Blog

Rustock’s new home in cyberspace… Russia!

As we predicted in an earlier post, Rustock began it’s global update last night to change the Command and Control servers from McColo to a data center in Russia.  We believe that the Rustock controllers don’t expect McColo to be very stable in the near future, so they are hedging their bets and moving the C&C’s to a different provider.

I am still in the process of gathering a more complete story, so I’ll be making more posts throughout the day about the shift. Here is the VirusTotal report for Rustock’s new variant from the update.

Rustock_virustotal

This is the route to CnC server located in Russia:

C:\Documents and Settings\atifm>tracert 62.176.17.200

Tracing route to abilena.podolsk-mo.ru [62.176.17.200]
over a maximum of 30 hops:

1    <1 ms    <1 ms    <1 ms  12.68.100.1
2     2 ms     2 ms     2 ms  12.87.130.205
3     2 ms     2 ms     2 ms  tbr2.sffca.ip.att.net [12.122.114.70]
4     2 ms     2 ms     2 ms  ggr3.sffca.ip.att.net [12.122.82.169]
5     4 ms     3 ms     3 ms  att-gw.sanfran.level3.net [192.205.33.78]
6    10 ms     4 ms    13 ms  vlan99.csw4.SanJose1.Level3.net [4.68.18.254]
7     9 ms    17 ms    17 ms  ae-94-94.ebr4.SanJose1.Level3.net [4.69.134.253]

8    74 ms    73 ms    74 ms  ae-2.ebr4.NewYork1.Level3.net [4.69.135.186]
9    77 ms    73 ms    74 ms  ae-74-74.csw2.NewYork1.Level3.net [4.69.134.118]

10    74 ms    74 ms    75 ms  ae-71-71.ebr1.NewYork1.Level3.net [4.69.134.69]

11   153 ms   144 ms   145 ms  ae-41-41.ebr2.London1.Level3.net [4.69.137.65]
12   153 ms   162 ms   162 ms  ae-2.ebr2.Amsterdam1.Level3.net [4.69.132.134]
13   163 ms   162 ms   162 ms  ae-1-100.ebr1.Amsterdam1.Level3.net [4.69.133.85
]
14   157 ms   161 ms   162 ms  ae-2.ebr2.Dusseldorf1.Level3.net [4.69.133.90]
15   156 ms   158 ms   162 ms  ae-1-100.ebr1.Dusseldorf1.Level3.net [4.69.132.1
29]
16   167 ms   162 ms   162 ms  ae-2.ebr2.Frankfurt1.Level3.net [4.69.132.138]
17   173 ms   162 ms   162 ms  ae-82-82.csw3.Frankfurt1.Level3.net [4.69.140.26
]
18   160 ms   160 ms   160 ms  ae-3-89.edge3.Frankfurt1.Level3.net [4.68.23.139
]
19   195 ms   194 ms   194 ms  212.162.19.50
20   350 ms   526 ms   318 ms  msk-m9-pr1-ge-0-3-v02.rascom.ru [80.64.96.52]
21   223 ms   219 ms   231 ms  80.64.102.206
22   202 ms   201 ms   202 ms  zinger-gw.ll4.inetcomm.ru [212.152.38.70]
23     *        *        *     Request timed out.

Atif Mushtaq @ FireEye Malware Intelligence Labs

Comments/Questions to research@fireeye.com

4 thoughts on “Rustock’s new home in cyberspace… Russia!

  1. This very cruel that McColo have done to attact my grandma with spam or with malware. Now botnets leave Unite States of America and go to country in Russia there do same send spam or phishing mail with malware and Trojan Horse?

Comments are closed.