FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation

McColo's Video Debut

While looking for more information on the recent McColo shutdown, the research team here came across something very interesting: a blog going by the name 'micaelale blog' that carried an article about the recent takedown.

hxxp://micaelale.vox.com/library/post/mccolo.html?_c=feed-atom (careful, it's malicious!)


The main headline of this blog looks like this:

Washington Post Blog Shuts Down 75% of Online Spam. ESCquire writes "Apparently, the Washington Post Blog 'Security Fix' managed to shut down McColo, a US-based hosting provider facilitating more than 75 percent of global spam." ...

The article used a very small font size, so the text was hard to read without zooming in, but if you did, you would have noticed excessive repetition of the term 'McColo' throughout the article, apparently an attempt to boost the page's rank on search engines. It worked, at least in the short term, while very few other pages referenced McColo. Mccolo. mcColo. mccolo. Just kidding.
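The trick described above, a term repeated many times in a font too small to read, is easy to spot mechanically. The following Python script is an added example, not code from the original post or from FireEye: it scores an HTML page on how much of its text sits inside elements whose inline style sets a tiny font size, and how dominant one keyword is within that hidden text. The thresholds (6px cutoff, half the words hidden, 20% keyword density), the sample pages and the handling of only inline px/pt font sizes are my own assumptions, constructed for illustration.

```python
"""Heuristic detector for hidden keyword stuffing in an HTML page.

Added example, not code from the original post or from FireEye. Two signals
are scored: the share of the page's words that sit inside elements with a
tiny inline font-size, and how dominant one keyword is among those hidden
words. Thresholds and sample HTML are assumptions for illustration; only
inline px/pt font sizes are recognised (no em/%/<font size> handling).
"""
import re
from html.parser import HTMLParser

TINY_PX = 6.0            # assumption: text rendered at or below 6px counts as hidden
HIDDEN_FRACTION = 0.5    # assumption: at least half the words are hidden ...
KEYWORD_DENSITY = 0.2    # ... and the keyword is at least 20% of the hidden words

FONT_RE = re.compile(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*(px|pt)\b", re.I)
WORD_RE = re.compile(r"[a-z0-9]+")
# Elements that never get a closing tag; they must not push onto the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "wbr"}


class FontSizeText(HTMLParser):
    """Split a page's text into words inside tiny-font elements and the rest."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one flag per open element: inside tiny text?
        self.tiny_words = []
        self.normal_words = []

    @staticmethod
    def _is_tiny(attrs):
        style = dict(attrs).get("style") or ""
        m = FONT_RE.search(style)
        if not m:
            return False
        size, unit = float(m.group(1)), m.group(2).lower()
        # CSS treats 1pt as 1/72in and assumes 96px per inch.
        px = size if unit == "px" else size * 96.0 / 72.0
        return px <= TINY_PX

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        inherited = self.stack[-1] if self.stack else False
        # A tiny font-size is inherited by every descendant element.
        self.stack.append(inherited or self._is_tiny(attrs))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        words = WORD_RE.findall(data.lower())
        if self.stack and self.stack[-1]:
            self.tiny_words.extend(words)
        else:
            self.normal_words.extend(words)


def stuffing_report(html, keyword):
    """Return word counts plus a verdict on whether the page looks stuffed."""
    parser = FontSizeText()
    parser.feed(html)
    parser.close()
    hidden = len(parser.tiny_words)
    total = hidden + len(parser.normal_words)
    hits = parser.tiny_words.count(keyword.lower())
    hidden_fraction = hidden / total if total else 0.0
    density = hits / hidden if hidden else 0.0
    return {
        "total_words": total,
        "hidden_words": hidden,
        "hidden_keyword_hits": hits,
        "hidden_fraction": hidden_fraction,
        "hidden_keyword_density": density,
        "suspicious": hidden_fraction >= HIDDEN_FRACTION and density >= KEYWORD_DENSITY,
    }


# Constructed sample modelled on the page described in the post (not a real capture).
SAMPLE_HTML = """
<html><body>
<h1>mccolo</h1>
<p>Washington Post Blog Shuts Down 75% of Online Spam.</p>
<div style="font-size: 4px">
McColo mccolo McColo hosting spam McColo botnet mccolo McColo mccolo
McColo spam McColo mccolo McColo McColo take down mccolo McColo
</div>
</body></html>
"""

# Constructed benign page: same headline, no hidden text.
BENIGN_HTML = """
<html><body><h1>mccolo</h1>
<p>Washington Post Blog Shuts Down 75% of Online Spam.<br>Read more.</p>
</body></html>
"""

if __name__ == "__main__":
    print(stuffing_report(SAMPLE_HTML, "McColo"))
    print(stuffing_report(BENIGN_HTML, "McColo"))
```

Run against the constructed sample, two thirds of the words are hidden and 70% of them are the keyword, so the page is flagged; the benign page has no hidden text and is not. The cutoff is deliberately generous (6px) because legitimate pages do use small legal footers; the keyword density is what separates stuffing from fine print.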

Just above the main article, the page offers the user a chance to watch a video supposedly related to McColo, perhaps the video from the NBC affiliate that interviewed FireEye about the takedown yesterday!

hxxp://topmovie2008.com/index.php?name=mccolo (malicious, don't try to click)

When the user clicks on the media player, which is styled to look like a YouTube video, the page asks the user to download a fake video codec. The "codec" is an ActiveX object (setup.exe) that is almost certainly a Trojan with callback functionality. The fake page looked identical to the one we saw during the recent Trojan.Exchanger social engineering campaign.

So what should the research team take from this latest move? That the people behind McColo's botnets are using their own recent notoriety to spread more malware? Perhaps it is some sort of revenge on those who are innocently seeking information about McColo? Or perhaps it is a completely unrelated group? The only positive we can take from this is that even as all their zombies are being (temporarily) abandoned, the botherders have not abandoned their sense of humor.

Interestingly, there was also a user comment on this video:

"Wow! Nice mccolo "

It's hard to understand who could actually enjoy this video, but then again, this comment is right in line with those on the YouTube videos it is trying to emulate ;)

Atif Mushtaq and Haroon Malik @ FireEye Malware Intelligence Labs

Comments/Questions to research@fireeye.com

Recent Comments

  • If you view several of the blog postings on the referenced blog, it appears to be set up to regurgitate press releases from PR Newswire and AP news stories. All of the blog postings have links to video clips that in turn have affiliate links associated with the downloads. While I think they are trying to have malware or adware installed on visitors' PCs, the fact that a blog posting mentions McColo seems to be a coincidence.

    John LaCour on McColo's Video Debut