Mega-D


March 17, 2009

Aliases

  • Ozdok

Comments

The Mega-D botnet is a prolific spammer. It has been around since at least 2007, and at times has been responsible for as much as one-third of the spam we have observed. Its name derives from its fondness for spamming male enlargement products under brands such as 'MegaDik' and 'Manster', among the many other brand names that are used. It also heavily spams 'Canadian Pharmacy' brand pharmaceuticals. Spam output was disrupted by the takedown of the McColo network in November 2008, but bounced back soon after.

Features

  • Reports to its control server on port 80; also uses encrypted HTTPS on port 443
  • Performs DNS lookups on domains to send spam
  • Uses templates
  • Injects code into SVCHOST.EXE

Spamming Rate

  • 105,000 messages per hour per bot

Command and Control

On the samples that we have examined, the following domain names were queried to connect to its control server:

  • mazerattikrak.info
  • beztakrezt.info
  • m.violenzarja.biz
  • host.violenzarja.biz
  • galileoboots.info
  • majzufaiuq.info
  • foodcaters.info

Mega-D communicates with its control server on port 80 using an encrypted tunnel.

Screenshot (not reproduced in this text): Mega-D's DNS lookup attempt to resolve the control server's IP address.

Malware Behavior on Host

Upon execution, this Trojan creates a new SVCHOST.EXE process from the Windows system32 folder. It then injects its own code into this process and executes it using the CreateRemoteThread() API.

It drops a copy of itself in the Windows System32 directory using the filename SVCHOST.EX and registers this dropped file as a service by adding the following registry entry:

  • HKLM\SYSTEM\CurrentControlSet\Service\FCI
    • DisplayName = “FCI”
    • ImagePath = %SystemRoot%\System32\SVCHOST.EX

It then creates a batch file with a random filename of the form <7 random digits>.bat. The batch file deletes itself after the code has been injected into the SVCHOST.EXE process. The code injected into SVCHOST.EXE contains the SMTP engine for the spamming routine. It also acts as a bot client, retrieving commands from the control server such as spamming templates, email lists and binary updates of itself.
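The control-server domains listed under Command and Control and the host artifacts described in this section (the SVCHOST.EX drop, the FCI service key and the seven-digit batch file) are the indicators a defender would match against DNS, file and registry telemetry. The following is an added example of such matching and is not code from the original page; the indicator values come from the page, while the event record layout, the function names and the sample events are constructed here for illustration.

```python
"""Indicator matching for the Mega-D artifacts described on the page.

Added example, not code from the original page. The C2 domains, the
SVCHOST.EX drop path, the FCI service key and the <7 digits>.bat dropper
are taken from the page; the event records, `scan_events` and the sample
events are constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Indicators from the page --------------------------------------------
MEGAD_C2_DOMAINS = {
    "mazerattikrak.info", "beztakrezt.info", "m.violenzarja.biz",
    "host.violenzarja.biz", "galileoboots.info", "majzufaiuq.info",
    "foodcaters.info",
}
# Dropped copy is SVCHOST.EX (no final "E"), easily mistaken for svchost.exe.
DROPPED_SUFFIX = r"\system32\svchost.ex"
# Service subkey named FCI. The page writes "Service"; the standard hive path
# is "Services", so both spellings are accepted here (assumption).
SERVICE_KEY_RE = re.compile(r"\\currentcontrolset\\services?\\fci$")
# Dropper batch file: seven random digits plus .bat, directory not stated.
BATCH_RE = re.compile(r"(^|\\)\d{7}\.bat$")


@dataclass(frozen=True)
class Finding:
    kind: str      # which Mega-D artifact was matched
    evidence: str  # the raw field that matched


def check_dns(qname: str) -> Optional[Finding]:
    """Flag a DNS query for one of the listed control-server domains."""
    name = qname.rstrip(".").lower()
    if name in MEGAD_C2_DOMAINS:
        return Finding("c2_dns_lookup", qname)
    return None


def check_file(path: str) -> Optional[Finding]:
    """Flag creation of the SVCHOST.EX drop or a <7 digits>.bat dropper."""
    norm = path.replace("/", "\\").lower()
    if norm.endswith(DROPPED_SUFFIX):
        return Finding("dropped_svchost_ex", path)
    if BATCH_RE.search(norm):
        return Finding("batch_dropper", path)
    return None


def check_registry(key: str, value: str, data: str) -> Optional[Finding]:
    """Flag the FCI service registration; ImagePath to SVCHOST.EX corroborates."""
    if not SERVICE_KEY_RE.search(key.lower()):
        return None
    if value.lower() == "imagepath" and data.lower().endswith(DROPPED_SUFFIX):
        return Finding("fci_service_imagepath", f"{key}\\{value}={data}")
    return Finding("fci_service_key", f"{key}\\{value}={data}")


def scan_events(events: List[Dict]) -> List[Finding]:
    """Dispatch each event record to the matcher for its type; keep the hits."""
    hits: List[Finding] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "dns":
            f = check_dns(ev["qname"])
        elif kind == "file_create":
            f = check_file(ev["path"])
        elif kind == "registry_set":
            f = check_registry(ev["key"], ev["value"], ev["data"])
        else:
            f = None
        if f is not None:
            hits.append(f)
    return hits


# Constructed sample events: four Mega-D hits and two benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "dns", "qname": "host.violenzarja.biz."},                   # hit
    {"type": "dns", "qname": "update.example.com"},                      # benign
    {"type": "file_create", "path": r"C:\Windows\System32\svchost.exe"},  # benign
    {"type": "file_create", "path": r"C:\Windows\System32\SVCHOST.EX"},   # hit
    {"type": "file_create", "path": r"C:\Windows\Temp\4815162.bat"},      # hit
    {"type": "registry_set",                                             # hit
     "key": r"HKLM\SYSTEM\CurrentControlSet\Service\FCI",
     "value": "ImagePath", "data": r"%SystemRoot%\System32\SVCHOST.EX"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.kind:24} {f.evidence}")
```

The file check matches on the `.EX` extension rather than on the name `svchost` alone, which is what separates the dropped copy from the legitimate `svchost.exe` that the injected process runs under; the registry check reports the service key on its own and upgrades the finding when the ImagePath value points at the drop.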

Unlike other spambots, which change templates often, the spamming templates Mega-D uses appear to be relatively fixed. Older versions of Mega-D contained a hardcoded spamming template that is not found in newer versions.

Further analysis of Mega-D can be found in this blog post.


Last Reviewed: June 20, 2010 by Rodel Mendrez