Security researchers have taken down a major spam offender, though the dip in spam levels may be only temporary. Members of the FireEye security team coordinated an attack on the Mega-D botnet (also known as Ozdok) last week by preemptively registering domains meant for the botnet's command and control channels (CnCs) and shutting down others. Spam coming from Mega-D stopped almost instantly, proving that David really can take down Goliath every once in a while.

Ever since the shut-down of McColo in 2008, the brains behind spam botnets have been much smarter about diversifying their CnCs. As pointed out by a FireEye blog post, they're no longer relying on a single set of domains to control the botnet—instead, many current botnets have mechanisms in place that deterministically generate the next block of domains that the zombie machines will look for once the current set is shut down, and the people controlling the CnCs simply register those domains on the fly as needed. Because the bots and the bot herders run the same algorithm, both sides know the future domain names in advance; whoever registers them first gets the bots.

Such is the case with Mega-D/Ozdok, which has not one, but two fallback mechanisms for when the original CnCs go down. Not only does it carry its own list of DNS servers for resolving its CnC domains (so that blocking or poisoning the victim's ISP resolvers is not enough), it can also generate new domains based on the current date and time. "Unless someone is committed enough to pre-register those domains, the bot herders can always come forward and register those domains and take botnet control back," the FireEye team wrote.

FireEye's move against Mega-D started with abuse notifications to the ISPs hosting the CnC servers—all but four of the servers were taken down immediately. The firm then worked with numerous domain registrars to take down the primary CnC domains in order to throw a wrench into the botnet's workings. Next, the researchers registered a number of domains that were on Mega-D's permanent (hardcoded) CnC list but were mysteriously unregistered; this move essentially handed FireEye CnC control of the botnet. They pointed those domains at a sinkhole server, where data on the infected machines that checked in was collected in order to help users recover control of their PCs.

Finally, FireEye began registering in advance some of the soon-to-be-generated domains based on date and time for the next three days, anticipating that the botnet would begin looking for those domains once it realized the current ones were out of commission. This, apparently, was the nail in the coffin, as the firm wrote in a new blog post (via Slashdot) that "everything went right according to plan."
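The steps above (identify unregistered domains on the hardcoded list, register them, then stay ahead of the date-seeded generator) can be modelled in a few lines. The following is an added example written for this page, not FireEye's tooling and not Mega-D's real generator: the page does not describe the botnet's actual algorithm, so the SHA-256-based `dga_candidates`, its seed, the three-domains-per-day count, the `.com` TLD and all sample domain names are constructed stand-ins. Real work would recover the seed and algorithm by reversing the bot and check registration status against WHOIS/RDAP instead of the constructed `already_registered` set.

```python
"""Illustrative model of the two things a defender had to cover here: the
botnet's hardcoded ("permanent") C&C domain list and its date-seeded fallback
domains. CONSTRUCTED example; the real Ozdok/Mega-D scheme is not on this page."""
import hashlib
from datetime import date, timedelta

# Constructed parameters. For a real DGA these are recovered by reversing the bot.
DGA_SEED = b"constructed-example-seed"
DGA_TLD = "com"
DOMAINS_PER_DAY = 3


def dga_candidates(day_iso, clock_skew_days=0):
    """Fallback domains a bot would derive for the day `day_iso` (YYYY-MM-DD).

    With clock_skew_days > 0 the neighbouring days are included as well: an
    infected PC's clock need not agree with the defender's, so a plan built
    for exactly "today" can miss bots that think it is yesterday or tomorrow.
    """
    base = date.fromisoformat(day_iso)
    out = []
    for offset in range(-clock_skew_days, clock_skew_days + 1):
        d = base + timedelta(days=offset)
        for i in range(DOMAINS_PER_DAY):
            # Deterministic: seed + date + index -> label. Both sides can compute it.
            material = DGA_SEED + d.isoformat().encode() + bytes([i])
            label = hashlib.sha256(material).hexdigest()[:12]
            out.append(f"{label}.{DGA_TLD}")
    return out


def preregistration_plan(start_iso, days_ahead=3, already_registered=frozenset(),
                         clock_skew_days=0):
    """Domains a defender must hold before the bot herders do, for each of the
    `days_ahead` days after `start_iso`. Names someone already holds are dropped
    (in practice that check is a WHOIS/RDAP lookup; here it is a constructed set)."""
    start = date.fromisoformat(start_iso)
    plan = {}
    for n in range(1, days_ahead + 1):
        d = (start + timedelta(days=n)).isoformat()
        plan[d] = [dom for dom in dga_candidates(d, clock_skew_days)
                   if dom not in already_registered]
    return plan


def unregistered_permanent(permanent_list, registered):
    """Hardcoded C&C domains nobody currently holds: the kind the page says
    FireEye found unregistered and pointed at its sinkhole."""
    return sorted(set(permanent_list) - set(registered))


def control_gap(plan, defender_holds):
    """Days on which at least one candidate is NOT held by the defender. Each
    such day is an opening for the herders to register it and take control back."""
    return [day for day, doms in plan.items()
            if any(dom not in defender_holds for dom in doms)]


if __name__ == "__main__":
    # Constructed sample data, not Mega-D's real domains.
    permanent = ["cnc-alpha.example", "cnc-beta.example", "cnc-gamma.example"]
    held_by_herders = {"cnc-beta.example"}
    print("take over now:", unregistered_permanent(permanent, held_by_herders))
    plan = preregistration_plan("2009-11-05", days_ahead=3, clock_skew_days=1)
    for day, doms in plan.items():
        print(day, doms)
    print("uncovered days:", control_gap(plan, set()))
```

The point `control_gap` makes is the one the article's last paragraph returns to: the plan is only as good as its horizon. The day the defender stops registering, the generator keeps producing names, and the herders need to win only one of them.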

Spam coming out of Mega-D has stopped altogether (at least for the time being), but it's not all good news from here on out. For one, much of Mega-D's spam was already being caught by server-side spam filters, meaning that users may not notice much of a difference in spam levels on the client end. Additionally, in order to keep Mega-D offline for good, the firm would have to keep registering the generated domains ahead of Mega-D's controllers indefinitely; the day it stops, the herders can register the next batch and take the bots back. Still, even a temporary victory in this case is notable—all it took was swift action (it all happened within a period of 24 hours) and a coordinated plan that hit the botnet from every angle at once to seriously disable Mega-D, and all thanks to a relatively small security team.