
2008.11.16

Rustock's new home in cyberspace... Russia!

As we predicted in an earlier post, Rustock began its global update last night, moving its Command and Control servers from McColo to a data center in Russia. We believe the Rustock controllers do not expect McColo to remain stable in the near future, so they are hedging their bets and moving the C&Cs to a different provider.

I am still in the process of gathering a more complete story, so I'll be making more posts throughout the day about the shift. Here is the VirusTotal report for Rustock's new variant from the update.


[Image: Rustock_virustotal (screenshot of the VirusTotal report)]

This is the route to the C&C server located in Russia:

C:\Documents and Settings\atifm>tracert 62.176.17.200

Tracing route to abilena.podolsk-mo.ru [62.176.17.200]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  12.68.100.1
  2     2 ms     2 ms     2 ms  12.87.130.205
  3     2 ms     2 ms     2 ms  tbr2.sffca.ip.att.net [12.122.114.70]
  4     2 ms     2 ms     2 ms  ggr3.sffca.ip.att.net [12.122.82.169]
  5     4 ms     3 ms     3 ms  att-gw.sanfran.level3.net [192.205.33.78]
  6    10 ms     4 ms    13 ms  vlan99.csw4.SanJose1.Level3.net [4.68.18.254]
  7     9 ms    17 ms    17 ms  ae-94-94.ebr4.SanJose1.Level3.net [4.69.134.253]
  8    74 ms    73 ms    74 ms  ae-2.ebr4.NewYork1.Level3.net [4.69.135.186]
  9    77 ms    73 ms    74 ms  ae-74-74.csw2.NewYork1.Level3.net [4.69.134.118]
 10    74 ms    74 ms    75 ms  ae-71-71.ebr1.NewYork1.Level3.net [4.69.134.69]
 11   153 ms   144 ms   145 ms  ae-41-41.ebr2.London1.Level3.net [4.69.137.65]
 12   153 ms   162 ms   162 ms  ae-2.ebr2.Amsterdam1.Level3.net [4.69.132.134]
 13   163 ms   162 ms   162 ms  ae-1-100.ebr1.Amsterdam1.Level3.net [4.69.133.85]
 14   157 ms   161 ms   162 ms  ae-2.ebr2.Dusseldorf1.Level3.net [4.69.133.90]
 15   156 ms   158 ms   162 ms  ae-1-100.ebr1.Dusseldorf1.Level3.net [4.69.132.129]
 16   167 ms   162 ms   162 ms  ae-2.ebr2.Frankfurt1.Level3.net [4.69.132.138]
 17   173 ms   162 ms   162 ms  ae-82-82.csw3.Frankfurt1.Level3.net [4.69.140.26]
 18   160 ms   160 ms   160 ms  ae-3-89.edge3.Frankfurt1.Level3.net [4.68.23.139]
 19   195 ms   194 ms   194 ms  212.162.19.50
 20   350 ms   526 ms   318 ms  msk-m9-pr1-ge-0-3-v02.rascom.ru [80.64.96.52]
 21   223 ms   219 ms   231 ms  80.64.102.206
 22   202 ms   201 ms   202 ms  zinger-gw.ll4.inetcomm.ru [212.152.38.70]
 23     *        *        *     Request timed out.
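A raw tracert listing like the one above is most useful when it can be pivoted on: which router last answered before the C&C went silent, and at which hop the path crossed from the US carriers into the Russian networks that now host it. The following is an added example, not code from the original post or from FireEye: a small Python parser for Windows tracert output that turns the listing into structured hops and answers those two questions. The sample input is the traceroute from the post, trimmed to a few hops; the function and field names (parse_tracert, last_responding_hop, domain_transitions) are my own.

```python
"""Parse Windows `tracert` output into structured hops so the route to a
C&C address can be attributed hop by hop."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the tracert to Rustock's new C&C from the post above,
# trimmed to a few representative hops (header and final hops unchanged).
SAMPLE_TRACERT = """\
Tracing route to abilena.podolsk-mo.ru [62.176.17.200]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  12.68.100.1
  5     4 ms     3 ms     3 ms  att-gw.sanfran.level3.net [192.205.33.78]
 19   195 ms   194 ms   194 ms  212.162.19.50
 20   350 ms   526 ms   318 ms  msk-m9-pr1-ge-0-3-v02.rascom.ru [80.64.96.52]
 21   223 ms   219 ms   231 ms  80.64.102.206
 22   202 ms   201 ms   202 ms  zinger-gw.ll4.inetcomm.ru [212.152.38.70]
 23     *        *        *     Request timed out.
"""

HEADER_RE = re.compile(r"Tracing route to (\S+) \[(\d+\.\d+\.\d+\.\d+)\]")
# hop number, then exactly three RTT columns ("<1 ms", "44 ms" or "*"), then the target column
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
RTT_RE = re.compile(r"(<?)(\d+) ms|(\*)")
# "name [ip]" when reverse DNS resolved, bare "ip" otherwise
ADDR_RE = re.compile(r"^(?:(\S+) )?\[?(\d+\.\d+\.\d+\.\d+)\]?$")


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[float]]  # None where tracert printed '*'
    host: Optional[str]             # reverse-DNS name, if tracert got one
    ip: Optional[str]               # None for a hop that never answered

    @property
    def timed_out(self) -> bool:
        return self.ip is None

    @property
    def domain(self) -> Optional[str]:
        # last two labels of the router name (enough for att.net / level3.net / rascom.ru)
        return ".".join(self.host.split(".")[-2:]) if self.host else None


@dataclass
class Trace:
    target_host: Optional[str]
    target_ip: Optional[str]
    hops: List[Hop]


def _parse_rtts(column: str) -> List[Optional[float]]:
    # "<1 ms" is reported as 1.0 (an upper bound); "*" becomes None
    return [None if star else float(ms) for _, ms, star in RTT_RE.findall(column)]


def parse_tracert(text: str) -> Trace:
    """Parse the text of one tracert run into a Trace."""
    target_host = target_ip = None
    hops: List[Hop] = []
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            target_host, target_ip = header.group(1), header.group(2)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # blank lines, "over a maximum of 30 hops:", etc.
        number, rtt_column, target = int(m.group(1)), m.group(2), m.group(3)
        addr = ADDR_RE.match(target)
        if addr:
            hops.append(Hop(number, _parse_rtts(rtt_column), addr.group(1), addr.group(2)))
        else:
            # "Request timed out." or any other non-address text
            hops.append(Hop(number, _parse_rtts(rtt_column), None, None))
    return Trace(target_host, target_ip, hops)


def last_responding_hop(hops: List[Hop]) -> Optional[Hop]:
    """The last router that answered; the C&C's upstream when the target itself stays silent."""
    answered = [h for h in hops if not h.timed_out]
    return answered[-1] if answered else None


def domain_transitions(hops: List[Hop]):
    """(hop number, previous domain, new domain) wherever the router's reverse-DNS domain
    changes. Unnamed hops are skipped; they say nothing about which carrier owns them."""
    changes, prev = [], None
    for h in hops:
        d = h.domain
        if d is None:
            continue
        if prev is not None and d != prev:
            changes.append((h.number, prev, d))
        prev = d
    return changes


if __name__ == "__main__":
    trace = parse_tracert(SAMPLE_TRACERT)
    print("target:", trace.target_host, trace.target_ip)
    print("last responding hop:", last_responding_hop(trace.hops))
    print("carrier changes:", domain_transitions(trace.hops))
```

On the full listing the transitions land at hop 5 (att.net to level3.net), hop 20 (level3.net to rascom.ru) and hop 22 (rascom.ru to inetcomm.ru), and the last responder is zinger-gw.ll4.inetcomm.ru; the target itself never answers, which is the usual picture for a host that filters ICMP. Note that the reverse-DNS domain of a router is a hint about the carrier, not proof; a whois lookup on the hop's IP is the check to make before acting on it.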

Atif Mushtaq @ FireEye Malware Intelligence Labs

Comments/Questions to research@fireeye.com


Comments


Maybe you should blackhole TeliaSonera, which made it possible for Rustock to move?

Perhaps I'm just being angry (and hi Warpkat! see you on IRC!), but maybe we should just blackhole russia for a while.

In Soviet Russia, Botnet controls YOU!

This is very cruel, what McColo has done, to attack my grandma with spam or with malware. Now the botnets leave the United States of America and go to a country in Russia, where they do the same: send spam or phishing mail with malware and Trojan Horses?
