Mega-D Botnet on the Comeback

By Matthew Hines  |  Posted 2008-12-09 Print this article Print

Not long after security researchers and at least one journalist successfully lobbied for shady hosting provider McColo to be taken offline by its own hosts several weeks ago, and worldwide spam levels nearly immediately dipped by as much as 70 percent, security industry pundits began predicting that it wouldn't be long before spammers and botnet operators recovered from the event.

In the days following the McColo shuttering, some experts counted hundreds of thousands of stranded zombie PCs attempting to connect back to command centers caught up in the event, but vendors such as FireEye who were watching the situation said that the botnet masters controlling those networks would soon get their houses back in order as they found new hosts for the electronic brains of their operations.

Now it appears that those prognostications were well-placed, as security gateway vendor Marshal8e6 is among those finding that botnets of zombie machines are again swelling back to their size prior to the McColo takedown. Many of the resurrected botnets are again producing voluminous amounts of spam, some of which carries malware meant to further re-expand the bot herders' reach, the company said Tuesday.

The Mega-D botnet, well-known for producing "billions" of spam e-mails, most of which promote sexual performance drugs such as Viagra, and the Srizbi and Rustock botnets were effectively shut down when McColo went offline, the company said.

However, Mega-D's backers have worked effectively over the last three weeks to set up new command and control servers and re-establish connections with their networks of compromised bots, researchers with the Marshal8e6 TraceLabs research team report. As a result, spam levels are again rising upward, the company said.

"Spam from Mega-D has been ramping up over the last few days and reached up to 48 percent of all the spam we captured in our honey pot spam traps," Phil Hay, lead threat analyst for the Marshal8e6 Trace, said in an advisory notice.

According to Marshal8e6's numbers, the overall volume of spam has doubled since the low point immediately following the McColo shutdown.

"Many security researchers, including ourselves, predicted that spam volumes were likely to eventually bounce back after McColo's shutdown," said Hay. "Based on what we have seen from Mega-D this week, that seems to be happening now. Spam volumes are still only about 40 percent of where they were in September this year, but they have doubled since the last week of November, so the spammers seem to be clawing their way back."

While the Rustock botnet bounced back more quickly in the wake of McColo, it has now ebbed as Mega-D has made the biggest comeback, according to the firm. However, even in its new guise, Mega-D is still showing signs of weakness in relation to its former self.

"After McColo was shut down, we observed activity indicating that the individuals behind the Srizbi, Rustock and Mega-D botnets were attempting to set up new command and control servers," Hay continued. "We saw some activity occurring with the Rustock botnet, but it appears to have gone quiet again. Mega-D is the first of the affected botnets to really bounce back. However, it is a changed botnet now. It no longer exhibits some of its previously distinctive characteristics."

Hay said that the bot masters controlling Mega-D are likely having the most success because they have gone to the greatest lengths to rearchitect their infection techniques. The modifications include the use of some techniques previously related to Rustock.

"The Mega-D bots appear to have been upgraded and altered quite substantially by the people behind it. It now uses templates we have seen before with Rustock," he said. "This is an interesting development. It could mean that the Mega-D spammers have looked at and copied from their rivals. Or, it could indicate that the individuals behind both botnets are working in collusion or are one and the same."

Either way, rest assured that your spam folder is once again brimming with lurid offers for drugs that will make you a bedroom superstar.

And, you know, turn your desktop into a spambot.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel