Cutwail and Rustock/Costrat: Same Command-and-Control Network
September 24th, 2008 — bjou
Yesterday I posted an analysis of Cutwail. Today, while analyzing a Rustock/Costrat binary, I found something interesting:
Cutwail issued the following request to 208.66.194.232:80 (hosted by McColo, known for hosting nefarious stuff):
GET /40E80010484449525657494F5357594C49584F456C000000066600000000760000046BEB000530CDE1E7ED HTTP/1.0
and received the following answer from the web server:
HTTP/1.0 200 OK
Date: Fri, 29 Aug 2008 18:21:44 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 29 Aug 2008 18:21:44 GMT
Cache-Control: no-cache
Content-Length: 326160
Connection: close
Content-Type: application/octet-stream
followed by an encrypted/encoded binary. I have not yet been able to examine that file, but I can provide it to interested readers upon request. The Rustock/Costrat binaries connect to the same network; these connections by Rustock to 208.66.194.0/24 are verified by Symantec and ThreatExpert.
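For a defender who wants to spot this kind of beacon in proxy or capture logs, the exchange above can be reduced to a small set of indicators: a GET whose entire path is a long hex string, a response that is an uncached `application/octet-stream` blob, and a destination inside the netblock named in this post. The following detector is an added example written for this page, not code from the post or from any of the sandboxes mentioned. The request line, response headers and destination address are copied from the exchange above; the 32-hex-digit threshold and the combination of signals are heuristic assumptions of mine, and the decoded path is only shown as raw bytes and printable runs, since the post does not establish what the fields mean.

```python
import ipaddress
import re

# Sample data constructed from the exchange quoted in the post.
SAMPLE_DST = "208.66.194.232"
SAMPLE_REQUEST = (
    "GET /40E80010484449525657494F5357594C49584F456C000000066600000000"
    "760000046BEB000530CDE1E7ED HTTP/1.0"
)
SAMPLE_RESPONSE = """HTTP/1.0 200 OK
Date: Fri, 29 Aug 2008 18:21:44 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 29 Aug 2008 18:21:44 GMT
Cache-Control: no-cache
Content-Length: 326160
Connection: close
Content-Type: application/octet-stream"""

# Watchlist: the netblock the post associates with both botnets. Treat it as
# an indicator to review, not as proof on its own.
WATCHED_NETS = [ipaddress.ip_network("208.66.194.0/24")]

# Assumption: a path made only of hex digits, at least 32 of them, with no
# file extension or query string, is unusual enough to flag.
HEX_PATH = re.compile(r"^/([0-9A-Fa-f]{32,})$")
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def parse_request_line(line):
    """Split 'METHOD target VERSION' into its three parts."""
    method, target, version = line.split(" ", 2)
    return method, target, version


def parse_headers(raw):
    """Return (status line, {lower-cased header name: value})."""
    lines = raw.splitlines()
    headers = {}
    for ln in lines[1:]:
        if ":" in ln:
            name, value = ln.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_hex_path(target):
    """Return the path decoded as bytes, or None if it is not a hex path."""
    m = HEX_PATH.match(target)
    if not m or len(m.group(1)) % 2:
        return None
    return bytes.fromhex(m.group(1))


def printable_runs(data):
    """Runs of 4+ printable ASCII bytes, for an analyst's quick look."""
    return [run.decode("ascii") for run in PRINTABLE.findall(data)]


def beacon_indicators(dst_ip, request_line, response_raw):
    """Return (list of indicator names, decoded path bytes or None)."""
    indicators = []
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in WATCHED_NETS):
        indicators.append("dst-in-watched-net")
    method, target, _ = parse_request_line(request_line)
    payload = decode_hex_path(target)
    if method == "GET" and payload is not None:
        indicators.append("hex-encoded-path")
    _, hdrs = parse_headers(response_raw)
    if (hdrs.get("content-type") == "application/octet-stream"
            and hdrs.get("cache-control") == "no-cache"):
        indicators.append("uncached-binary-response")
    return indicators, payload


if __name__ == "__main__":
    found, raw = beacon_indicators(SAMPLE_DST, SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print("indicators:", found)
    print("decoded path:", raw.hex(), "printable:", printable_runs(raw))
```

Each indicator is weak alone (plenty of legitimate CDNs serve uncached octet-streams), so a real rule should require two or three of them together, and the netblock list should be fed from threat intelligence rather than hard-coded as it is here.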
Yet another proof that the top spam botnets are linked in certain ways, this time in their command-and-control infrastructure.
October 3rd, 2008 at 6:39 pm
Hi Björn!
Try this webpage as well:
http://anubis.iseclab.org/
They do the same as Symantec and ThreatExpert but provide more details on the filesystem, registry or process activities.
Note: The section “General Information” does not show the system behavior caused by your binary only. It is a general view on the system.
Downloading the file from the webserver mentioned above brings this result:
http://anubis.iseclab.org/result.php?taskid=f39a0f6ee6d65b34298a46b7b683414c&refresh=1
Seems to be inoperable in this format. (encoded)
Perhaps you have an already decoded version to analyze.
Best wishes …
Florian