A month ago we wrote that McColo was hosting a Rustock Command and Control server on 184.108.40.206. I wish I could report that Hurricane Electric or Global Crossing, their two upstream providers, had stopped routing these clowns, but unfortunately, that is not the case.
Closing out today’s day-in-the-life-of-McColo, I took a look at our Rustock bot lab, and I saw one communicating today on 220.127.116.11, another McColo IP address. A google search turns up a whopping 3 matches for that IP, one of which is ThreatExpert. A quick aside – The TE team really have their act together, and IMHO, don’t receive nearly enough credit for their infrastructure.
A Rustock transaction looks like this:
POST /data.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
As I was poking at this C&C server, I realized there was a ridiculously small amount of latency between my lab and McColo, as in, <10ms. Google says their that Both he.net and GBLX have an office on Market Street, in San Jose, right down the road from FireEye. Thanks to Street View, you can see a photo of it below:
Alex Lanstein @ FireEye Malware Intelligence Labs
Comments/Questions to firstname.lastname@example.org