The FireEye group received positive responses except from the overseas ISPs. The domestic C&C servers went down.
Next, Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D's existing domain names to nowhere. By cutting off the botnet's pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down.
Finally, FireEye and the registrars worked to claim spare domain names that Mega-D's controllers listed in the bots' programming. The controllers intended to register and use one or more of the spare domains if the existing domains went down--so FireEye picked them up and pointed them to "sinkholes" (servers it had set up to sit quietly and log efforts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of .
MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had "" for the previous year (find.pcworld.com/64165). The botnet's output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days later, FireEye's action had reduced Mega-D's market share of Internet spam to less than 0.1 percent, MessageLabs says.