. The idea was that if the pool of domain names was severed, the individual bots could not reach Mega-D-affiliated servers that the overseas Internet Service Providers (ISPs) had declined to take down.

The end result was a mad dash to register previously unregistered web site addresses that Mega-D's controllers listed in the bot programming. A similar tactic was used to control and outsmart the Conficker worm back in March of this year.

The logic here was that Mushtaq and company would pick up these domain names and steer them into "sinkholes" (servers set up to sit quietly and log efforts by Mega-D bots to check in for orders). Using those logs, Mushtaq and friends estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
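To illustrate how sinkhole logs can yield a size estimate, here is an added example (not code from the researchers or from this article) that counts distinct source addresses checking in to sinkholed domains. The log format, domain names and IP addresses are constructed placeholders, and the counting method is an assumption, not the method the researchers used.

```python
import re
from collections import defaultdict

# Constructed sample data: placeholder domains and documentation-range IPs,
# not real Mega-D indicators. The log line layout is hypothetical.
SINKHOLED_DOMAINS = {"cc-one.example", "cc-two.example"}

SAMPLE_LOG = """\
2009-11-04T00:01:12Z 192.0.2.10 cc-one.example GET /
2009-11-04T00:05:40Z 192.0.2.10 cc-two.example GET /
2009-11-04T00:07:03Z 198.51.100.7 cc-one.example GET /
2009-11-04T09:30:00Z 203.0.113.5 unrelated.example GET /
2009-11-05T01:00:00Z 192.0.2.10 cc-one.example GET /
2009-11-05T01:02:00Z 192.0.2.99 cc-one.example GET /
2009-11-05T02:00:00Z 203.0.113.77 CC-TWO.example. GET /
this line is malformed and must be skipped
"""

# date, source IPv4 address, requested host name
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s")


def estimate_botnet_size(log_text, domains):
    """Return (unique IPs per day, peak daily count, cumulative unique count)."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines instead of failing the whole run
        day, ip, host = match.groups()
        # Normalise case and a trailing root dot before comparing host names.
        if host.lower().rstrip(".") not in domains:
            continue  # traffic for a domain that is not part of the sinkhole
        per_day[day].add(ip)  # a bot trying several domains counts once per day
    daily = {day: len(ips) for day, ips in sorted(per_day.items())}
    peak = max(daily.values(), default=0)
    # Cumulative uniques grow as dynamic addresses change, so they tend to
    # overstate the number of machines; NAT has the opposite effect.
    cumulative = len(set().union(*per_day.values()))
    return daily, peak, cumulative


if __name__ == "__main__":
    print(estimate_botnet_size(SAMPLE_LOG, SINKHOLED_DOMAINS))
```

Any count of IP addresses is only an approximation of infected machines, which is why such figures are reported as estimates.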

Mega-D a Top Ten Spam Bot for 2009

Was the operation a success? The proof is in the pudding, so to speak.

MessageLabs, a Symantec email security subsidiary, reported that Mega-D had "consistently been in the top 10 spam bots" for the previous year. On November 1, 2009, Mega-D accounted for 11.8 percent of all spam that MessageLabs observed.

Three days later, the efforts of Mushtaq had helped reduce Mega-D's market share of Internet spam to less than 0.1 percent.
