Friday 14 November 2008

McColo Exposed

After the RBN (Russian Business Network) episode in late 2007 and the recent Atrivo/Intercage episode, here comes the McColo episode. We are very happy to see that this bulletproof hosting company has been shut down for a few days now. We had followed this case quite closely, and had been investigating McColo on our own for some months...

It seems that McColo was shut down after its Internet providers were contacted by Security Fix. Brian Krebs wrote two great articles about it that you can find here and here. A study of the case has also been published by Jart on Hostexploit.com.

It's really amazing to see that McColo was responsible for 50% to 75% of the spam sent in those days...

Our own investigation also led us to think that McColo was only hosting fraudulent content: spamvertised websites, botnet command & control, malware, child pornography... just to name a few.

We had pushed our investigation further, but couldn't post anything about it until now. I won't post info about the fraudulent domains hosted at McColo; you can find plenty of them on the web. Instead, I've been curious about the "environment" of McColo. Who were these people?

McColo had two main ICQ contact addresses. One was registered under "McColo Sales" while the other was registered under "Alexey (McColo)"... Research on these two ICQ identities soon led us to a number of Russian underground forums. It seems like they were posting on them on a regular basis. We thought they might be Russian and kept searching, finding some posts concerning adult content hosting, and found two other ICQ numbers associated with Alexey, or should I say "Alex" or "Alexey Bladewalker"?
Digging more, I found several messages indicating that the leader of McColo may have been dead since the 2nd or 3rd of September 2007. McColo might have been set up by a certain "Nikolaï", information I couldn't verify unfortunately, but which looks plausible. McColo supposedly died in a car crash, as the passenger of a BMW which was racing a Porsche Cayenne in the streets of Moscow. McColo was sitting in the front-right seat of the BMW, while the driver was another well-known cybercriminal, known as "Jax". We found a local press article about this car crash here.

While we would never be pleased by anyone dying, the famous malware developer "Corpse", responsible for the A-311 Death (Haxdoor) / Nuclear Grabber trojan horses, laughed about it on one forum.

We haven't found any other information yet. Who kept McColo running after Nikolaï passed away? Was McColo only Russian people operating from Russia, or did they have a few friends physically in the USA?

While we're still wondering about this whole case, we are also very happy to see that all the people involved in the never-ending fight against cybercrime are communicating more and more. We believe exchanging data with other companies, LEOs and CERTs can only help bring the bad guys down. But while the head is cut off for the moment, the rest of the body (all the customers of McColo) is probably already working on rebuilding its C&C and all its other badness elsewhere...
Some attackers even tried to use the media buzz surrounding this takedown to push malware onto insecure machines, according to this FireEye article.

The fight continues, and fraudsters are learning every day. But so do we.

Wednesday 12 November 2008

Microsoft fixes an ancient vulnerability

This month's Patch Day brings us only two security bulletins this time, only one of which is rated critical and one important. The latter, going by the sweet name of MS08-068, concerns a vulnerability in SMB that is... 7 years old!
The vulnerability (Lexsi ref. 10906) was in fact already presented in 2001, under the name "SMB Relay". It consists of capturing the credentials sent by a Windows workstation to connect to an SMB share and replaying them against that same workstation in order to execute arbitrary code. Microsoft had decided at the time to do nothing about the vulnerability, since it relies on a basic feature of NTLM, in order to avoid numerous interoperability problems.

However, the developers did not forget it, and eventually found a way to fix it while minimising the impact on network applications.
Note, however, that this vulnerability has only been rated important, given that workstations that are not part of a domain try by default to use the Guest account to connect to an SMB share. Moreover, the proliferation of personal firewalls since the great era of worms such as Blaster further reduces the impact of this flaw.
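To make the "replay against the same workstation" mechanism concrete, here is an added toy model (written for this post, not Microsoft's code and not real NTLM or SMB): a host plays both the SMB server role and the SMB client role, the response is bound only to the challenge and the password hash, and a reflected challenge therefore authenticates against the very machine that produced it. The defence modelled is a challenge cache: a host remembers the challenges it has issued as a server and, as a client, refuses to answer one of its own. That this is how the MS08-068 fix works is my assumption for the example, not something the post states; the hash construction, TTL and host names are all constructed for illustration.

```python
"""Toy model of NTLM reflection against a single host and of a
challenge-cache defence. Constructed example; not real NTLM/SMB."""
import hashlib
import hmac
import os
import time


def ntlm_like_response(password_hash: bytes, challenge: bytes) -> bytes:
    # Stand-in for the NTLM response (constructed, not the real algorithm).
    # The property that matters: the response depends on the challenge and
    # the secret, never on which machine issued the challenge.
    return hmac.new(password_hash, challenge, hashlib.md5).digest()


class Host:
    """A machine that is both an SMB server and an SMB client."""

    def __init__(self, name, password_hash, reflection_check=False, ttl=300.0):
        self.name = name
        self.password_hash = password_hash
        self.reflection_check = reflection_check  # the modelled MS08-068-style fix
        self.ttl = ttl                            # seconds a challenge stays valid
        self._issued = {}                         # challenge -> time issued

    def _purge(self, now):
        expired = [c for c, t in self._issued.items() if now - t > self.ttl]
        for c in expired:
            del self._issued[c]

    # --- server role -------------------------------------------------------
    def issue_challenge(self, now=None):
        now = time.time() if now is None else now
        self._purge(now)
        c = os.urandom(8)
        self._issued[c] = now
        return c

    def verify(self, challenge, response, now=None):
        now = time.time() if now is None else now
        self._purge(now)
        if challenge not in self._issued:      # unknown or expired challenge
            return False
        del self._issued[challenge]            # one use only
        expected = ntlm_like_response(self.password_hash, challenge)
        return hmac.compare_digest(expected, response)

    # --- client role -------------------------------------------------------
    def answer_challenge(self, challenge, now=None):
        """Return a response, or None when the challenge is refused."""
        now = time.time() if now is None else now
        self._purge(now)
        if self.reflection_check and challenge in self._issued:
            # Challenge cache: we issued this challenge ourselves, so whoever
            # is presenting it is reflecting our own authentication back at us.
            return None
        return ntlm_like_response(self.password_hash, challenge)


def reflection_attempt(victim, now=None):
    """Model of the 2001 scenario: a rogue share obtains the victim's own
    server challenge and hands it back to the victim as a client.
    Returns True if the victim's server accepts the reflected response."""
    challenge = victim.issue_challenge(now)          # rogue opens a session to victim
    response = victim.answer_challenge(challenge, now)  # victim answers "its" share
    if response is None:
        return False                                  # defence refused the challenge
    return victim.verify(challenge, response, now)    # response replayed to victim


def legitimate_session(client, server, now=None):
    """A normal client-to-server logon must still succeed with the check on."""
    c = server.issue_challenge(now)
    r = client.answer_challenge(c, now)
    return r is not None and server.verify(c, r, now)


if __name__ == "__main__":
    pw = hashlib.md5(b"constructed-password").digest()
    print("unpatched host reflected:", reflection_attempt(Host("ws1", pw)))
    print("patched host reflected:  ", reflection_attempt(Host("ws2", pw, True)))
    print("patched logon to server: ",
          legitimate_session(Host("ws2", pw, True), Host("srv", pw, True)))
```

Running it shows the unpatched host authenticating to itself with a reflected challenge, the patched host refusing, and a normal logon between two patched hosts still succeeding, which is the interoperability constraint the post mentions. The TTL on the cache is what keeps the check cheap: only recently issued challenges need to be remembered.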

The second bulletin, MS08-069, fixes 3 vulnerabilities (Lexsi ref. 10907 and 7994) in XML Core Services. They can be exploited by visiting a malicious website: two of them allow information to be obtained from another domain, and the last one, known since January 2007, allows arbitrary code execution, although writing a stable exploit is not trivial.

Let us also take this opportunity to recall that at the end of October Microsoft released an out-of-band security bulletin to fix an extremely critical 0-day vulnerability in the Server service (Lexsi ref. 10828). It can be exploited remotely to execute arbitrary code with SYSTEM privileges, and a stable exploit covering the majority of Windows systems is available in the Metasploit framework.