mxlab - all about anti virus and anti spam » botnet

Rustock is back online, spam levels rise again

mxlab — Tue, 25 Nov 2008 09:09:48 +0000

UPDATE, Nov 27th: One of the new CnC servers, ‘sdx3Fs5B.info’ was resolving to 72.233.114.74 at LayeredTech. FireEye sent an abuse notification to LayeredTech when the CnC servers went online and they have pulled out the server.

—————-

Yesterday, Nov 24, 2008, I noticed a sudden spam rise. When checking some samples I found that the ‘Canadian Pharmacy’ spam is back and some new image based spam campaigns have been launched.

But the ‘Canadian Pharmacy’ spam is where we should focus on. These spam campaigns are being sent by Rustock, so the conclusion is that these guys are back online and in business.

With subjects like Obama.s new plan, Food crisis in California or Bush.s last words they try to get their email opened to see the ‘Canadian Pharmacy’ advertisment. URLs, like hxxp://alsi.kugusup.cn or hxxp://ppbka.kugusup.cn will redirect you to hxxp://beautythrow.com/ where the Canadian Pharmacy web site is hosted.

When looking for more information if Rustock is back I found that the Company FireEye Security has posted more details on their blog.

As expected, the bot admins learned from the shut down of McColo. They can now simply change DNS to make sure that their command and control server still can be accessed.

The new Rustock spam campaign is already having an impact on the spam levels. The image below is the graph for one of my domains and you can see the spam level drop when McColo was taken down. The red line is the global spam level.

We have a peak during the weekend, the absence of business emails, and a global spam level between 75% and 85% during the week. Yesterday we had a spam level of 89,4% and at the time of writting this article we are back at 93%. You can see the graph going up again after the re-activation of the Rustock C&C servers.

McColo up and down again, C&C servers to Russia

mxlab — Mon, 17 Nov 2008 11:21:14 +0000

McColo, the ISP that has been taken down because of their malicious activities, was back online during a brief period thanks to the Swedish ISP TeliaSonara AB that has a router in San Jose. The peering was revoked after complaints to the abuse email address by security from Sophos and security researcher Atif Mushtaq.

During this time Rustock admins did had time to update the Command And Control server with an IP of 208.66.194.22 at McColo to a new host in Russia.

With the takedown of McColo the drop of spam volumes worldwide is still continuing but as we can see the botnet admins are gettings thing up and running again. It is my belief that sooner or later, perhaps sooner, the spam levels will rise again and tradionally the end of the year is very attractive for spammers.

The botnet admins will learn a lesson of this and make their systems more redundant with fall back servers and we could even see systems where the centralized Command And Control server is replaced by a structure more based on P2P. Taking down the command center will become more difficult.

Spam drops after McColo Corp taken offline

mxlab — Thu, 13 Nov 2008 14:55:56 +0000

SMTP connections that involves spam have dropped 50% at MX Lab since yesterday. At first, we thought we faced a technical problem and all systems where checked to be sure but there where less SMTP conenctions that contained spam. Today we still noticed a very low level of spam volume.

Several news sites report that the San-Jose, California, US based hosting firm McColo Corp. has been taken offline when its primary Internet providers severed its connection to the web.

McColo’s clients included cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets. McColo hosts the botnet command-and-control servers (Rustock, Srizbi, Pushdo/Cutwail, Ozdok/Mega-D and Gheg) as well as other systems that ran malware distribution points and criminal payment services. McColo could be responsible for approx. 75% of all the spam traffic according to several sources.

Security Fix has gathered data about the activities of McColo over the past four months and has handed over some critical information towards the ISPs that offer the internet connection for McColo.

Hurricane Electric, one of the major Internet providers for McColo, has shut down the internet connection towards the hosting provider within the hour.

In September another U.S.-based hosting service Intercage, also active under the name Atrivo, suspected of harboring spammers was shut down. Within three days, the dip had disappeared as others stepped in. So it is expected that the spam level will return to its usual levels within the next few days.