
Zoom-In to Pushdo CnCs….

[Dec, 8th, UPDATE] Today NOC4HOSTS responded to our abuse notifications and pulled the plug on all the Pushdo CnC servers mentioned in this post, along with many Grum CnCs as mentioned here. We sincerely thank NOC4HOSTS for their positive response.

[Dec, 4th, UPDATE] One more CnC within NOC4HOSTS: 74.50.113.92.

[Dec, 4th, UPDATE] One more IP from NOC4HOSTS, 74.50.120.87, has been found to be serving Cutwail. As in the other cases, this host is continuously delivering new SPAM templates and is therefore one cause of the recent increase in worldwide SPAM.

[UPDATE] We have identified one more Cutwail CnC (74.50.125.72) hosted at NOC4HOSTS. So far NOC4HOSTS has not responded to any of the abuse notifications sent by FireEye.

In my previous post, I discussed different aspects of Pushdo’s command and control architecture and its fallback mechanism. Now I will discuss some datacenters which are currently hosting Pushdo and Cutwail command and control servers.

Let’s first discuss the Cutwail CnCs, as these are the ones which supply daily SPAM ammunition, in the form of new templates, to bots all over the world. Without these servers, the Pushdo botnet will no longer be able to send SPAM.

One such server is currently located in Estonia, hosted by STARLINE WEB SERVICES, at the IP address and port 92.62.100.95:1995. This is the same data center Srizbi used a few days back in an attempt to regain control of its bots. That attempt did not prove very fruitful after a quick response by the community and the Estonian CERT.

UPDATE: Estonia has pulled this server offline and we sincerely appreciate their swift action.

Here is the WHOIS response for 92.62.100.95:

inetnum: 92.62.100.0 - 92.62.100.255
netname: STARLINE_EE
descr: Starline Web Services
country: EE
admin-c: VN268-RIPE
tech-c: VN268-RIPE
status: ASSIGNED PA
mnt-by: AS39823-MNT
source: RIPE # Filtered

person: Viktor Norin
address: Pae 21
address: Tallinn
address: Estonia
nic-hdl: VN268-RIPE
phone: +3726370911
abuse-mailbox: abuse@starline.ee

[Image: Cutwail_estonia]

SPAM templates provided by this server have mostly been fake job offers to tempt users into sending their resumes to the given email addresses. I guess it’s another social engineering trick to snatch people’s personal information.

[Image: Spam_jobs]

NOC4HOSTS USA is another datacenter currently being used by Cutwail bots to download new SPAM templates. Here are some of the IPs belonging to NOC4HOSTS which are active at this moment:

74.50.125.84:3590, 74.50.125.98:3590, 74.50.125.72:3590

WHOIS for these servers is as follows:

OrgName: NOC4Hosts Inc.
OrgID: NOC4H
Address: 400 N Tampa St
Address: #1025
City: Tampa
StateProv: FL
PostalCode: 33602
Country: US

ReferralServer: rwhois://rwhois.noc4hosts.com:4321/

NetRange: 74.50.96.0 - 74.50.127.255
CIDR: 74.50.96.0/19
NetName: NOC4HOSTS2
NetHandle: NET-74-50-96-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS.NOC4HOSTS.COM
NameServer: NS2.NOC4HOSTS.COM
Comment:
RegDate: 2007-03-14
Updated: 2007-11-14

RAbuseHandle: NAA7-ARIN
RAbuseName: Noc4Hosts Abuse Admin
RAbusePhone: +1-877-801-1443
RAbuseEmail: abuse@noc4hosts.com

The SPAM theme served by these servers is ‘male enhancement pills’; most of the links inside these SPAM emails point to Canadian Pharmacy websites.

After the McColo shutdown, only a few CnCs for Pushdo are still responding to its bots. One such server (69.147.239.106:80) is located in the USA, hosted by UBIQUITY SERVER SOLUTIONS NEW YORK.

[atif@max ~]$ whois 69.147.239.106
[Querying whois.arin.net]
[whois.arin.net]
Nobis Technology Group, LLC NETBLOCK-NOBIS-TECHNOLOGY-GROUP-02 (NET-69-147-224-0-1)
69.147.224.0 - 69.147.255.255
Ubiquity Server Solutions New York NETBLK-UBIQUITY-NEW-YORK-69-147-239-0 (NET-69-147-239-0-1)
69.147.239.0 - 69.147.239.255

[Image: Cutwail_new]

The IPs above are not a complete list, but they are the ones which are most active today. I suspect there might be many other CnCs in the same subnets which are currently unknown to us. As we find more samples and do more research, we’ll continue to make posts (after we send notification emails) to update the community on the current state of the CnCs.
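As an added example (not part of the original post or FireEye’s tooling), the following script does the two things a network defender would want from the information above: it flags outbound flows to the CnC endpoints and hosting netblocks listed in this post, and it pulls the abuse contact out of the RIPE and ARIN WHOIS records so the notification email can be sent. The firewall log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Cutwail / Pushdo CnC endpoints listed in the post, as (ip, port) pairs
CNC_ENDPOINTS = {
    ("92.62.100.95", 1995),
    ("74.50.125.84", 3590), ("74.50.125.98", 3590), ("74.50.125.72", 3590),
    ("69.147.239.106", 80),
}

# Netblocks taken from the WHOIS records in the post; a hit here is only a
# weak signal (shared hosting), so it is reported separately from a CnC hit
CNC_NETBLOCKS = [ipaddress.ip_network(n) for n in
                 ("92.62.100.0/24", "74.50.96.0/19", "69.147.239.0/24")]

# RIPE records carry the contact as abuse-mailbox, ARIN records as RAbuseEmail
ABUSE_KEYS = ("abuse-mailbox", "RAbuseEmail")


def abuse_contact(whois_text):
    """Return the abuse address from a RIPE or ARIN WHOIS record, or None."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ABUSE_KEYS:
            return value.strip()
    return None


# Assumed (constructed) firewall log format: src=IP dst=IP dport=PORT
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def classify_flow(line):
    """'cnc' for a listed endpoint, 'netblock' for a hosting range, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dst, dport = m.group("dst"), int(m.group("dport"))
    if (dst, dport) in CNC_ENDPOINTS:
        return "cnc"
    if any(ipaddress.ip_address(dst) in net for net in CNC_NETBLOCKS):
        return "netblock"
    return None


# Constructed sample log lines, not real traffic
SAMPLE_LOG = """\
src=10.0.0.15 dst=92.62.100.95 dport=1995
src=10.0.0.22 dst=74.50.100.9 dport=80
src=10.0.0.31 dst=8.8.8.8 dport=53
"""


def hits(log_text=SAMPLE_LOG):
    """Return (line, verdict) for every line that matches an indicator."""
    return [(l, classify_flow(l)) for l in log_text.splitlines() if classify_flow(l)]
```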

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM
