NOC4HOSTS and the Grum Botnet
Update: As of 12/08, Jay from HiVelocity took the necessary steps to get these Command and Control servers shut down. The FE research team thanks him and his team profusely for their efforts. Individual verification of customers is nearly impossible for a facility of their size, so we appreciate any efforts they can make after the fact. We’d also like to thank Ross Thomas from SophosLabs and Phil Hay from Marshal TRACE for their research efforts.
Yesterday, my colleague Atif was looking at Pushdo/Cutwail, and he found a disturbing number of the C&Cs were hosted at NOC4HOSTS. This isn’t another McColo, but upon further investigation, there does appear to be a higher-than-average number of botnet controllers and malware hosted there. This is part 1 of an N-part series on C&Cs, malware, and exploits hosted at NOC4HOSTS.