Mega-D spam count zeroes out after FireEye botnet takedown

Mega-D's contribution to spam fell considerably after the takedown. Couldn't have happened to a nicer bunch. Source: MessageLabs.

Symantec-owned MessageLabs said that the botnet, which was responsible for almost one in every eight spam messages at the start of this month, is now responsible for less than 0.1% of all spam sent.

Mega-D, also known as Ozdok, became one of the biggest sources of spam a year ago after the rogue ISP McColo was taken down. It has consistently made the top 10 list of spam botnets since then, until November 4, when FireEye launched a concerted campaign to remove it.

FireEye researcher Atif Mushtaq analyzed malware delivered by the Mega-D botnet at the start of this month to try and understand the botnet command and control infrastructure. He and the rest of the team uncovered significant facts, including the continued choice of the USA as a popular location for botnet command and control servers, and the use of multiple net blocks to host those servers, providing failback positions.

Researchers found that Mega-D malware used domain names to locate the command service, and maintained a hardcoded list of domains in the malware source code. It used custom DNS servers to find the domains.
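The two behaviours described above, a hardcoded C&C domain list and resolution through the bot's own DNS servers rather than the local resolver, are both visible in DNS traffic logs. The following is an added example of how a defender might match on them; it is not FireEye's code or anything from the original article. The watchlist domains, the approved resolver addresses and the log format are constructed placeholders, not real Mega-D indicators.

```python
"""Detection sketch for the C&C lookup behaviour described in the article.

Two signals: (1) queries for domains on a watchlist recovered from malware
analysis, and (2) queries sent to resolvers outside the approved set, which
is what "custom DNS servers" looks like from the network's side.
All indicators and log lines here are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed watchlist standing in for hardcoded C&C domains recovered from
# a sample. Real indicators would come from your own analysis.
CC_WATCHLIST = {"example-cc-1.test", "example-cc-2.test"}

# Resolvers this (hypothetical) network allows clients to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed log format: "<ts> <client_ip> -> <resolver_ip> Q <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<resolver>\S+) Q (?P<qname>\S+)$"
)

SAMPLE_LOG = """\
2009-11-04T10:00:01 192.0.2.10 -> 10.0.0.53 Q www.example.com
2009-11-04T10:00:02 192.0.2.11 -> 198.51.100.7 Q example-cc-1.test
2009-11-04T10:00:03 192.0.2.11 -> 198.51.100.7 Q mail.example.org
2009-11-04T10:00:04 192.0.2.12 -> 10.0.1.53 Q example-cc-2.test.
2009-11-04T10:00:05 192.0.2.10 -> 10.0.0.53 Q www.example.net
"""


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'A.Test.' matches 'a.test'."""
    return qname.rstrip(".").lower()


def in_watchlist(qname: str) -> bool:
    """True if qname is a watchlisted domain or a subdomain of one."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in CC_WATCHLIST)


def parse_line(line: str):
    """Parse one log line; return None for malformed lines or bad addresses."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["client"])
        ipaddress.ip_address(rec["resolver"])
    except ValueError:
        return None
    return rec


def analyze(log_text: str) -> dict:
    """Per-client findings: watchlist hits and unapproved resolvers used."""
    findings = defaultdict(lambda: {"watchlist_hits": [], "rogue_resolvers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = findings[rec["client"]]
        if in_watchlist(rec["qname"]):
            f["watchlist_hits"].append(normalize(rec["qname"]))
        if rec["resolver"] not in APPROVED_RESOLVERS:
            f["rogue_resolvers"].add(rec["resolver"])
    # Keep only clients showing at least one signal.
    return {c: f for c, f in findings.items()
            if f["watchlist_hits"] or f["rogue_resolvers"]}


def suspect_hosts(log_text: str) -> list:
    """Clients sorted by strength of evidence: both signals first, then by IP."""
    res = analyze(log_text)
    score = lambda c: bool(res[c]["watchlist_hits"]) + bool(res[c]["rogue_resolvers"])
    return sorted(res, key=lambda c: (-score(c), c))


if __name__ == "__main__":
    for host in suspect_hosts(SAMPLE_LOG):
        f = analyze(SAMPLE_LOG)[host]
        print(host, f["watchlist_hits"], sorted(f["rogue_resolvers"]))
```

A host that both queries a watchlisted name and bypasses the approved resolvers ranks above one that shows only a single signal; in the constructed sample, 192.0.2.11 is reported first and 192.0.2.10 is not reported at all.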

"You can't just simply shut off the CC servers. You need to ensure that the domain names used by the criminals to contact those bots are delisted", said Phil Lin, director of marketing for FireEye. "Those are often registered in other countries by different individuals."

The researchers took a 'shock-and-awe' approach to hitting the botnet, trying to take down so many failback servers that the bot herders wouldn't be able to react. They gathered all the available evidence and approached the ISPs involved directly, most of which took down the botnet servers straight away.

They then contacted the registrars responsible for the active command and control domains, and were partially successful in getting some removed. They followed this by registering all of the unused command and control domains, which were presumably awaiting registration by the botnet herders.

All of the Mega-D domains that could be controlled by FireEye now point to its sinkhole server, which will be used to collect information on victims' machines and help them recover. Based on that data, the botnet is estimated to be over a quarter of a million machines in size.

One significant finding from the company's research was that large botnets are still often hosted on US servers rather than the 'bullet proof' hosting services found in Eastern Europe and Russia, which frequently ignore takedown requests. This makes it easier for security researchers to persuade ISPs to take down the command and control servers used for botnet activity.

"The US infrastructure is still by far the best place in the world to host stuff, and because these bots are so big, you need big, powerful servers, and good, stable internet connections", said Lin. "There are C&C servers being hosted in other countries, and that's where delisting domain names becomes even more important."

FireEye is now monitoring the net for the botnet herders' next move.
