
McColo found a new upstream provider (update)

UPDATE: Although the data below is still of interest, Telia has withdrawn the routes for McColo’s net blocks.

As we were monitoring Srizbi and Rustock in our labs today, a sample suddenly started connecting to a routable McColo C&C server. This McColo-hosted C&C server, with the IP 208.66.194.22, was once again fully responding to Rustock. It appears they’re back! The best part of this story is that they haven’t physically moved their servers… they’re still in Market Post Tower in sunny San Jose. Telia (which I contacted) appears to have low enough standards to provide McColo a new cross-connect.

[atif@max ~]$ whois 208.66.194.22
[Querying whois.arin.net]
[whois.arin.net]
McColo Corporation MCCOLO (NET-208-66-192-0-1)
208.66.192.0 – 208.66.195.255
McColo corp MCCOLO-DEDICATED-SERVERS-SNDALN01 (NET-208-66-194-0-1)
208.66.194.0 – 208.66.194.63

# ARIN WHOIS database, last updated 2008-11-14 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.

This is Rustock’s initial communication, recorded just a few minutes ago:

POST /login.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 208.66.194.22
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: 96
Connection: Close
Pragma: no-cache

z.S.#|….rP…….$..P……_.?.1.9.yE.H….Aq..k.XFT3!…..~<F.;…@……3..
..;./|…a..:…

HTTP/1.1 200 OK
Date: Sun, 16 Nov 2008 00:42:59 GMT
Server: Apache/2.0.52 (Win32)
X-Powered-By: PHP/4.3.4
Content-Length: 16
Connection: close
Content-Type: text/html

h…..).)…..j.
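The capture above is a usable detection opportunity: the request line is HTTP/1.0 while claiming to be IE6 (which speaks HTTP/1.1), the multipart Content-Type has no boundary parameter, the body is declared gzip on a client request (browsers never do that) and its first byte is “z” rather than the gzip magic 1f 8b, and the Host header is a bare IP. The following is an added example, not FireEye’s detection code: it parses a raw HTTP request and counts how many of those traits co-occur. The first sample reproduces the captured request line and headers with a constructed 96-byte placeholder body (the real payload is not reproducible from the post); the second is a constructed, benign browser login for comparison.

```python
"""
Flag HTTP requests that share the traits of the Rustock check-in captured
above. Added example, not FireEye's detection logic. RUSTOCK_BEACON carries
the captured request line and headers over a constructed placeholder body;
BENIGN_LOGIN is a constructed browser POST used as a negative control.
"""
import ipaddress

GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of any RFC 1952 gzip stream


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, version, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body


def rustock_indicators(raw: bytes):
    """Return the traits of the captured beacon that this request exhibits."""
    method, path, version, h, body = parse_request(raw)
    hits = []
    # Bots tend to freeze an old request line; IE6 itself sent HTTP/1.1.
    if method == "POST" and path == "/login.php" and version == "HTTP/1.0":
        hits.append("POST /login.php over HTTP/1.0")
    # A real browser multipart upload always carries boundary=...
    ctype = h.get("content-type", "")
    if ctype.startswith("multipart/form-data") and "boundary=" not in ctype:
        hits.append("multipart/form-data without a boundary parameter")
    # Browsers do not gzip request bodies; a custom client does.
    if h.get("content-encoding", "").lower() == "gzip":
        hits.append("Content-Encoding: gzip on a client request")
        if not body.startswith(GZIP_MAGIC):
            hits.append("body declared gzip but lacks the 1f 8b magic")
    # Hard-coded C&C: the Host header is the raw IP, not a name.
    try:
        ipaddress.ip_address(h.get("host", ""))
        hits.append("Host header is a bare IP literal")
    except ValueError:
        pass
    return hits


def is_rustock_beacon(raw: bytes, threshold: int = 3) -> bool:
    """Alert when enough traits co-occur; no single one is conclusive."""
    return len(rustock_indicators(raw)) >= threshold


# Sample 1: request line and headers as captured; body is a placeholder.
RUSTOCK_BEACON = b"\r\n".join([
    b"POST /login.php HTTP/1.0",
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
    b"application/x-shockwave-flash, application/vnd.ms-excel, "
    b"application/vnd.ms-powerpoint, application/msword, */*",
    b"Accept-Language: en",
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    b".NET CLR 1.1.4322)",
    b"Host: 208.66.194.22",
    b"Content-Type: multipart/form-data",
    b"Content-Encoding: gzip",
    b"Content-Length: 96",
    b"Connection: Close",
    b"Pragma: no-cache",
    b"",
    b"z" + b"\x00" * 95,   # constructed placeholder, not the real payload
])

# Sample 2: constructed benign login from a browser.
BENIGN_LOGIN = b"\r\n".join([
    b"POST /login.php HTTP/1.1",
    b"Host: www.example.com",
    b"User-Agent: Mozilla/5.0",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: 27",
    b"",
    b"user=alice&password=secret1",
])

if __name__ == "__main__":
    for label, sample in (("captured beacon", RUSTOCK_BEACON),
                          ("benign login", BENIGN_LOGIN)):
        print(label, is_rustock_beacon(sample), rustock_indicators(sample))
```

The threshold matters: a bare-IP Host header or a missing multipart boundary alone will fire on plenty of legitimate embedded clients, so alert on the combination rather than on any one header, and treat the gzip-without-magic check as the strongest single signal.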

In order to see which ISP had started routing McColo again, I did a simple traceroute. Here are the results:

C:\Documents and Settings\atifm>tracert  208.66.194.22

Tracing route to 208.66.194.22 over a maximum of 30 hops

1    <1 ms    <1 ms    <1 ms 1x.68.xx.1
2     2 ms     1 ms     2 ms   1x.87.xx.205
3     3 ms     3 ms     2 ms  tbr2.sffca.ip.att.net [12.122.114.66]
4     2 ms     2 ms     2 ms  ggr4.sffca.ip.att.net [12.122.86.185]
5     4 ms     3 ms     3 ms  192.205.34.38
6     4 ms     4 ms     4 ms  giglinx-ic-122068-sjo-bb1.c.telia.net [213.248.84.210]
7     4 ms     4 ms     4 ms  vl-701.rt02.sjc.mccolo.com [208.66.192.26]
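The hop that identifies the upstream is the one immediately before the first router whose reverse DNS belongs to the destination’s own domain (here, hop 6 in telia.net, just before hop 7 in mccolo.com). The following is an added example, not part of the post, that automates that reading of Windows tracert output; the sample is the trace shown above, with the two redacted first hops kept as printed. The registrable-domain guess is a deliberately naive last-two-labels rule and is flagged as such in the code.

```python
"""
Parse Windows tracert output and name the network that hands traffic to the
destination's own routers, i.e. the upstream providing the cross-connect.
Added example, not from the post; SAMPLE_TRACERT is the trace shown above.
"""
import re

HOP_RE = re.compile(
    r"^\s*(\d+)\s+"                      # hop number
    r"((?:(?:<?\d+\s*ms|\*)\s+){3})"     # three RTT columns, '*' on timeout
    r"(\S+)"                             # hostname, or bare IP when no rDNS
    r"(?:\s+\[([^\]]+)\])?\s*$"          # [ip] only when a name was resolved
)

SAMPLE_TRACERT = """
Tracing route to 208.66.194.22 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  1x.68.xx.1
  2     2 ms     1 ms     2 ms  1x.87.xx.205
  3     3 ms     3 ms     2 ms  tbr2.sffca.ip.att.net [12.122.114.66]
  4     2 ms     2 ms     2 ms  ggr4.sffca.ip.att.net [12.122.86.185]
  5     4 ms     3 ms     3 ms  192.205.34.38
  6     4 ms     4 ms     4 ms  giglinx-ic-122068-sjo-bb1.c.telia.net [213.248.84.210]
  7     4 ms     4 ms     4 ms  vl-701.rt02.sjc.mccolo.com [208.66.192.26]
"""


def parse_tracert(text):
    """Return [(hop, hostname_or_None, ip)] for each hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # banner, blank line, prompt
        hop, name, bracketed = int(m.group(1)), m.group(3), m.group(4)
        if bracketed:
            hops.append((hop, name, bracketed))
        else:
            hops.append((hop, None, name))   # no reverse DNS: field is the IP
    return hops


def org_of(hostname):
    """Naive registrable domain: the last two labels. Fine for .net/.com,
    wrong for ccTLDs such as .co.uk; use a public-suffix list in production."""
    if not hostname:
        return None
    return ".".join(hostname.lower().split(".")[-2:])


def find_upstream(hops, target_org):
    """Return (hop, hostname, ip, org) for the hop immediately before the
    first router whose rDNS belongs to target_org. org is None when that hop
    had no rDNS (whois the ip instead). Returns None if target_org's routers
    never appear, or appear at the very first hop."""
    for i, (_, name, _) in enumerate(hops):
        if org_of(name) == target_org and i > 0:
            hop, prev_name, prev_ip = hops[i - 1]
            return (hop, prev_name, prev_ip, org_of(prev_name))
    return None


if __name__ == "__main__":
    print(find_upstream(parse_tracert(SAMPLE_TRACERT), "mccolo.com"))
```

When the hop before the target has no reverse DNS (as hop 5 here, which sits between AT&T and Telia), the function returns the IP with org None; a whois on that address, as done for the C&C IP above, is the fallback for attribution.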

If I were McColo, I would try to get my IPs routed as quickly as possible, even if only for a few days before they are taken down again. That would be enough to push out a global update to my botnets that either changes the C&C server or establishes a proper fallback command-and-control channel.

Atif Mushtaq @ FireEye Malware Intelligence Labs

Comments/Questions to research@fireeye.com

2 thoughts on “McColo found a new upstream provider (update)”

  1. I also contacted Telia yesterday and heard back from Jimmy Arvidsson, head of TeliaSoneraCERT, who said they’re taking action to revoke the peering (indeed, as of right now they seem to be unroutable again). Was great to get such a quick response. Hopefully they’ll stay that way a bit longer this time, though as you noted it’s already too late to stop the Rustock migration.

  2. Great work guys!
    Keep up the pressure. This is the easiest way to keep these f***ers down: kick them while they’re down.
    I once chased another (Russian) rogue spam network off about a dozen providers until they gave up. ISPs seem to be much more responsive when you alert them proactively about potential problem customers with evidence to back it up, rather than if you contact them six months afterwards when the client has already established a relationship (with checks…) with the ISP.
