In my previous article, I described the Ozdok command and control architecture and its fallback mechanisms in detail. That article set out, in theory, the different approaches that could be used to take down this botnet. An actual shutdown, however, is far more complex than identifying the command and control server coordinates and the fallback mechanisms. It requires someone to take the initiative and coordinate a combined effort involving third parties such as ISPs, registries and registrars.
Instead of playing a passive role, this time FireEye decided to come forward and work with these groups to make this happen. The good news is that, at the time of writing, all the major Ozdok command and control servers (as listed in my last post) have been taken down. As it turns out, no matter how many fallback mechanisms are in place, if they are not all implemented properly, the botnet is vulnerable.
FireEye's formal effort to shut down this botnet started last night. The research team here worked in multiple directions simultaneously, with the aim of disabling all the fallback mechanisms so quickly that the bot herders would not get a chance to react.
The first step was to prepare the evidence against the rogue domains and hosts, in the form of pcaps and actual Ozdok malware samples. Once the evidence package was ready, these were the steps taken by our research team: