http://blog.fireeye.com/research/ Threat research, analysis, and mitigation | www.fireeye.com en-US 2009-11-06T06:00:00-08:00 FE_researchhttp://feedburner.google.com http://feedproxy.google.com/~r/FE_research/~3/qRURhajCslA/smashing-the-ozdok.html In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight different approaches to take down this botnet theoretically. But when it comes to the actual shutdown, it's far more complex than just finding out the command and control server coordinates and fallback mechanisms. An actual shut down attempt requires someone to take the initiative and start a combined...<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=qRURhajCslA:ZZn1ibLaq2U:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/qRURhajCslA" height="1" width="1"/> Botnet Activities / Outbreaks Botnet Research FE Malware Researcher 2009-11-06T06:00:00-08:00 http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html http://feedproxy.google.com/~r/FE_research/~3/_3i1j8X3Wh0/killing-the-beastpart-4.html Note: Updates are available at the bottom of this article. Ozdok a.k.a Mega-d is one of those botnets that has been very successful flying under the radar over the past few years. Recent stats by Marshal TRACE show Ozdok is currently responsible for about 4.2% of the world's overall SPAM. The question that arises again is who are the guys controlling this botnet, and more importantly from where? I recently conducted a detailed study of...<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=_3i1j8X3Wh0:lXQTNV3YeNI:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/_3i1j8X3Wh0" height="1" width="1"/> Botnet Activities / Outbreaks FE Malware Researcher 2009-11-03T20:58:00-08:00 http://blog.fireeye.com/research/2009/11/killing-the-beastpart-4.html http://feedproxy.google.com/~r/FE_research/~3/aJaxFiFiIzc/a-little_more_on_donbot.html Donbot is primarily a spam bot, one of the few spam botnets whose growth was not hampered by the McColo shutdown earlier this year. As a matter of fact, the sudden shut down of big spammers like Srizbi and Rustock helped Donbot climb the spam botnet rankings. In this article I am going discuss different aspects of Donbot, first as a malware and then in the later half I will try to shed some light...<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=aJaxFiFiIzc:1NSf_VtT0g0:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/aJaxFiFiIzc" height="1" width="1"/> Bad Actors FE Malware Researcher 2009-10-28T11:26:50-07:00 http://blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html http://feedproxy.google.com/~r/FE_research/~3/nkWSrOfrM1Y/gumblar-not-gumby.html Ok, I admit this blog post is not about our childhood TV friend, Gumby... Instead it's about a much more sinister character, Gumblar & its malware henchmen... Originally making its debut back in March/April of this year (see here , here and here) and then suddenly it went quiet for a few months, until recently... Yes, Gumblar is back with a vengeance & still causing problems for it's unsuspecting victims. The primary delivery mechanism is...<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=nkWSrOfrM1Y:0K8x3vNWrtg:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/nkWSrOfrM1Y" height="1" width="1"/> Malware Research FE Malware Researcher 2009-10-23T12:18:23-07:00 http://blog.fireeye.com/research/2009/10/gumblar-not-gumby.html http://feedproxy.google.com/~r/FE_research/~3/u7LOi3Uil4s/a-leap-into-the-uknown-part-1.html A leap into the unknown is a series which will discuss some lesser known malware, that has a reasonably good command and control structure. Most of this malware might not be totally new to the AVs, but they were never considered for more than just creating a signature. Little or no effort has been made to disclose the motivation behind creating this malware, the CnC architecture, or the people behind it. These articles are not...<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=u7LOi3Uil4s:Bsvklk91Fqw:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/u7LOi3Uil4s" height="1" width="1"/> Malware Research FE Malware Researcher 2009-10-01T17:36:31-07:00 http://blog.fireeye.com/research/2009/10/a-leap-into-the-uknown-part-1.html http://feedproxy.google.com/~r/FE_research/~3/E-ceBD9mgss/killing-the-beastpart-3.html In the third part of this series, I'm going to discuss the command and control structure of another famous botnet, Clampi a.k.a ilomo. Clampi is all about data stealing and is famous for its anti-reversing and evasion techniques. The financial damage this information stealer can cause is evident from the fact that it has recently been publicly disclosed of a cyber theft of more than $150,000. Notorious isn't it..? Like the first two parts where...<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=E-ceBD9mgss:vGe1RxAaPkM:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/E-ceBD9mgss" height="1" width="1"/> Botnet Activities / Outbreaks FE Malware Researcher 2009-09-29T18:15:39-07:00 http://blog.fireeye.com/research/2009/09/killing-the-beastpart-3.html http://feedproxy.google.com/~r/FE_research/~3/AONYCr6TnC4/who-is-exploiting-the-adobe-flash-0day-part-2.html The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files. However, this vulnerability can just as easily be exploited in a standard drive-by fashion purely in Flash as well. This is precisely what has started to happen. Here is the snippet of the javascript which is actively targeting this 0-day vulnerability. This exploit successfully...<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=AONYCr6TnC4:rVYlYBLR3ZI:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/AONYCr6TnC4" height="1" width="1"/> Malware Research FE Malware Researcher 2009-07-24T13:34:55-07:00 http://blog.fireeye.com/research/2009/07/who-is-exploiting-the-adobe-flash-0day-part-2.html http://feedproxy.google.com/~r/FE_research/~3/St4F-F7NAqM/who-is-exploiting-the-flash-0day.html It looks like Zero-day discoveries for the month of July are not quite over yet. I have already talked about two vulnerabilities inside MS products earlier this month: July 7th 2009: Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ? July 14th 2009: Who is Exploiting the Office Web Components 0-day? Then came the 3rd one inside Mozilla FireFox 3.5, almost at the exact same time. Sadly enough, this article is about another 0-day (fourth in...<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=St4F-F7NAqM:qmDYg85IvyE:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/St4F-F7NAqM" height="1" width="1"/> Malware Research FE Malware Researcher 2009-07-23T06:24:00-07:00 http://blog.fireeye.com/research/2009/07/who-is-exploiting-the-flash-0day.html http://feedproxy.google.com/~r/FE_research/~3/YDAS-ZXFkGI/actionscript_heap_spray.html Flash has it's own version of ECMAScript called Actionscript, and whoever wrote this new 0-day, finally did something new by implementing the heap-spray routine with Actionscript inside of Flash.<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=YDAS-ZXFkGI:kL2WFpFYal4:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/YDAS-ZXFkGI" height="1" width="1"/> Exploit Research FE Malware Researcher 2009-07-23T06:04:23-07:00 http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html http://feedproxy.google.com/~r/FE_research/~3/SPJ5tUSrKz8/bad-actors-part-7-3fn.html “Wait … *beep beep* back up for a second, Alex. I heard 3fn was brought down by the FTC!” That would be correct! On June 4th the FTC served a takedown notice that essentially dropped 3fn (aka “Triple Fiber Network”, Pricewert, APX Telecom, APS Communications) off the Internet. I was approached by law enforcement looking for evidence of malicious activities, and luckily, I was in the midst of writing up an article for my Bad...<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/FE_research?a=SPJ5tUSrKz8:1sfTIC2RaKk:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/FE_research?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/FE_research/~4/SPJ5tUSrKz8" height="1" width="1"/> Bad Actors FE Malware Researcher 2009-07-21T13:37:09-07:00 http://blog.fireeye.com/research/2009/07/bad-actors-part-7-3fn.html http://www.fireeye.com/images/FE_logo_horiz_sm.jpghttp://www.fireeye.com/