Blog

Rustock is Back…

UPDATE:  There was an abuse notification sent to LayeredTech by my co-researcher Alex Lanstein earlier this morning. As a result LayeredTech seems to have pulled the server. ‘sdx3Fs5B.info’ still has an A entry for the IP, but it is no longer responding.  Perhaps colos are starting to pay more attention to botnets and abuse notifications?

—————————————-

Rustock and its SPAM are back. All Rustock variants which were able to update themselves during McColo’s brief return on 15 Nov 2008, are back with new nasty SPAM campaigns.

The updated Rustock binaries in our lab since the shutdown have been trying to connect to different CnC servers to look for more commands, but either the domains were not resolving or the servers were not acknowledging Rustock’s login requests. This no longer appears to be the case. Today, one of the new CnC servers, ‘sdx3Fs5B.info’ which is currently resolving to 72.233.114.74 (abuse notification to LayeredTech sent), started to respond. After accepting the login, the next instruction was to download new spam templates. Immediately after receiving the templates, the samples started sending SPAM.

There was nothing wildly new in the initial SPAM recorded by my SPAM trap. As in the past, many of the emails were related to male enhancement pills. Here are some examples:

Subject: Bush.s last words

Subject: Food crisis in California

Subject: Obama.s new plan

The actual text inside these emails has nothing to do with the subject line. The body of the messages, tempts users to visit websites like

hxxp://alsi.kugusup.cn

hxxp://ppbka.kugusup.cn

These random looking links further redirect users to hxxp://beautythrow.com/, a Canadian pharmacy advertisement site “selling” Viagra at a cheap price.

Canadian_pharmacy

This Rustock variant differs from older variants in terms of the CnC location architecture. Unlike the older variants which used hard coded McColo IPs, the new one relies on DNS entries to locate its CnCs.

Here are some of the CnC hosts I’ve seen:

sdx3Fs5B.info

geforcesliconfig.info

geforcesliconfig.cc

usa-crunch.ws

All of these are registered domains so the botherders are no longer giving researchers a chance to register these domains to monitor these botnets :). Whois data corresponding to IP 72.233.114.74 is:

[atif@max ~]$ whois 72.233.114.74
[Querying whois.arin.net]
[Redirected to rwhois.layeredtech.com:4321]
[Querying rwhois.layeredtech.com]
[rwhois.layeredtech.com]
%rwhois V-1.5:003eff:00 rwhois.layeredtech.com (by Network Solutions, Inc. V-1.5.9.6)
%referral rwhois://rwhois.layeredtech.com:4321/auth-area=72.233.0.0/17
%ok

Due to Rustock’s new CnC location architecture, we don’t believe that something like McColo will ever exist again.  If the Cnc servers ever become unavailable, the botherder can simply change the DNS entries to point elsewhere.

Atif Mushtaq and Alex Lanstein @ Fireeye Malware Intelligence Lab

Comments/Questions to research@fireeye.com

One thought on “Rustock is Back…

Comments are closed.