McColo (still) hosting Rustock C&C

A month ago we wrote that McColo was hosting a Rustock Command and Control server on  I wish I could report that Hurricane Electric or Global Crossing, their two upstream providers, had stopped routing these clowns, but unfortunately, that is not the case.

Closing out today’s day-in-the-life-of-McColo, I took a look at our Rustock bot lab, and I saw one communicating today on, another McColo IP address.  A google search turns up a whopping 3 matches for that IP, one of which is ThreatExpert.  A quick aside – The TE team really have their act together, and IMHO, don’t receive nearly enough credit for their infrastructure.

A Rustock transaction looks like this:

POST /data.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/, application/, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: 135
Connection: Close
Pragma: no-cache


As I was poking at this C&C server, I realized there was a ridiculously small amount of latency between my lab and McColo, as in, <10ms.  Google says their that Both and GBLX have an office on Market Street, in San Jose, right down the road from FireEye.  Thanks to Street View, you can see a photo of it below:

View Larger Map

Alex Lanstein @ FireEye Malware Intelligence Labs
Comments/Questions to