UPDATE: There was an abuse notification sent to LayeredTech by my co-researcher Alex Lanstein earlier this morning. As a result LayeredTech seems to have pulled the server. ‘sdx3Fs5B.info’ still has an A entry for the IP, but it is no longer responding. Perhaps colos are starting to pay more attention to botnets and abuse notifications?
Rustock and its SPAM are back. All Rustock variants which were able to update themselves during McColo’s brief return on 15 Nov 2008 are back with new nasty SPAM campaigns.
Since the shutdown, the updated Rustock binaries in our lab have been trying to connect to different CnC servers to look for more commands, but either the domains were not resolving or the servers were not acknowledging Rustock’s login requests. This no longer appears to be the case. Today, one of the new CnC servers, ‘sdx3Fs5B.info’, which is currently resolving to 22.214.171.124 (abuse notification to LayeredTech sent), started to respond. After accepting the login, the next instruction was to download new spam templates. Immediately after receiving the templates, the samples started sending SPAM.
There was nothing wildly new in the initial SPAM recorded by my SPAM trap. As in the past, many of the emails were related to male enhancement pills. Here are some examples:
Subject: Bush.s last words
Subject: Food crisis in California
Subject: Obama.s new plan
The actual text inside these emails has nothing to do with the subject line. The body of the messages tempts users to visit websites like
These random looking links further redirect users to hxxp://beautythrow.com/, a Canadian pharmacy advertisement site “selling” Viagra at a cheap price.
This Rustock variant differs from older variants in terms of the CnC location architecture. Unlike the older variants which used hard coded McColo IPs, the new one relies on DNS entries to locate its CnCs.
Here are some of the CnC hosts I’ve seen:
All of these are registered domains, so the botherders are no longer giving researchers a chance to register these domains to monitor these botnets :). Whois data corresponding to IP 126.96.36.199 is:
[atif@max ~]$ whois 188.8.131.52
[Redirected to rwhois.layeredtech.com:4321]
%rwhois V-1.5:003eff:00 rwhois.layeredtech.com (by Network Solutions, Inc. V-184.108.40.206)
Due to Rustock’s new CnC location architecture, we don’t believe that a single point of failure like McColo will ever exist again. If the CnC servers ever become unavailable, the botherder can simply change the DNS entries to point elsewhere.
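Because the new variants locate their CnC through DNS, the domain rather than the IP is the indicator worth tracking. As an added example (not FireEye’s code), this Python watcher records each observation of a CnC domain’s A records together with whether the host still answers, and flags both the state seen in the UPDATE above (record still present, server no longer responding) and a repointed record; the domain, IPs and port it uses are constructed placeholders.

```python
"""Watch a DNS-located CnC domain for relocation and liveness (added example,
not FireEye's code). Bots that find CnC via DNS outlive any IP blocklist once
the A record moves, so this keys on the domain. Values are constructed."""
import socket
CNC_PORT = 443  # assumed; use the port the sample is actually observed using

def resolve_a(domain):  # IPv4 A records; empty set if the name does not resolve
    try:
        return {r[4][0] for r in socket.getaddrinfo(domain, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def tcp_answers(ip, port=CNC_PORT, timeout=3.0):  # does a TCP handshake complete?
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def observe_live(domain):  # (A records, the subset answering on CNC_PORT)
    ips = resolve_a(domain)
    return ips, {ip for ip in ips if tcp_answers(ip)}

def classify(ips, alive):
    """'nxdomain' | 'responding' | 'resolves_but_dead' (the post's UPDATE case)."""
    if not ips:
        return "nxdomain"
    return "responding" if alive else "resolves_but_dead"

class CncWatcher:
    def __init__(self, domain, observe=observe_live):
        self.domain, self.observe, self.history = domain, observe, []
    def poll(self):
        """Observe once; return a change record, or None if nothing changed."""
        ips, alive = self.observe(self.domain)
        cur = (frozenset(ips), classify(ips, alive))
        prev = self.history[-1] if self.history else None
        self.history.append(cur)
        if prev is None or prev == cur:
            return None
        return {"domain": self.domain, "old_ips": set(prev[0]), "new_ips": set(cur[0]),
                "old_state": prev[1], "new_state": cur[1]}
# Constructed scenario mirroring the post: the A record stays while the host
# stops answering (colo pulled it), then the record is repointed elsewhere.
ROUNDS = [({"192.0.2.10"}, {"192.0.2.10"}), ({"192.0.2.10"}, set()),
          ({"198.51.100.7"}, {"198.51.100.7"})]
def demo(rounds=ROUNDS):  # replay the constructed observations offline
    feed = iter(rounds)
    watcher = CncWatcher("cnc.example.invalid", lambda domain: next(feed))
    return [watcher.poll() for _ in rounds]
```

For a live run, construct `CncWatcher("<cnc-domain>")` with the default observer and call `poll()` on a schedule, keeping `history` as the record of when the A record moved.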
Atif Mushtaq and Alex Lanstein @ FireEye Malware Intelligence Lab
Comments/Questions to email@example.com