Good Guys Bring Down the Mega-D Botnet

28.12.2009
For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients' networks. In the process, he learned how its controllers operated it. Last June, he began . In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--.

Mushtaq and two FireEye colleagues went after Mega-D's command infrastructure. A botnet's first wave of attack uses e-mail attachments, Web-based offensives, and other distribution methods to infect huge numbers of PCs with malicious bot programs.

The bots receive marching orders from online command and control (C&C) servers, but those servers are the botnet's Achilles' heel: Isolate them, and the undirected bots will sit idle. Mega-D's controllers used a far-flung array of C&C servers, however, and every bot in its army had been assigned a list of additional destinations to try if it couldn't reach its primary command server. So taking down Mega-D would require a carefully coordinated attack.
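The fallback behaviour described above is what makes a piecemeal takedown fail: a bot only goes idle when every entry on its list is unreachable. The simulation below is an added illustration, not FireEye's code or data; the server names, bot count and fallback lists are constructed, and the bot's check-in loop is modelled as "try each entry in order, stop at the first that answers".

```python
"""Model why a botnet with per-bot fallback C&C lists has to be
taken down all at once.  Added example; nothing here is Mega-D's
real infrastructure (hostnames and list sizes are made up)."""
from __future__ import annotations
import random

# Constructed C&C inventory (hypothetical names, not Mega-D's).
CNC_SERVERS = ["cnc-us-1", "cnc-us-2", "cnc-us-3", "cnc-tr-1", "cnc-il-1"]


def build_botnet(n_bots: int, fallbacks: int, seed: int = 7) -> list[list[str]]:
    """Give every bot an ordered list: a primary server followed by
    `fallbacks` distinct alternates, drawn at random from the inventory."""
    rng = random.Random(seed)
    botnet = []
    for _ in range(n_bots):
        order = CNC_SERVERS[:]
        rng.shuffle(order)
        botnet.append(order[: fallbacks + 1])
    return botnet


def reachable_cnc(bot_list: list[str], live: set[str]) -> str | None:
    """The bot's check-in loop: walk the list in order and return the
    first server that is still up, or None if the bot is now undirected."""
    for host in bot_list:
        if host in live:
            return host
    return None


def controlled_fraction(botnet: list[list[str]], live: set[str]) -> float:
    """Share of bots that can still reach some C&C server."""
    still_directed = sum(1 for b in botnet if reachable_cnc(b, live) is not None)
    return still_directed / len(botnet)


def run_takedown(botnet: list[list[str]], rounds: list[list[str]]) -> list[float]:
    """Apply a takedown plan round by round (each round is the set of
    servers isolated in that step) and record, after every round, the
    fraction of the botnet that is still under control."""
    live = set(CNC_SERVERS)
    history = []
    for removed in rounds:
        live -= set(removed)
        history.append(controlled_fraction(botnet, live))
    return history


def sequential_plan() -> list[list[str]]:
    """One server isolated per round, the plan a single ISP acting alone produces."""
    return [[s] for s in CNC_SERVERS]


def coordinated_plan() -> list[list[str]]:
    """Every server isolated in the same round."""
    return [list(CNC_SERVERS)]


if __name__ == "__main__":
    bots = build_botnet(n_bots=1000, fallbacks=2)   # primary + 2 alternates
    print("sequential :", run_takedown(bots, sequential_plan()))
    print("coordinated:", run_takedown(bots, coordinated_plan()))
```

With three entries per bot and five servers, isolating servers one at a time leaves the whole botnet directed through the first two rounds and a majority of it through the fourth; only the coordinated plan drops control to zero in a single step, which is the reason the takedown had to be staged simultaneously across every provider.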

Mushtaq's team first contacted Internet service providers that unwittingly hosted Mega-D control servers; showed that most of the servers were based in the United States, with one in Turkey and another in Israel.