RSS feed of TRACElabs Blog from M86 Security

A closer look at Mega-D


December 11, 2008

In a previous blog, we talked about the return of the Mega-D botnet (a.k.a. Ozdok) in the wake of the McColo shutdown. Mega-D is one of the major botnets, responsible for sending close to 50% of all spam. This time, we thought we would take a closer look at the bot itself.

Mega-D has a unique way of hiding itself from detection. It tries to fool users by creating a new svchost.exe process (svchost.exe is a legitimate component of Windows) and injecting its code into that process.


After creating a fake but legitimate-looking Windows process, Mega-D copies itself into the Windows system directory as an Alternate Data Stream (ADS) with the filename “svchost.exe:ext.exe”. This is a clever way of hiding a malicious file from detection, since neither Windows Explorer nor cmd.exe reveals ADS streams unless a special tool such as Streams from Sysinternals is used.


Mega-D then creates a service so that the dropped file auto-executes on system startup. “FCI” is the display name for this specific Mega-D sample (MD5 hash: EB6C85A3D3A17CDC4DC50CF018322A59, packed using UPX).

It looks like this in the Services management console once registered:
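The installation steps above (a freshly spawned svchost.exe that receives injected code, and a copy of the bot tucked into the stream svchost.exe:ext.exe) leave two host-side traces that can be checked for. The script below is an added example, not code from the original post or from M86: it applies two checks to a constructed process listing and to a constructed sample in the shape the Sysinternals Streams tool prints. The process list, the file paths, the stream size and the dropper name update.exe are all made up for the example, and the assumption that svchost.exe is always started by services.exe from System32 is the rule being tested.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Constructed sample process listing (pid, parent pid, image name, image path).
# On Windows, svchost.exe instances are started by services.exe from System32,
# so an svchost.exe with any other parent or path deserves a closer look.
SAMPLE_PROCS = [
    Proc(4, 0, "System", ""),
    Proc(600, 4, "services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(820, 600, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1500, 1340, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    Proc(1988, 1500, "update.exe", r"C:\Temp\update.exe"),  # hypothetical dropper
    Proc(2044, 1988, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
]


def suspicious_svchost(procs):
    """Return (pid, parent name, path) for every svchost.exe whose parent is
    not services.exe or whose image does not live in System32."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        parent_ok = parent is not None and parent.name.lower() == "services.exe"
        path_ok = p.path.lower().endswith(r"\system32\svchost.exe")
        if not (parent_ok and path_ok):
            hits.append((p.pid, parent.name if parent else "<none>", p.path))
    return hits


# Constructed sample in the shape the Streams tool prints (assumption about
# its format): a "<path>:" line, then one indented ":<stream>:$DATA <size>"
# line per alternate stream. The Zone.Identifier stream is the normal
# "downloaded from the Internet" marker and is not interesting here.
SAMPLE_STREAMS_OUTPUT = r"""
C:\WINDOWS\system32\svchost.exe:
         :ext.exe:$DATA   88576
C:\WINDOWS\system32\notes.txt:
         :Zone.Identifier:$DATA   26
"""

_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*):$")
_STREAM_RE = re.compile(r"^\s+:(?P<stream>[^:]+):\$DATA\s+(?P<size>\d+)\s*$")


def parse_streams_output(text):
    """Return (file path, stream name, size) tuples from Streams-style output."""
    current = None
    records = []
    for line in text.splitlines():
        m = _FILE_RE.match(line.rstrip())
        if m:
            current = m.group("path")
            continue
        m = _STREAM_RE.match(line)
        if m and current:
            records.append((current, m.group("stream"), int(m.group("size"))))
    return records


EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")


def suspicious_streams(records, system_dir=r"C:\WINDOWS\system32"):
    """Flag alternate streams with executable-looking names on files that
    live under the system directory, e.g. svchost.exe:ext.exe."""
    hits = []
    for path, stream, size in records:
        if not path.lower().startswith(system_dir.lower()):
            continue
        if stream.lower().endswith(EXEC_EXT):
            hits.append(f"{path}:{stream} ({size} bytes)")
    return hits


if __name__ == "__main__":
    for hit in suspicious_svchost(SAMPLE_PROCS):
        print("svchost anomaly:", hit)
    for hit in suspicious_streams(parse_streams_output(SAMPLE_STREAMS_OUTPUT)):
        print("suspicious ADS:", hit)
```

On a live machine the process listing would come from Task Manager, tasklist or WMI and the stream listing from running Streams against the system directory; the two rule functions stay the same.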


After Mega-D transfers control to the injected code, it terminates and deletes the originally executed file to further reduce its footprint and the likelihood of detection. From the injected code, Mega-D performs a DNS query on one of the following domains:

  • mazerattikrak.info
  • host.violenzarja.biz
  • m.violenzarja.biz
  • pilimerkazana.biz
  • jopiterazania.net
  • upoyansa.com
  • hotopikalar.info
  • fhkacwd9aalg.info
  • beztakrezt.info

Once the DNS query succeeds, Mega-D sends a test message. Here is a sample SMTP transaction in which it does so:


Older samples try to connect to majzufaiuq.info, which is currently an unregistered domain. The bot then attempts to connect to its C&C server; we observed Mega-D connecting to the following addresses on port 80:

  • 72.21.32.138
  • 98.126.40.74
  • 216.32.90.186

We also observed it downloading an updated binary from 98.126.40.74:80 / mss32.exe (please note: the link was intentionally broken).
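The domains the injected code resolves and the addresses it contacts on port 80 are the network indicators a defender would want to sweep for. The script below is an added example, not part of the original post: it matches the indicators quoted above (the domain list, the older sample's majzufaiuq.info, the three C&C addresses and the /mss32.exe path) against DNS and web-proxy log lines. The log lines and their formats (a BIND-style query log and a Squid-style access log) are constructed samples, as are the client addresses in them; adapt the two regular expressions to whatever your resolver and proxy actually emit.

```python
import re

# Domains the injected code resolves (from the post), plus the older sample's.
MEGAD_DOMAINS = {
    "mazerattikrak.info", "host.violenzarja.biz", "m.violenzarja.biz",
    "pilimerkazana.biz", "jopiterazania.net", "upoyansa.com",
    "hotopikalar.info", "fhkacwd9aalg.info", "beztakrezt.info",
    "majzufaiuq.info",
}
# C&C addresses observed on port 80 (from the post).
MEGAD_C2_IPS = {"72.21.32.138", "98.126.40.74", "216.32.90.186"}
# Path of the update binary fetched from 98.126.40.74 (from the post).
MEGAD_UPDATE_PATH = "/mss32.exe"

# Constructed sample log lines; client addresses and timestamps are made up.
SAMPLE_DNS_LOG = """\
11-Dec-2008 10:02:13.115 client 192.168.1.25#1037: query: www.example.com IN A +
11-Dec-2008 10:02:14.220 client 192.168.1.25#1038: query: m.violenzarja.biz IN A +
11-Dec-2008 10:02:15.003 client 192.168.1.40#1101: query: mail.example.com IN MX +
"""
SAMPLE_PROXY_LOG = """\
1229008936.412    122 192.168.1.25 TCP_MISS/200 91234 GET http://98.126.40.74:80/mss32.exe - DIRECT/98.126.40.74 application/octet-stream
1229008940.001     40 192.168.1.40 TCP_HIT/200 5120 GET http://www.example.com/ - NONE/- text/html
"""

_DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
_PROXY_RE = re.compile(r"^\S+\s+\d+\s+(?P<src>[\d.]+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def domain_matches(qname):
    """True if qname is an indicator domain or a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in MEGAD_DOMAINS)


def scan_dns_log(text):
    """Return (client, queried name) for every query hitting an indicator domain."""
    hits = []
    for line in text.splitlines():
        m = _DNS_RE.search(line)
        if m and domain_matches(m.group("qname")):
            hits.append((m.group("src"), m.group("qname")))
    return hits


def scan_proxy_log(text):
    """Return (client, url, reason) for requests to a C&C address; a fetch of
    the update binary path is reported separately from other contact."""
    hits = []
    for line in text.splitlines():
        m = _PROXY_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = re.match(r"https?://([^/:]+)", url)
        if host and host.group(1) in MEGAD_C2_IPS:
            reason = "update-download" if url.endswith(MEGAD_UPDATE_PATH) else "c2-contact"
            hits.append((m.group("src"), url, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS indicator:", hit)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy indicator:", hit)
```

Matching on subdomains as well as exact names catches a bot that prefixes a host label to one of the listed domains; matching the C&C addresses by host rather than by full URL means a later sample that changes the binary name is still reported as contact.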

The message body is usually HTML only, with themes focusing on fake designer products, male enlargement, sexual enhancement and current news topics, and using NDR-style subject lines such as:

   Delivery Status Notification
   Delivery Status Notification (Failure)
   RE: Message
   RE: Order Status
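Because the spam borrows bounce-style subject lines but carries an ordinary HTML body, its structure gives it away: a genuine delivery status notification is sent as multipart/report with report-type=delivery-status (RFC 3464), and a genuine "RE:" reply normally carries In-Reply-To or References headers. The filter heuristic below is an added example, not code from the original post or from M86; it checks those two structural facts against the four subject lines listed above. The raw messages are constructed samples, and every address, sender name and boundary string in them is made up.

```python
import re
from email import message_from_string
from email.policy import default

# Subject lines from the post, split by which structural check applies.
DSN_SUBJECT_RE = re.compile(r"^Delivery Status Notification( \(Failure\))?$", re.IGNORECASE)
FAKE_REPLY_SUBJECT_RE = re.compile(r"^RE: (Message|Order Status)$", re.IGNORECASE)


def looks_like_megad_spam(raw_message):
    """Return a reason string if the message uses one of the NDR-style subjects
    but is not structured the way a real bounce or reply would be, else None."""
    msg = message_from_string(raw_message, policy=default)
    subject = (msg["Subject"] or "").strip()
    ctype = msg.get_content_type()
    if DSN_SUBJECT_RE.match(subject):
        is_real_dsn = (ctype == "multipart/report"
                       and msg.get_param("report-type") == "delivery-status")
        if not is_real_dsn:
            return f"DSN subject {subject!r} but body is {ctype}, not multipart/report"
        return None
    if FAKE_REPLY_SUBJECT_RE.match(subject):
        threaded = msg["In-Reply-To"] is not None or msg["References"] is not None
        if ctype == "text/html" and not threaded:
            return f"reply-style subject {subject!r} with HTML-only body and no threading headers"
    return None


# Constructed sample: NDR subject on a plain HTML body, as the post describes.
SAMPLE_SPAM = """\
From: "Mail Delivery System" <postmaster@example.org>
To: victim@example.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

<html><body><a href="http://example.invalid/">Replica watches</a></body></html>
"""

# Constructed sample: a genuine bounce, structured per RFC 3464.
SAMPLE_REAL_DSN = """\
From: Mail Delivery System <MAILER-DAEMON@mail.example.com>
To: sender@example.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The following address failed: nobody@example.net
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--b1--
"""

# Constructed sample: "RE:" subject, HTML only, no threading headers.
SAMPLE_FAKE_REPLY = """\
From: "Order Dept" <orders@example.org>
To: victim@example.com
Subject: RE: Order Status
MIME-Version: 1.0
Content-Type: text/html

<html><body>Your order is ready, see the attached site.</body></html>
"""

# Constructed sample: a real reply, threaded and plain text.
SAMPLE_REAL_REPLY = """\
From: colleague@example.com
To: victim@example.com
Subject: RE: Order Status
In-Reply-To: <1234@example.com>
Content-Type: text/plain

Shipped this morning.
"""

if __name__ == "__main__":
    for name, raw in [("spam", SAMPLE_SPAM), ("real DSN", SAMPLE_REAL_DSN),
                      ("fake reply", SAMPLE_FAKE_REPLY), ("real reply", SAMPLE_REAL_REPLY)]:
        print(f"{name}: {looks_like_megad_spam(raw)}")
```

The check is deliberately structural rather than content-based, so it does not depend on the product being advertised; it is a scoring input for a mail filter, not a verdict on its own, since a hand-written HTML reply without threading headers would also trip the second branch.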


Here's a sample spam from Mega-D:

In summary, the Mega-D malware uses sophisticated methods to optimize stealth. It is difficult to identify, even for experienced users, without specialized analysis tools. It is designed to be flexible when attempting connections to its command and control servers and uses a range of methods to update itself. It is a very professionally written piece of malware.


Last Reviewed: December 11, 2008 by Rodel Mendrez