Mega-D botnet

From Wikipedia, the free encyclopedia

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.[1][2][3]

On October 14, 2008, the U.S. Federal Trade Commission, in cooperation with Marshal Software, tracked down the owners of the botnet and froze their assets.[4]

On November 6, 2009, security company FireEye, Inc. took down the Mega-D botnet by disabling its command and control structure.[5][6] This was akin to the Srizbi botnet takedown in late 2008. The Mega-D/Ozdok takedown involved the coordination of dozens of Internet service providers, domain name registrars, and non-profit organizations like Shadowserver. M86 Security researchers estimated that the takedown had an immediate effect on the spam from the botnet. On November 9, 2009, the spam had stopped altogether, although there was a very small trickle over the weekend, directed to a couple of small UK-based domains that they monitored.[7]

The botnet subsequently bounced back, exceeding pre-takedown levels by November 22 and constituting 17% of worldwide spam by December 13.[8]

In July 2010, researchers from the University of California, Berkeley published a model of Mega-D's protocol state machine, revealing the internals of the proprietary protocol for the first time.[9] The protocol was obtained through an automatic reverse-engineering technique developed by the Berkeley researchers. Among other contributions, their research paper reveals a flaw in the Mega-D protocol that allows template milking, i.e., unauthorized downloading of spam templates. Such a flaw could be used to acquire spam templates and train spam filters before the spam hits the network.


In November 2010, Oleg Nikolaenko was arrested in Las Vegas, Nevada by the Federal Bureau of Investigation and charged with violations of the CAN-SPAM Act of 2003.[10] Nikolaenko eventually pleaded guilty to operating the Mega-D botnet to create a "zombie network" of as many as 500,000 infected computers.[11]

  1. "Storm worm dethroned by sex botnet". Archived from the original on 2012-04-02. Retrieved 2010-07-31.
  2. "New Mega-D botnet supersedes Storm". SPAMfighter. 2008-02-01. Retrieved 2010-07-31.
  3. "New Mega-D menace muscles Storm Worm aside". Ars Technica. February 2008. Retrieved 2011-12-06.
  4. Stone, Brad (October 14, 2008). "Authorities Shut Down Spam Ring". The New York Times.
  5. "Smashing the Mega-d/Ozdok botnet in 24 hours".
  6. Cheng, Jacqui (November 11, 2009). "Researchers' well-aimed stone takes down Goliath botnet". Ars Technica. Retrieved 2009-11-30.
  7. "Mega-D botnet takes a hit". M86 Security. November 9, 2009. Retrieved 2009-11-30.
  8. "Spam Statistics from the Security Labs team at M86 Security". M86 Security. Retrieved 2010-06-07.
  9. C.Y. Cho, D. Babic, R. Shin, and D. Song. "Inference and Analysis of Formal Models of Botnet Command and Control Protocols". 2010 ACM Conference on Computer and Communications Security.
  10. Vielmetti, Bruce (December 3, 2010). "Milwaukee FBI agent trips up Russian 'king of spam'". Milwaukee Journal Sentinel. Retrieved December 3, 2010.
  11. Leyden, John (December 1, 2010). "Feds pursue Russian, 23, behind ⅓ of ALL WORLD SPAM". The Register. Retrieved December 3, 2010.