Bot-hunters were somewhat puzzled recently when a botnet called Mega-D suddenly started grabbing headlines as the successor to the Storm (or Nuwar) botnet. Though the Storm network does seem to have declined in overall numbers over recent months, reports of its demise still seem exaggerated, and no-one seemed quite sure what Mega-D was and where it had come from. However, an excellent analysis by the estimable Joe Stewart casts some light on the subject.
According to Joe’s investigations, the Mega-D network seems to have grown to a formidable 35,000 or so machines, virtually unnoticed. (By his estimate, Storm currently runs at around 85,000 bots.) Why did the size of Mega-D come as such a surprise?
It seems that Mega-D is using the Ozdok bot family, which Joe describes as "little known". He’s also pointed out, having submitted a sample to VirusTotal, that while most vendors detected it (yes, of course we did, but thank you for asking!), very few detected it by that name. So, as Shakespeare said, what’s in a name? If you detect it, does it matter what name you identify it by? Well, usually, no. In fact, the sheer volume of malware variants nowadays means that it’s more efficient to use more generic detection techniques such as heuristic analysis and generic signatures wherever possible. So this doesn’t represent a detection failure in terms of bot-compromised PCs: it’s unlikely that the botnet would be any smaller if all companies were using the same identifier. However, it would probably have taken much less time to flag the existence of what turns out to be a fairly hefty botnet, because we’d have recognized the commonality of the infections. Whether that would have had any mitigating effect on the scale and impact of Mega-D is another question.
You could see this as an illustration of the problem this industry has with naming: no-one has the time and resources to crossmatch all the samples we see so that everyone can use the same name for every variant or subvariant.
On the other hand, there’s something quite reassuring about the way the name can change as we learn more about a specific family or variant. Pierre-Marc checked back on some of the samples we’ve received over the past month or so. If NOD32 picked up an Ozdok compromise on your network, the actual identifier it would have used might have varied quite a lot, according to which variant it picked up and when. Some of those samples were identified generically as a bot or agent: for example, programs using obfuscation techniques characteristic of malware families ring an immediate alarm bell. Some were identified as specific Ozdok variants, and those are usually the ones that have been around long enough for more detailed analysis. But what matters most is that they’re detected as malicious programs, and as early as possible in their evolution.
David Harley, Research Author
Author David Harley, We Live Security