Something funny happened while I was writing another anti-McColo article today... the domains stopped responding. What I was going to write about was how Rustock changed its Command and Control server to an IP previously used by Pushdo/Cutwail. This is clearly not a coincidence and shows again that these Botnets are run by the same group.
However, McColo was shutdown today, so that post would be fruitless :-) We have timestamps on all the traces from our lab, so I can say with precision that McColo was shut down on Nov 11, 2008 at 16:23:17.994627, as one of my bots was right in the middle of a TCP session at the time
Brian Krebs wrote about this today on his blog. It appears having the "Washington Post" name backing him made Hurricane Electric/GBLX respond to his abuse notifications, as mine were simply ignored.
So what's next? A couple hypotheses:
- McColo finds another upstream provider to host their content, just as Intercage/Atrivo did.
- The backers of Rustock/Srizbi/Pushdo/etc simply move the C&Cs off shore. I've already observed them moving certain aspects of the Rogue world to servers hosted in the Ukraine
- cernel.net becomes a larger player in hosting malware and exploits
As soon as our Bots update with the new Command and Control structure, as always, we'll post it here.
Alex Lanstein/Atif Mushtaq @ FireEye Malware Intelligence Labs
Comments/Questions to fgong@fireeye.com
Twitter
Facebook
Live Chat
> So what's next? A couple hypotheses:
In case it wasn't obvious to you already, cernel.net is intercage is atrivo is esthosts.
Posted by: Just Me | 2008.11.11 at 11:53 PM