Mega-D is one of the most prolific spam botnets, accounting for around 7 percent of spam traffic worldwide. It once accounted for as much as 50 percent of the world's spam volume but has quieted down since the high-profile takedown of the McColo hosting service and the 2009 takedown of its command-and-control (C&C) servers.
Mega-D is still alive though not as prolific as it once was. We let loose a Mega-D spam bot sample in our malware lab to see how many spammed messages one spam bot can generate in a day.
As shown in the chart above, the single spam bot was able to generate around 2,553,940 spammed messages in a span of 24 hours, an average of 1,764 spammed messages per minute.
Based on FireEye's 2009 estimate that the Mega-D spam bot population reached 264,784, multiplying that figure by a single bot's daily output gives an overall spam volume of 676,242,448,960 messages per day. That is a lot of spam!
The following is a spam sample generated by the Mega-D spam bot.
The link in the said spammed message will direct a user to a fake pharma site, the now all-too-familiar Web page of “Canadian Pharmacy” shown below.
The “Canadian Pharmacy” sites peddled by Mega-D bots are all hosted under the .RU ccTLD (country code Top Level Domain). As of this writing, these .RU domains resolve to an IP space somewhere in China.
Note that the spam traffic graph was generated via Mailgraph. Rest assured that no spammed messages escaped our malware lab. The outgoing mail traffic shown in the Mailgraph chart was all directed to one of our spam-processing systems.
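As an added example (not from the original post), the per-minute rate measured above can be turned into a check against a mail server's own logs, the same logs Mailgraph draws its charts from: count accepted SMTP connections per client IP per minute and flag any client whose peak is far beyond what a human sender produces. The Postfix-style log format, host names, IPs and the threshold are assumptions.

```python
import re
from collections import Counter

# Postfix-style smtpd line (assumed format):
# "Mon DD HH:MM:SS host postfix/smtpd[pid]: QUEUEID: client=name[ip]"
LOG_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S+?\[(?P<ip>[\d.]+)\]"
)

def make_sample_log():
    """Constructed sample: one workstation bursting like a Mega-D bot
    (1,800 messages inside a single minute) and one sending normally."""
    lines = []
    for i in range(1800):
        lines.append(f"Jan 10 12:00:{i % 60:02d} mx postfix/smtpd[2201]: "
                     f"{i:06X}: client=ws-17.corp.example[10.0.0.17]")
    for i in range(3):
        lines.append(f"Jan 10 12:00:{i * 20:02d} mx postfix/smtpd[2202]: "
                     f"B{i:05X}: client=ws-05.corp.example[10.0.0.5]")
    return lines

def per_minute_counts(lines):
    """Map (client_ip, minute) -> number of accepted connections."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[(m["ip"], m["minute"])] += 1
    return counts

def flag_spam_bots(lines, threshold=100):
    """Return [(ip, peak_messages_per_minute)] for clients whose peak
    exceeds the threshold. The threshold is an assumption: a bot sending
    ~1,764 messages a minute is orders of magnitude above any user, but
    the right cut-off depends on the environment's legitimate senders."""
    peak = {}
    for (ip, _minute), n in per_minute_counts(lines).items():
        peak[ip] = max(peak.get(ip, 0), n)
    return sorted((ip, n) for ip, n in peak.items() if n > threshold)

if __name__ == "__main__":
    for ip, rate in flag_spam_bots(make_sample_log()):
        print(f"possible spam bot: {ip} peaked at {rate} messages/minute")
```

Feeding the detector a rolling window of real `smtpd` lines, or a per-source count from the same data Mailgraph plots, gives an early signal of an infected host before its traffic reaches a blocklist.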