Mega-D botnet

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

On October 14, 2008, the U.S Federal Trade Commission, in cooperation with Marshal Software, tracked down the owners of the botnet and froze their assets.

On November 6, 2009, security company FireEye, Inc. disabled the Mega-D botnet by disabling its command and control structure. This was akin to the Srizbi botnet takedown in late 2008. The Mega-D/Ozdok takedown involved coordination of dozens of Internet service providers, domain name registrars, and non-profit organizations like Shadowserver. M86 Security researchers estimated the take down had an immediate effect on the spam from the botnet. On November 9, 2009, the spam had stopped altogether, although there was a very small trickle over the weekend, directed to a couple of small UK-based domains that they monitored.

Since then the botnet bounced back, exceeding pre-takedown levels by Nov. 22, and constituting 17% of worldwide spam by Dec. 13.

In July 2010, researchers from University of California, Berkeley published a model of Mega-D's protocol state-machine, revealing the internals of the proprietary protocol for the first time. The protocol was obtained through automatic Reverse Engineering technique developed by the Berkeley researchers. Among other contributions, their research paper reveals a flaw in the Mega-D protocol allowing template milking, i.e., unauthorized spam template downloading. Such a flaw could be used to acquire spam templates and train spam filters before spam hits the network.

Arrest
In November 2010, Oleg Nikolaenko was arrested in Las Vegas, Nevada by the Federal Bureau of Investigation and charged with violations of the CAN-SPAM Act of 2003. Nikolaenko eventually pleaded guilty of operating the Mega-D botnet to create a "zombie network" of as many as 500,000 infected computers.