<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss1full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:cc="http://web.resource.org/cc/" xmlns="http://purl.org/rss/1.0/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">

<channel rdf:about="http://blog.fireeye.com/research/">
<title>FireEye Malware Intelligence Lab</title>
<link>http://blog.fireeye.com/research/</link>
<description>Threat research, analysis, and mitigation | www.fireeye.com</description>
<dc:language>en-US</dc:language>
<dc:creator />
<dc:date>2012-05-30T05:00:00-07:00</dc:date>
<admin:generatorAgent rdf:resource="http://www.typepad.com/" />


<items>
<rdf:Seq><rdf:li rdf:resource="http://blog.fireeye.com/research/2012/05/flamerskywiper-analysis.html" />
<rdf:li rdf:resource="http://blog.fireeye.com/research/2012/05/1q2012-email-attack-trends.html" />
<rdf:li rdf:resource="http://blog.fireeye.com/research/2012/04/spear-phished-by-fireeye.html" />
<rdf:li rdf:resource="http://blog.fireeye.com/research/2012/04/quick-reference-for-manual-unpacking.html" />
<rdf:li rdf:resource="http://blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html" />
</rdf:Seq>
</items>

<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rdf+xml" href="http://feeds.feedburner.com/FE_research" /><feedburner:info uri="fe_research" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><image rdf:resource="http://www.fireeye.com/images/FE_logo_horiz_sm.jpg" /><feedburner:emailServiceId>FE_research</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname></channel>

<item rdf:about="http://blog.fireeye.com/research/2012/05/flamerskywiper-analysis.html">
<title>Flamer/sKyWIper Malware: Analysis</title>
<link>http://feedproxy.google.com/~r/FE_research/~3/nhVLRiRconY/flamerskywiper-analysis.html</link>
<description>As widely reported elsewhere, the Flamer/sKyWIper malware has largely been attributed to yet another unknown APT actor, which appears to target organizations in the Middle East. Rather than speculate on attribution or repeat the initial analysis provided by CrySyS Lab, this blog post will focus on additional indicators of compromise that have yet to be documented elsewhere.</description>

<dc:subject>Bad Actors</dc:subject>
<dc:subject>Malware Research</dc:subject>

<dc:creator>Darien Kindlund</dc:creator>
<dc:date>2012-05-30T05:00:00-07:00</dc:date>
<feedburner:origLink>http://blog.fireeye.com/research/2012/05/flamerskywiper-analysis.html</feedburner:origLink></item>
<item rdf:about="http://blog.fireeye.com/research/2012/05/1q2012-email-attack-trends.html">
<title>Even Hackers Don't Like to Work Weekends: Email Attack Trends from Q1 2012</title>
<link>http://feedproxy.google.com/~r/FE_research/~3/Me0qrLJao68/1q2012-email-attack-trends.html</link>
<description>In our second half (2H) of 2011 Advanced Threat Report, we provided compelling evidence that illustrated a possible correlation between an increase in email-based attacks and national holidays. Continuing this theme, let’s widen our dataset to include all worldwide customers and focus on the corresponding statistics collected year-to-date for 2012. To be clear, these statistics reflect the number of malicious attachments seen after initial spam and anti-virus filtering across the customer deployments that share intelligence back to us.</description>

<dc:subject>General Security</dc:subject>
<dc:subject>Malware Research</dc:subject>
<dc:subject>Zero-day</dc:subject>

<dc:creator>Darien Kindlund</dc:creator>
<dc:date>2012-05-24T09:02:00-07:00</dc:date>
<feedburner:origLink>http://blog.fireeye.com/research/2012/05/1q2012-email-attack-trends.html</feedburner:origLink></item>
<item rdf:about="http://blog.fireeye.com/research/2012/04/spear-phished-by-fireeye.html">
<title>Spear phished by FireEye?</title>
<link>http://feedproxy.google.com/~r/FE_research/~3/AvTgms7OZfk/spear-phished-by-fireeye.html</link>
<description>Blogging about crimeware (commodity malware that will infect victims in a purely opportunistic fashion) is an easy thing to do ethically, as the “victim” oftentimes does not add much value to the story. Also, there are so many copies of the malware publicly available that talking about the threat does not compromise your collection source, and in general, we try to avoid “naming names” for the sake of shaming anyone. 

