Thursday, 5 November 2009

Killing the beast...Part 4 (Ozdok)

Ozdok, a.k.a. Mega-d, is one of those botnets that has been very successful at flying under the radar over the past few years. Recent stats from Marshal TRACE show that Ozdok is currently responsible for about 4.2% of the world's overall spam. The question that arises again is who is controlling this botnet, and, more importantly, from where? I recently conducted a detailed study of Ozdok's active command and control (CnC) servers. There are two main things I took away from this study.

1. The USA is still a first choice for bad guys when it comes to hosting CnC servers.

2. After the McColo takedown, these guys are no longer relying on a single net block for hosting their CnCs. To further protect themselves, most botnets today are equipped with a fallback mechanism; in the case of Ozdok, there is more than one. These come into play once the primary command and control structure falls apart. How? I'll explain that shortly.

Here are the geo-locations of the Ozdok command and control servers, based on the last few months of data:

