FireEye Malware Intelligence Lab

World's Top Malware

FE Malware Researcher — 2010-07-26T13:18:22-07:00

The malware landscape has always been very dynamic. New threat types and malware always replace the old ones. The prevalence of a particular malware family at any given time is dependent upon multiple factors like the business model, the efficiency of the person(s) driving this malware, and sometimes, actions by the anti malware industry. For example, due to efforts of the research community, Storm 1.0 and Srizbi, which were once the world's largest botnets, are...

World's Smallest PDF

FE Malware Researcher — 2010-06-21T04:28:00-07:00

Acrobat will parse some very badly formed PDF files. It's possible to remove almost everything from a PDF file, and still launch Javascript. A minimum of 58 bytes are all that is required to execute Javascript within Acrobat.

Mariposa Still Alive

FE Malware Researcher — 2010-06-18T17:37:21-07:00

In March earlier this year, Spanish police arrested three men linked to the Mariposa botnet. After this move it was widely believed that the massive botnet had shutdown. From what I have seen over the last week, that is not the case. Some Mariposa CnCs are still active and spreading. The screen shot below is a snapshot of a Mariposa sample (ad7a5b6755089ba83001f224a7067ec1) communicating to its CnC. On this occasion it received a command to spread...

Some Notes About Neosploit

FE Malware Researcher — 2010-06-04T17:31:25-07:00

Neosploit encodes into the URL, various bits of version information about a victim's browser and OS. It's using Java exploits, and is spread via malicious advertisements.

Storm Resurrection, is it true?

FE Malware Researcher — 2010-04-28T15:17:37-07:00

I got very excited when I heard that recently Steven Adair from Shadowserver has spotted a slightly modified Storm variant live in action. But I was little surprised when I read the details of this alleged new variant. This new variant (a modified version of actual storm) was discovered back in 2008 and I got a chance to write about it in quite a detail. From my article written back in 2008: Another interesting nugget...

Who is Exploiting the Java 0-day?

FE Malware Researcher — 2010-04-15T23:11:04-07:00

Update: Oracle released an emergency patch recently to fix this major flaw. See details in the bottom. ------------- The recent discovery of a 0-day design flaw in the 'Java Web Start' module has opened new avenues for malware drive by attacks. This flaw was exposed by Tavis Ormandy a few days back and it did not take a long time for bad guys to start using the proof of concept code for real exploitation. I...

Win32 API Shellcode Hash Algorithm

FE Malware Researcher — 2010-03-19T16:17:26-07:00

A reference table for Windows API Function Name Hashes, used in many shellcode examples. Also, daylight saving time is dumb.

Black Energy Crypto

FE Malware Researcher — 2010-03-03T12:54:14-08:00

The "Yes Exploit System" is encrypts its "Black Energy"-like components. The crypto design used has a fatal flaw, which allows for someone to completely recover the plaintexts, without knowing the keys, or algorithm used, or even any information at all except for a small amount of known plaintext.

MITB (Man in the Browser) Protection Layers

FE Malware Researcher — 2010-02-25T23:33:16-08:00

In my last post, I talked about some of the MITB attacks currently being used by modern banking trojans like URLZone and Zeus/Zbot. Although most modern-day banks have in place various security measures like multi-factor authentication to prevent online theft, based on my last article, we can see that most of these techniques are not enough to prevent MITB attacks. These techniques are mostly there to make the credentials theft difficult, but not impossible. Today...

Conference Stuff

FE Malware Researcher — 2010-02-24T14:46:21-08:00

FireEye has a booth at RSA2010 Expo. Julia is going to the RSA Expo, and is giving a talk at PH-Neutral in May.