SecureWorks / Team Cymru solve the mystery of the Mega-D Trojan

Joe Stewart is the man . . . I have a ton of respect for him and everyone at Team Cymru.  They teamed up to find the C&C for the Mega-D trojan and Joe has done another one of his excellent write-ups here:

What I find interesting is:

  1. This malware appears to have been in the wild (probably in small numbers) for at least a year.

  2. The botnet appears to be made up of only about 35,000 infected machines - relatively small by today's botnet standards - yet is able to contribute to 1/3 of all known spam!

  3. Even though it contributes 30+% of all known spam - the AVs still seem to be having a hard time consistently detecting the malware and attributing that detection to a common family (although once they have detection - removal doesn't seem to be a problem).

  4. It's not using any form of active stealth as near as I can tell (just good ole ADS's and clevelry named services to hide in plain sight).

Joe doesn't explicitly link Ozdok / Mega-D to any particular web based 0-day but there have been a number of 0-day's in various products in recent months that could have been used to infect these 35,000 machines (Acrobat, QuickTime etc.).

Here's the recipe for disaster:

  1. 0-day in some trusted / widely installed AX control (Flash / Acrobat / QuickTime etc.)

  2. Vulnerable PHP servers visited by tens of thousands of people a day

  3. Malware spam-bot that is not detected by any AV signatures

The bad guys compromise a legitimate Apage / PHP server and set it up to serve up the exploit + malware payload . . . BUT they can make the PHP pages they upload only hand out the exploit a certain number of times to a given IP address or they can make it only hand out the exploit + payload if you click through to the page from a search engine result or a combination of both to make it harder for first responders to figure out where it came from.  The bad guys can purchase or download all of the major AV packages and continually refine their malware until it is no longer detected by any of them (and in fact they probably automate this process!).

A strange game - the only winning move is not to play.

Comments (1)

  1. Anonymous says:

    Given how few people actually seem to update Java, QuickTime, Adobe Reader, Flash etc on a regular basis, it doesn’t have to be zero-day.

    I recently discovered that installing new Java Runtimes (JREs) does not block off access to old ones – a web page can request a specific version and if installed, it will load, EVEN IF IT IS VULNERABLE. This germ of information came from Secunia’s Personal
    Software Inspector (

    Keeping the OS up to date is no longer really a problem. Keeping the web browser updated is harder, if it’s not shipped with the OS. Keeping plugins updated seems to be very hard indeed.

    If you’re interested in keeping your system secure, ditching Adobe Reader for the apparently less vulnerable (though probably much less targetted) Foxit Reader seems like a good idea.

Skip to main content