Archive for 'October 2008'

    Silent Storm or Silence before the Storm...

    By Alex Lanstein, Atif Mushtaq
    Researchers who monitor Storm strictly from a SPAM aspect have come to a conclusion that Storm is dead (for now), but actually from a botnet point of view, Storm is very much alive and kicking.  Read on to see our analysis about how we've been able to see live Storm bots. There is an old saying that says something like "The best way to kill a bear is to use his own power against him." This Read more...


    Rogue.AntiVirus2009 hosted by McColo

    By Alex Lanstein
    There's a segment of our Beta customers who have a data sharing agreement with us, wherein they allow the appliance to send up the malicious URLs and Botnet activity that it has discovered.  I wanted to take a quick poke at some of these URLs to see what they were exploiting, where they were hosted, whether they were "dual use" or not, etc.  A quick background: Last week, our engineering team released a new version of our Read more...


    More on McColo and Rogues

    By Alex Lanstein
    There doesn't seem to be a day that goes by that I don't have something new to add on McColo.  It's not that I am trying to target their fine colocation facility, and it's not that I have a thing against Scotland (har har), it's just that our appliance keeps detecting more and more badness coming out of their subnets. Today I'd like to briefly mention a couple examples of what McColo is Read more...


    McColo hosting W32/Dedler C&C

    By Alex Lanstein
    Continuing the theme of the last article, here is another example of McColo hosting a Command and Control server.  It appears they are nice enough to host the C&C for a 2004 worm known as Dedler. Symantec has a page about it - http://www.symantec.com/security_response/writeup.jsp?docid=2004-050714-2558-99 - but unfortunately they don't show any of the C&C behavior. McAfee also has a page - http://vil.nai.com/vil/content/v_122235.htm - but again, no C&C listed. ThreatExpert, as usual, comes through in the clutch!  Read more...


    McColo hosting Srizbi C&C

    By Alex Lanstein
    We've written about McColo hosting the Srizbi Command and Control servers a couple of times, but today I saw a fun wrinkle that I haven't seen before. After my machine got infected, it went through the standard connectivity test.  The first test was the standard "can I send SPAM?" test that Bots do - ie, the outbound port 25 check.  However, when I took a closer look at the SPAM test, the test domain Read more...


    McColo (still) hosting Rustock C&C

    By Alex Lanstein
    A month ago we wrote that McColo was hosting a Rustock Command and Control server on 208.72.168.191.  I wish I could report that Hurricane Electric or Global Crossing, their two upstream providers, had stopped routing these clowns, but unfortunately, that is not the case. Closing out today's day-in-the-life-of-McColo, I took a look at our Rustock bot lab, and I saw one communicating today on 208.66.194.22, another McColo IP address.  A Google search turns Read more...
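The Srizbi and Rustock posts above describe two things a defender can watch for on the wire: a freshly infected host probing outbound TCP/25 to see whether it can send SPAM, and bots calling home to C&C addresses that the posts name (208.72.168.191 and 208.66.194.22, both McColo space). The script below is an added example, not code from the original posts or from the appliance they describe. It runs a simple detection over constructed firewall log lines; the log format and the SMTP allowlist (a hypothetical mail relay at 10.0.0.25) are assumptions, and only the two C&C IPs come from the post itself.

```python
"""Flag outbound SMTP from non-mail hosts and connections to known C&C IPs.

Added example. The log lines and log format are constructed; the SMTP
allowlist is hypothetical. The C&C addresses are the two Rustock C&C IPs
the post names at McColo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# From the post: McColo IPs seen serving Rustock C&C (Sep/Oct 2008).
KNOWN_CNC_IPS = {"208.72.168.191", "208.66.194.22"}

# Hypothetical: the only internal host that should speak outbound SMTP.
SMTP_ALLOWED_SOURCES = {"10.0.0.25"}

REASON_SMTP = "outbound-smtp-from-non-mail-host"
REASON_CNC = "known-cnc-destination"

# Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP) (?P<action>\w+)$"
)

# Constructed sample: a legitimate relay, an infected desktop doing the
# "can I send SPAM?" check and then calling home, a second bot, DNS noise,
# and one malformed line the parser must skip rather than crash on.
SAMPLE_LOG = """\
2008-10-20T10:01:02Z 10.0.0.25:41000 -> 64.12.88.1:25 TCP ALLOW
2008-10-20T10:01:05Z 10.0.1.17:51234 -> 64.12.88.1:25 TCP ALLOW
2008-10-20T10:01:09Z 10.0.1.17:51235 -> 208.66.194.22:80 TCP ALLOW
2008-10-20T10:02:11Z 10.0.1.42:33000 -> 208.72.168.191:443 TCP ALLOW
2008-10-20T10:02:15Z 10.0.1.42:33001 -> 10.0.0.5:53 UDP ALLOW
malformed line here
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text: str) -> List[Alert]:
    """Return one Alert per suspicious event, in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # The bot's spam-capability test: TCP/25 out from a non-mail host.
        if rec["proto"] == "TCP" and rec["dport"] == 25 \
                and rec["src"] not in SMTP_ALLOWED_SOURCES:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], 25, REASON_SMTP))
        # Any port: the C&C servers moved between ports and IPs over time.
        if rec["dst"] in KNOWN_CNC_IPS:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"],
                                rec["dport"], REASON_CNC))
    return alerts


def suspect_hosts(alerts: List[Alert]) -> List[str]:
    """Internal hosts worth pulling for a closer look."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport} [{a.reason}]")
    print("suspect hosts:", ", ".join(suspect_hosts(analyze(SAMPLE_LOG))))
```

The outbound-port-25 rule is the more durable of the two: it keys on behaviour rather than infrastructure, so it still fires after the C&C moves. The IP match, by contrast, is only as fresh as the list behind it, and the Rustock post itself shows the server hopping from one McColo address to another within a month; treat a static C&C list as a starting point for hunting, not as the whole detection.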