Cutwail and Rustock/Costrat: Same Command-and-Control Network

September 24th, 2008, by bjou
Yesterday I posted an analysis of Cutwail. Today, while analyzing a Rustock/Costrat binary, I found something interesting:
Cutwail issued the following command to 220.127.116.11:80 (hosted by McColo, known for hosting nefarious stuff):
GET /40E80010484449525657494F5357594C49584F456C000000066600000000760000046BEB000530CDE1E7ED HTTP/1.0
and received this answer from the web server:
HTTP/1.0 200 OK
Date: Fri, 29 Aug 2008 18:21:44 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 29 Aug 2008 18:21:44 GMT
followed by an encrypted/encoded binary. I have not been able to check that file out yet, but I might provide it to the interested reader upon request. The Rustock/Costrat binaries connect to the same network: these connections by Rustock to 18.104.22.168/24 are verified by Symantec and ThreatExpert.
Yet more proof that the top spam botnets are linked in certain ways, this time through their command-and-control infrastructure.
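As an added example (not code from the original post), here is a small Python detector that flags proxy log lines matching the two indicators above: a destination inside the quoted netblocks, or a request path that is one long run of hex digits like the Cutwail GET. The log format and the sample lines are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Netblocks taken from the post: the Cutwail C2 host and the Rustock /24.
C2_NETS = [ipaddress.ip_network("220.127.116.11/32"),
           ipaddress.ip_network("18.104.22.168/24", strict=False)]

# The Cutwail request path is a single long run of hex digits and nothing else.
HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{40,}$")

# Hypothetical proxy log format (constructed for this example):
# <client_ip> <dst_ip>:<port> "<METHOD> <path> <version>"
LOG_RE = re.compile(r'^(\S+) (\S+):(\d+) "(\S+) (\S+) (\S+)"$')

@dataclass
class Alert:
    client: str
    dst: str
    reasons: list

def inspect_line(line):
    """Return an Alert for a suspicious log line, or None if it looks benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: not this detector's job
    client, dst, _port, _method, path, _version = m.groups()
    reasons = []
    try:
        if any(ipaddress.ip_address(dst) in net for net in C2_NETS):
            reasons.append("destination in known Cutwail/Rustock C2 range")
    except ValueError:
        pass  # hostname instead of an IP; only the path check applies
    if HEX_PATH.match(path):
        reasons.append("Cutwail-style hex-only request path")
    return Alert(client, dst, reasons) if reasons else None

def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the alerts."""
    return [a for a in (inspect_line(l) for l in lines) if a]

# Constructed sample log: the Cutwail request from the post, a hit on the
# Rustock /24 with a normal path, and a benign request.
SAMPLE_LOG = [
    '10.0.0.5 220.127.116.11:80 "GET /40E80010484449525657494F5357594C49584F456C000000066600000000760000046BEB000530CDE1E7ED HTTP/1.0"',
    '10.0.0.7 18.104.22.200:80 "GET /index.php HTTP/1.1"',
    '10.0.0.9 93.184.216.34:80 "GET /robots.txt HTTP/1.1"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```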