How Three Guys Dismantled One of the World's Most Powerful Botnets

If you're envisioning lines of code flying across bays of screens, amphetamine-fueled digital manhunts and dramatic, albeit rendered, explosions, I'm sorry. When major botnets fall nowadays, it's the product of hard work, patience, and some well-placed phone calls.

For the last couple of years, security firm FireEye has been under contract to protect its clients' computers from the Mega-D botnet, a 250,000-PC-strong army of drones that's probably spammed you at one point or another, if not worse. After a while, they took the fight to the botnet's home turf. It's a tale of phone calls! Emails! Polite requests! Filling out forms! Etcetera!:

FireEye and the registrars worked to claim spare domain names that Mega-D's controllers listed in the bots' programming. The controllers intended to register and use one or more of the spare domains if the existing domains went down—so FireEye picked them up and pointed them to "sinkholes" (servers it had set up to sit quietly and log efforts by Mega-D bots to check in for orders).
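To make the sinkhole part concrete, here is an added example (not FireEye's code, and not from the PCWorld piece) of the triage a defender runs over a sinkhole's check-in log once the spare domains point at it: count how many distinct infected hosts called home to each domain, and separate genuine bot check-ins from unrelated traffic that hits the sinkhole IP directly. The log format, the domain names and the log lines are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, NamedTuple, Optional

# Constructed: fallback domains the defender registered and pointed at the sinkhole.
SINKHOLED_DOMAINS = {"backup-c2-example.test", "spare-c2-example.test"}

class CheckIn(NamedTuple):
    ts: datetime
    src_ip: str
    host: str
    path: str

def parse_checkin(line: str) -> Optional[CheckIn]:
    """Parse one sinkhole log line: '<ISO timestamp> <src IP> <Host header> <path>'.
    Returns None for malformed lines so one bad record never stops the count."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return CheckIn(ts, parts[1], parts[2].lower(), parts[3])

def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count check-ins and distinct source IPs per sinkholed domain.
    Requests whose Host header is not one of our domains (scanners hitting the
    sinkhole address directly, for instance) are counted as ignored, not as bots."""
    checkins = defaultdict(int)
    bots = defaultdict(set)
    ignored = 0
    for ci in map(parse_checkin, lines):
        if ci is None:
            continue
        if ci.host not in SINKHOLED_DOMAINS:
            ignored += 1
            continue
        checkins[ci.host] += 1
        bots[ci.host].add(ci.src_ip)
    return {"checkins": dict(checkins),
            "bots": {d: len(ips) for d, ips in bots.items()},
            "ignored": ignored}

# Constructed sample log (documentation IP ranges); one repeat visitor, one direct hit, one bad line.
SAMPLE_LOG = """2009-11-04T10:00:01 198.51.100.7 backup-c2-example.test /cmd
2009-11-04T10:00:02 198.51.100.7 backup-c2-example.test /cmd
2009-11-04T10:00:05 203.0.113.9 backup-c2-example.test /cmd
2009-11-04T10:01:00 192.0.2.44 spare-c2-example.test /cmd
2009-11-04T10:01:30 192.0.2.45 203.0.113.250 /
not a valid line""".splitlines()
```

Distinct source IPs per domain is the number that drives the "botnet size" estimates quoted in stories like this one, which is why repeat check-ins from the same host are counted separately from hosts.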

This is how you kill a botnet: by slowly, diligently severing all its ties to legitimate companies, which, whether knowingly or not, play a vital role in its survival. Anyway, BORING, why do we care?

MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had "consistently been in the top 10 spam bots" for the previous year. The botnet's output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days later, FireEye's action had reduced Mega-D's market share of Internet spam to less than 0.1 percent, MessageLabs says.

Three dudes averted billions of V1AGR4 messages, without ever leaving their office. They should make a Band of Brothers-style miniseries about this. It would be boring! But I would watch it. [PCWorld]