FireEye Malware Intelligence Lab

A month ago we wrote that McColo was hosting a Rustock Command and Control server on 208.72.168.191.  I wish I could report that Hurricane Electric or Global Crossing, their two upstream providers, had stopped routing these clowns, but unfortunately, that is not the case.

We've written about McColo hosting the Srizbi Command and Control servers a couple times, but today I saw a fun wrinkle that I haven't seen before. 

After my machine got infected, it went through the standard connectivity test.  The first test was the standard "can I send SPAM?" test that Bots do - ie, the outbound port 25 check.  However, when I took a closer look at the SPAM test, the test domain is also hosted by McColo!

Continuing the theme of last article, here is another example of McColo hosting a Command and Control server.  It appears they are nice enough to host the C&C for a 2004 worm known as Dedler. 

There doesn't seem to be a day that goes by that I don't have something new to add on McColo.  It's not that I am trying to target their fine colocation facility, and it's not that I have a thing against Scotland (har har), it's just that our appliance keeps detecting more and more badness coming out of their subnets. 

Today I'd like to briefly mention a couple examples of what McColo is doing that no one else is talking about.   I'll be doing this in a couple parts just to break up the content.

Researchers who monitor Storm strictly from a SPAM aspect have come to a conclusion that Storm is dead (for now), but actually from a botnet point of view, Storm is very much alive and kicking.  Read on to see our analysis about how we've been able to see live Storm bots.

There is an old saying that says something like "The best way to kill a bear is to use his own power against him."

This is precisely what happened with Storm. People in and around the industry talked at length about the beauty of the Storm Peer to Peer architecture and its use of fast-flux networks. But, in fact, Storm's P2P communication was the main reason that the security community had an opportunity to monitor, detect, and decrypt Storm traffic, as all inter-Bot traffic was very noisy.  Going one step further, the easily crackable communication gave those with more nefarious intentions the ability to poison, or straight take over, Storm bots. 

I decided to write this article as I read the findings from Jeremy’s article published on 5 October 2008.
http://www.sudosecure.net/archives/264