Update: As of 12/08, Jay from HiVelocity took the necessary steps to get these Command and Control servers shutdown. The FE research team thanks him and his team profusely for their efforts. Individual verification of customers is nearly impossible for a facility of their size, so we appreciate any efforts they can make after the fact. We'd also like to thank Ross Thomas from SophosLabs and Phil Hay from Marshal TRACE for their research efforts.
Yesterday, my colleague Atif was looking at Pushdo/Cutwail, and he found a disturbing number of the C&Cs were hosted at NOC4HOSTS. This isn't another McColo, but upon further investigation, there does appear to be a higher than average number of botnet controllers and malware hosted there. The is part 1 of an N part series on C&Cs, malware, and exploits hosted at NOC4HOSTS.
First up to bat for Grum is 66.232.109.120.
root@alex_lanstein --- {~} whois 66.232.109.120
[Querying whois.arin.net]
[whois.arin.net]
NOC4Hosts Inc. NOC4HOSTS1 (NET-66-232-96-0-1)
66.232.96.0 - 66.232.127.255
Zackary Taylor NOC4HOSTS1 (NET-66-232-109-120-1)
66.232.109.120 - 66.232.109.131
CustName: Zackary Taylor
Address: 15335 Stout Ave
City: Detroit
StateProv: MI
PostalCode: 48223
Country: US
RegDate: 2006-06-26
Updated: 2006-06-26
The name appears to be faked on the registration based on a quick Google search.
Our friends at the Marshal TRACE lab supplied with us with some samples to confirm that the below is indeed Grum, whom they say is responsible for ~13% of the world's SPAM. They report Pushdo/Cutwail at ~15%, which is also mainly hosted at NOC4HOSTS.
....E@....@.|.+I....B.mx...P.....U.lP.@.[q..GET /spm/s_alive.php?id=21457892512412&tick=218951&ver=814&smtp=bad HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)
Host: 66.232.109.120
Accept: */*
Connection: Keep-Alive
IP 66.232.109.120.80 > xxx.xxx.xxx.xxx.1230: tcp 218
....E...HE@.7...B.mx.....P...U.l....P.......HTTP/1.1 200 OK
Date: Fri, 05 Dec 2008 17:10:14 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.5
Content-Length: 16
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
9A1284BA921852
NOC4HOSTS is hosting another Grum C&C on 66.232.105.54. This is registered to a gentleman in the Ukraine... but he couldn't possibly have used his real name in the registration...right?
network:Network-Name:Andrey Kiselev-66.232.105.54
network:IP-Network:66.232.105.54/32
network:IP-Network-Block:66.232.105.54 - 66.232.105.54
network:Organization;I:Steephost
network:Street-Address:Kvartalniy number 6/13 Room 37
network:City:Pasochin
network:State:Kharkivska
network:Postal-Code:62418
network:Country-Code:Ukraine
....E.....@.}..O.g"~B.i6...P/;..7)./P...0...GET /spm/s_alive.php?id=90814129480&tick=93850124&ver=114&smtp=bad HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)
Host: 66.232.105.54
Accept: */*
Connection: Keep-Alive
IP 66.232.105.54.80 > xxx.xxx.xxx.xxx.3016: tcp 188
....E....U@.7.*.B.i6.g"~.P..7).//;..P.......HTTP/1.1 200 OK
Server: nginx/0.5.35
Date: Fri, 05 Dec 2008 16:22:11 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 16
9104F891E91
NOC4HOSTS is hosting another Grum C&C on 206.51.226.211. Registered to Andrey Kiselev as well:
network:Network-Name:Andrey Kiselev-206.51.226.211
network:IP-Network:206.51.226.211/32
network:IP-Network-Block:206.51.226.211 - 206.51.226.211
network:Organization;I:Steephost
network:Street-Address:Kvartalniy number 6/13 Room 37
network:City:Pasochin
network:State:Kharkivska
network:Postal-Code:62418
network:Country-Code:Ukraine
E.....@.@.%k... .3...Q.P.....|.<...\u......
..+.9...GET /spm/s_alive.php?id=DEC&tick=DEC&ver=200&smtp=ok&task=DEC HTTP/1.1
Host: 206.51.226.211
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
15:56:43.662925 IP 206.51.226.211.80 > 192.168.2.32.50513: tcp 218
E....x@.1....3..... .P.Q.|.<...|...@.......
9. 9..+.HTTP/1.1 200 OK
Date: Sat, 06 Dec 2008 00:36:31 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Content-Length: 16
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
37352E3B2B26305E
15:56:43.662962 IP 192.168.2.32.50513 > 206.51.226.211.80: tcp 0
E..4..@.@.'.... .3...Q.P...|.|.....l.......
..+.9. 9
They are hosting another Grum C&C on 206.51.237.93, again, thanks to Andrey:
E....C@.@..x... .3.].?.P.i..TF..P.. ./..GET /spm/s_alive.php?id=DEC&tick=DEC&ver=200&smtp=ok&task=DEC HTTP/1.1
Host: 206.51.237.93
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0
15:59:03.266233 IP 206.51.237.93.80 > 192.168.2.32.57919: tcp 188
E....~@.0..<.3.]... .P.?TF...i..P....3..HTTP/1.1 200 OK
Server: nginx/0.5.32
Date: Fri, 05 Dec 2008 23:59:04 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4
Content-Length: 16
37352E3B2B26305E
I don't believe more packet data is needed, but they are also hosting Grum C&Cs on 66.232.114.152 and 74.50.100.117, both registered to Andrey.
One last note before the weekend, is that if you browse to these IPs directly (which I do not advise), you are presented with a fake TOS violation page, which is the template for the popular hosting platform cPanel. The connections are actually succeeding, and the bots can communicate, so the bot herder must have thrown that page up to allay suspicion.
All the bots in our labs connecting to these servers are actively trying to send SPAM. The findings above confirm our belief that a very large percentage of the world's SPAM is sent by botnets controlled through just a handful of data centers.
Alex Lanstein @ FireEye Malware Intelligence Lab
Question/Comments to research [@] fireeye dawt COM
this is another of their scam sites with a search I did http://www.nowtorrents.com/torrents/this+is+a+scam+site+.html hosted by NOC4HOSTS you may find the search results interesting! There should be an easier way to shut these sort of sites and companies down
Posted by: kai | 2009.02.15 at 05:16 PM
There's a cutwail C&C also running in HI velocity @ 69.46.20.65. The traffic is to port 2065 and looks like obfuscated traffic. The only discernible text in the stream is "L.....9ifnospam.0.exe_url..exe_url........"
The other portion of the cutwail C&C is in SoftLayer, also in the US. I posted some of the details on my blog: http://realsecurity.wordpress.com/
Posted by: Andrew | 2008.12.12 at 01:17 PM
Hivelocity response team is actually decently responsive, they null routed all mentionned IPs yesterday.
Posted by: Martin | 2008.12.09 at 01:28 AM
Out of curiosity, do you folks report this sort of thing to the DC's abuse team? Where I work (an unnamed leader in the hosting industry), our abuse team takes this sort of thing _very_ seriously. If the NOC won't do anything about it, hand the packet logs over to the upstream provider(s) along with copies of the messages submitted to the DC.
Posted by: Skudd | 2008.12.06 at 04:06 PM