FireEye Malware Intelligence Lab

UPDATE:  Although the below is still interesting data, Telia has withdrawn the routes for McColo's net blocks

As we were monitoring Srizbi and Rustock in our labs today, all of a sudden a sample from the lab started connecting to a routable  McColo C&C server. This McColo hosted C&C server, with an IP of 208.66.194.22, was again fully responding to Rustock.  It appears they're back!  The best part about this story is that they haven't physically moved their servers... they're still in Market Post Tower in sunny San Jose.  Telia (whom I contacted) appears to have low enough standards that they are providing McColo a new cross-connect.

While looking for more information on the recent Mccolo shutdown, the research team here came across something very interesting. We found a blog with the name of 'micaelale blog'  which had an article about the recent take down.

hxxp://micaelale.vox.com/library/post/mccolo.html?_c=feed-atom (careful, it's malicious!)

The shutdown of the McColo Corporation left hundreds of thousands of Bots without a Command and Control server to which to connect.  The research team here at HQ decided to look into the fallback mechanism that one of the top Botnets, Srizbi, employed.  We assumed that there was a contingency plan that was enacted once the primacy C&C was down for an extended period of time.  It appears we were correct in this assumption, but we were shocked, to say the very least, at the implementation.  This is part 1 of an N part series about Botnet fallback channels.

Something funny happened while I was writing another anti-McColo article today... the domains stopped responding.    What I was going to write about was how Rustock changed its Command and Control server to an IP previously used by Pushdo/Cutwail.  This is clearly not a coincidence and shows again that these Botnets are run by the same group.

Just a quickie before the weekend -

I was browsing through the captures from my Rustock bot lab and I noticed something not-exactly-earth-shattering

A month ago we wrote that McColo was hosting a Rustock Command and Control server on 208.72.168.191.  I wish I could report that Hurricane Electric or Global Crossing, their two upstream providers, had stopped routing these clowns, but unfortunately, that is not the case.

We've written about McColo hosting the Srizbi Command and Control servers a couple times, but today I saw a fun wrinkle that I haven't seen before. 

After my machine got infected, it went through the standard connectivity test.  The first test was the standard "can I send SPAM?" test that Bots do - ie, the outbound port 25 check.  However, when I took a closer look at the SPAM test, the test domain is also hosted by McColo!

Continuing the theme of last article, here is another example of McColo hosting a Command and Control server.  It appears they are nice enough to host the C&C for a 2004 worm known as Dedler. 

There doesn't seem to be a day that goes by that I don't have something new to add on McColo.  It's not that I am trying to target their fine colocation facility, and it's not that I have a thing against Scotland (har har), it's just that our appliance keeps detecting more and more badness coming out of their subnets. 

Today I'd like to briefly mention a couple examples of what McColo is doing that no one else is talking about.   I'll be doing this in a couple parts just to break up the content.