Quick nugget on the McColo/Russia/Rustock connection
Just a quickie before the weekend.
I was browsing through the captures from my Rustock bot lab and I noticed something not-exactly-earth-shattering:
POST /data.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: davis-service.org
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: 134
Connection: Close
Pragma: no-cache
davis-service.org, let's see what we can find:
[Querying whois.publicinterestregistry.net]
[whois.publicinterestregistry.net]
...
...
...
Domain ID:D153207965-LROR
Domain Name:DAVIS-SERVICE.ORG
Created On:03-Jul-2008 08:55:16 UTC
Last Updated On:02-Sep-2008 03:50:20 UTC
Expiration Date:03-Jul-2009 08:55:16 UTC
Sponsoring Registrar:Regtime Ltd (R1602-LROR)
Status:OK
Registrant ID:CO316371-RT
Registrant Name:Patricia A Davis
Registrant Organization:dAVIS cOMPUTERS
Registrant Street1:8 Ann Ct
Registrant Street2:
Registrant Street3:
Registrant City:Franklin
Registrant State/Province:TN
Registrant Postal Code:37064
Registrant Country:US
Registrant Phone:+1.6152108455
Registrant Phone Ext.:
Registrant FAX:+1.6152108455
Registrant FAX Ext.:
Registrant Email:Ptish555@aol.com
This appears to be someone's actual information, as a Google search would show you. I highly doubt that she actually registered the domain; more likely someone randomly picked her name for the domain (I sent an email to the address above, but it bounced with a 550).
Anyways, to whom the domain is registered isn't as important as who is hosting the nameservers:
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
NAMESELF.COM:
;; QUESTION SECTION:
;NS1.NAMESELF.COM. IN A
;; ANSWER SECTION:
NS1.NAMESELF.COM. 85316 IN A 195.161.113.218
root@alex_lanstein --- {~} dig NS2.NAMESELF.COM
;; QUESTION SECTION:
;NS2.NAMESELF.COM. IN A
;; ANSWER SECTION:
NS2.NAMESELF.COM. 85306 IN A 217.16.27.38
And a whois shows...
[Querying whois.ripe.net]
[whois.ripe.net]
% Information related to '195.161.113.0 - 195.161.113.255'
inetnum: 195.161.113.0 - 195.161.113.255
netname: RTCOMM-NET
descr: RTComm.RU network
descr: 8/1, Olsufievsky pereulok,
descr: 121021, Moscow Russia
country: RU
admin-c: RT-RU
admin-c: MVT7-RIPE
tech-c: RT-RU
tech-c: MVT7-RIPE
status: ASSIGNED PA
remarks: --------------------------------------------------------
remarks: Please use abuse@rtcomm.ru e-mail address for complaints
remarks: --------------------------------------------------------
mnt-by: AS8342-MNT
source: RIPE # Filtered
role: RTComm.RU Internet Center
address: JSC RTComm.RU
address: 13/43, 2-nd Zvenigorodskaya Str.
address: 123022, Moscow
address: Russia
phone: +7 495 645 0170
fax-no: +7 495 645 0171
root@alex_lanstein --- {~} whois 217.16.27.38
[Querying whois.ripe.net]
[whois.ripe.net]
% Information related to '217.16.27.0 - 217.16.27.255'
inetnum: 217.16.27.0 - 217.16.27.255
netname: MASTERHOST-COLOCATION
descr: Masterhost is a hosting and technical support organization.
country: RU
admin-c: MHST-RIPE
tech-c: MHST-RIPE
status: ASSIGNED PA
mnt-by: MASTERHOST-MNT
source: RIPE # Filtered
role: MASTERHOST NOC
address: .masterhost
address: Lyalin lane 3, bld 3
address: 105062 Moscow
address: Russia
phone: +7 495 7729720
fax-no: +7 495 7729723
Not everything that goes on in Russia is malicious, for sure, but when you pair it with this, the evidence becomes a bit more damning:
;; QUESTION SECTION:
;davis-service.org. IN A
;; ANSWER SECTION:
davis-service.org. 3514 IN A 208.72.168.191
root@alex_lanstein --- {~} whois 208.72.168.191
[Querying whois.arin.net]
[whois.arin.net]
OrgName: McColo Corporation
OrgID: MCCOL
Address: 64 East main st. box 275
City: Newark
StateProv: DE
PostalCode: 19715
Country: US
This is a pretty brazen move, IMHO.
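As an added example (not part of the original post), here is a small Python checker that turns the oddities in the capture at the top of this post into detection heuristics: the HTTP/1.0 POST, the gzip-compressed request body, and a multipart/form-data Content-Type with no boundary parameter. The benign IE6 upload it is compared against is constructed for illustration.

```python
"""Flag Rustock-style HTTP beacons in raw request header blocks.

Added example, not from the original post; the heuristics come from the
capture shown there (HTTP/1.0 POST, gzip body, multipart with no boundary).
"""

# Request from the post's capture, Accept headers omitted for brevity.
RUSTOCK_BEACON = """POST /data.php HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: davis-service.org
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: 134
Connection: Close
Pragma: no-cache
"""

# Constructed benign IE6 form upload for comparison (not from the post).
BENIGN_UPLOAD = """POST /upload.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: multipart/form-data; boundary=---------------------------7d81c
Content-Length: 512
Connection: Keep-Alive
"""


def parse_request(raw):
    """Split a header block into (method, path, version, {name: value})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def beacon_indicators(raw):
    """Return the anomaly names this request matches (empty = looks normal)."""
    method, path, version, h = parse_request(raw)
    ctype = h.get("content-type", "").lower()
    hits = []
    if method == "POST" and version == "HTTP/1.0":
        hits.append("post-over-http1.0")  # browsers had used 1.1 for years by 2008
    if ctype.startswith("multipart/form-data") and "boundary=" not in ctype:
        hits.append("multipart-without-boundary")  # RFC 2046 requires one
    if "content-encoding" in h:
        hits.append("compressed-request-body")  # browsers do not gzip uploads
    return hits
```

Run over a proxy log's request headers, any non-empty result is worth a second look; the boundary and Content-Encoding checks in particular are cheap to add to an existing IDS signature.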
Alex Lanstein @ FireEye Malware Intelligence Labs
Comments/Questions to fgong@fireeye.com