Last week we posted our statistics highlighting that the Mega-D botnet accounted for 32% of spam. Since then, other researchers have been busy trying to pinpoint the malware behind this major spam operation. Joe Stewart from SecureWorks has done some excellent detective work in identifying the culprit as “Ozdok”, from a little-known malware family. As his analysis highlights, this relative obscurity probably enabled the botnet to grow steadily in its spamming capacity for over a year.
The method of distribution of this malware remains unclear. But once established on a PC, the malware connects to a control server and downloads a spam template and a list of email addresses to send to. According to the SecureWorks analysis, the Mega-D botnet consists of an estimated 35,000 bots, considerably fewer than Storm’s estimated 85,000. However, in terms of the volume of spam sent, there is no denying the impact Mega-D has had in recent months: it has inundated users’ inboxes almost everywhere.
Since yesterday, the Mega-D control servers appear to have gone offline, and the volume of spam from Mega-D has dropped off dramatically. Today it has fallen to under 1% of the spam received in our traps. This is a welcome respite from this pesky spammer, although it’s quite possible that new control servers, and more spam from this operation, will appear again sometime soon.