UPDATE: Although the data below is still interesting, Telia has since withdrawn the routes for McColo's net blocks.
As we were monitoring Srizbi and Rustock in our labs today, a sample in the lab suddenly started connecting to a routable McColo C&C server. This McColo-hosted C&C server, at 208.66.194.22, was once again fully responding to Rustock. It appears they're back! The best part of this story is that they haven't physically moved their servers... they're still in Market Post Tower in sunny San Jose. Telia (whom I contacted) appears to have low enough standards that they are providing McColo a new cross-connect.
Continue reading "McColo found a new upstream provider (update)" »
While looking for more information on the recent McColo shutdown, the research team here came across something very interesting. We found a blog named 'micaelale blog' which had an article about the recent takedown.
hxxp://micaelale.vox.com/library/post/mccolo.html?_c=feed-atom (careful, it's malicious!)
Continue reading "McColo's Video Debut" »
The shutdown of the McColo Corporation left hundreds of thousands of bots without a Command and Control server to connect to. The research team here at HQ decided to look into the fallback mechanism that one of the top botnets, Srizbi, employs. We assumed there was a contingency plan that would be enacted once the primary C&C had been down for an extended period of time. It appears we were correct in this assumption, but we were shocked, to say the very least, at the implementation. This is part 1 of an N-part series about botnet fallback channels.
Continue reading "100,000+ Srizbi IPs detected in 24 hours, Part 1" »
Something funny happened while I was writing another anti-McColo article today... the domains stopped responding. What I was going to write about was how Rustock changed its Command and Control server to an IP previously used by Pushdo/Cutwail. This is clearly not a coincidence and shows again that these botnets are run by the same group.
Continue reading "McColo shutdown Nov 11, 2008 16:23 EST" »
Just a quickie before the weekend -
I was browsing through the captures from my Rustock bot lab and I noticed something not exactly earth-shattering.
Continue reading "Quick nugget on the McColo/Russia/Rustock connection" »
There's lots of talk these days about how URL-based signatures are quickly becoming obsolete, but you rarely see real live proof of this. Today I'll show you a couple of quick examples to hammer the point home.
Continue reading "The case against URL blacklists" »
A month ago we wrote that McColo was hosting a Rustock Command and Control server on 208.72.168.191. I wish I could report that Hurricane Electric or Global Crossing, their two upstream providers, had stopped routing these clowns, but unfortunately that is not the case.
Continue reading "McColo (still) hosting Rustock C&C" »
We've written about McColo hosting the Srizbi Command and Control servers a couple of times, but today I saw a fun wrinkle that I haven't seen before.
After my machine got infected, it went through the standard connectivity test. The first test was the standard "can I send SPAM?" test that bots do, i.e., the outbound port 25 check. However, when I took a closer look at the SPAM test, the test domain turned out to be hosted by McColo as well!
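The two signals described in these posts, a freshly infected host running its outbound port 25 "can I send spam?" check, and a lab sample contacting a C&C address that another family has used before, are easy to pull out of a flow summary. The following is an added example written for this page, not code from the original posts: it parses a constructed flow log (the format and the TEST-NET destination addresses are assumptions; only 208.66.194.22 and 208.72.168.191 come from the posts), flags non-MTA hosts opening TCP/25, lists contacts to the known C&C addresses, and reports C&C IPs that show up under more than one family, the overlap the Rustock/Pushdo post points at.

```python
"""Triage of a lab capture for the bot behaviours described in the posts above.

Added example: the log format, the MTA allowlist and the TEST-NET addresses are
constructed for illustration; the two C&C addresses are the ones named on the page.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# C&C addresses named in the posts (Rustock, hosted on McColo space).
KNOWN_CNC = {
    "208.66.194.22": "Rustock",
    "208.72.168.191": "Rustock",
}

# Assumption: the lab has exactly one sanctioned mail relay.  Any other host
# opening TCP/25 to the Internet is running the bot's outbound-SMTP check.
MTA_ALLOWLIST = {"10.0.0.25"}

# Constructed capture summary, one flow per line:
#   <epoch> <src>:<sport> -> <dst>:<dport> <proto>
# 203.0.113.0/24 and 198.51.100.0/24 are TEST-NET ranges standing in for the
# real mail-test hosts, which the posts do not name.
SAMPLE_LOG = """\
1226440001 10.0.0.17:51022 -> 203.0.113.10:25 tcp
1226440002 10.0.0.17:51023 -> 208.66.194.22:80 tcp
1226440003 10.0.0.25:40011 -> 203.0.113.10:25 tcp
1226440004 10.0.0.17:51024 -> 203.0.113.11:25 tcp
1226440005 10.0.0.42:33000 -> 198.51.100.5:53 udp
1226440006 10.0.0.42:33001 -> 208.72.168.191:80 tcp
1226440007 10.0.0.42:33002 -> 203.0.113.10:25 tcp
this line is malformed on purpose and must be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the flow summary; malformed lines are dropped rather than fatal."""
    flows: list[Flow] = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(int(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return flows


def smtp_probes(flows: list[Flow], allowlist=MTA_ALLOWLIST) -> dict[str, list[str]]:
    """Map each non-MTA source to the hosts it tried to reach on TCP/25."""
    hits: dict[str, list[str]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 25 and f.src not in allowlist:
            hits[f.src].append(f.dst)
    return dict(hits)


def cnc_contacts(flows: list[Flow], known=KNOWN_CNC) -> list[tuple[str, str, str]]:
    """(src, dst, family) for every flow to a known C&C address, on any port."""
    return [(f.src, f.dst, known[f.dst]) for f in flows if f.dst in known]


def shared_cnc_ips(sightings: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Given (family, ip) sightings, return IPs seen under more than one family."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for family, ip in sightings:
        by_ip[ip].add(family)
    return {ip: fams for ip, fams in by_ip.items() if len(fams) > 1}


# Constructed sightings; the shared address is a TEST-NET placeholder because the
# post does not give the actual Pushdo/Cutwail address Rustock moved to.
SIGHTINGS = [
    ("Rustock", "208.72.168.191"),
    ("Rustock", "198.51.100.7"),
    ("Pushdo/Cutwail", "198.51.100.7"),
    ("Srizbi", "198.51.100.9"),
]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("SMTP probes from non-MTA hosts:", smtp_probes(flows))
    print("C&C contacts:", cnc_contacts(flows))
    print("C&C IPs shared across families:", shared_cnc_ips(SIGHTINGS))
```

In a real deployment the allowlist is your MTA inventory and the C&C set is whatever indicator feed you trust; the point of keying on the destination port rather than on a URL or domain is that the bot's SMTP check survives every domain rotation the posts above complain about.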
Continue reading "McColo hosting Srizbi C&C" »
Continuing the theme of the last article, here is another example of McColo hosting a Command and Control server. It appears they are nice enough to host the C&C for a 2004 worm known as Dedler.
Continue reading "McColo hosting W32/Dedler C&C" »
There doesn't seem to be a day that goes by that I don't have something new to add on McColo. It's not that I am trying to target their fine colocation facility, and it's not that I have a thing against Scotland (har har); it's just that our appliance keeps detecting more and more badness coming out of their subnets.
Today I'd like to briefly mention a couple of examples of what McColo is doing that no one else is talking about. I'll be doing this in a couple of parts just to break up the content.
Continue reading "More on McColo and Rogues" »