In the case of crimeware, whether a home user or a chemical company gets compromised by a DDoS bot, the malware is going to act pretty much the same. For this reason, publicly talking about those types of threats doesn’t lead you down discussions of, “But now they know that you know!” 

Attacks that are people-driven are much more interesting to analysts because playing against a human leads to a whole different set of challenges than playing against an automated attack algorithm. The attacker, be it APT (China) or simply a well-resourced attacker, performs very systematic attacks on you to find the simplest method they need to use in order to be successful. There is a lot of FUD in the security community about how all APTs use unknown and/or unpatched software vulnerabilities, which is simply false. Why burn a zero-day if a link to an exe/hlp/chm/scr will work just as well? Why use a carefully constructed PDF email attachment that works 5% of the time when you could simply send a link to an older Java exploit that works 50% of the time? We’ve seen link lures for the “iPhone 5” and “movie premieres” that work better than the hottest UAV conference. The fact is that the sophistication of the exploit ramps up over the attack timeline between you (or your organization) and a specific threat actor. Obviously, if there is data that needs to be exfiltrated in short order, the volume and sophistication of attacks will escalate faster, but the general “shopping list” with which they are tasked sees a very gradual rise until an attack is successful. To put it another way, you’re not always fighting against the A-team, and although the B players aren’t that talented, they are just as relentless.</description>

<dc:subject>Vulnerability Research</dc:subject>

<dc:creator>FireEye, Inc.</dc:creator>
<dc:date>2012-04-13T07:16:00-07:00</dc:date>
<feedburner:origLink>http://blog.fireeye.com/research/2012/04/spear-phished-by-fireeye.html</feedburner:origLink></item>
<item rdf:about="http://blog.fireeye.com/research/2012/04/quick-reference-for-manual-unpacking.html">
<title>Quick Reference for Manual Unpacking</title>
<link>http://feedproxy.google.com/~r/FE_research/~3/_mAJUWfSEuU/quick-reference-for-manual-unpacking.html</link>
<description>By packing their malicious executables, malware authors ensure that, when these executables are opened in a disassembler, they do not show the correct sequence of instructions, thus making malware analysis a lengthier and more difficult process. One method to locate the address of the code’s first instruction before it was packed, also known as the Original Entry Point (OEP) of a file, is to apply a breakpoint on the APIs that set up...</description>

<dc:subject>Malware Research</dc:subject>

<dc:creator>Abhishek Singh</dc:creator>
<dc:date>2012-04-09T17:28:10-07:00</dc:date>
<feedburner:origLink>http://blog.fireeye.com/research/2012/04/quick-reference-for-manual-unpacking.html</feedburner:origLink></item>
<item rdf:about="http://blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html">
<title>Zeus takeover leaves undead remains</title>
<link>http://feedproxy.google.com/~r/FE_research/~3/D6GDinDWDF8/zeus-takeover-leaves-undead-remains.html</link>
<description>Some of you may be aware that Microsoft this week went after a group of botnets. These botnets were created from the famous Zeus toolkit. This effort was part of the so-called Operation B-71. When I heard this news, the first thing I wanted to find out was whether these botnets had been on FireEye's radar. The answer is yes. Based on data collected from the FireEye MPC (Malware Protection Cloud), we have been detecting...</description>

<dc:subject>Botnet Activities / Outbreaks</dc:subject>
<dc:subject>Botnet Research</dc:subject>
<dc:subject>Malware Research</dc:subject>

<dc:creator>Atif Mushtaq</dc:creator>
<dc:date>2012-04-02T22:29:15-07:00</dc:date>
<feedburner:origLink>http://blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html</feedburner:origLink></item>


<image rdf:about="http://www.fireeye.com/images/FE_logo_horiz_sm.jpg"><url>http://www.fireeye.com/images/FE_logo_horiz_sm.jpg</url><link>http://www.fireeye.com/</link><title>FireEye</title></image></rdf:RDF>

