Entries filed under 'Alex Lanstein'

Threat Research Blog

FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.

    Bad Actors Part 1 - Starline Web Services

    By Alex Lanstein
    A remarkably small number of data centers host services for those groups who operate the most sophisticated malware and botnets, known to the industry as Bad Actors.  Over the next couple weeks I'll take a closer look at the worst of the worst.Depeering Bad Actors seems to be all the rage lately.  Atrivo/Intercage and McColohave gotten the most press, but it seems more and more researchers areinterested in shining a light in Read more...

    A weekend warrior web exploit?

    By Alex Lanstein
    While examining some events from the past couple weeks, I noticed an interesting anomaly - there was a specific grouping of exploits that only occurred on the weekend!A couple of us in the research team kicked a few ideas around, and the best hypothesis we could come up with was that most people monitoring IDS systems tend to look at the most recent events first, and hence might never investigate the "older" Read more...

    Using Honeypots to Sniff and Snuff out Botnets, part 2

    By Alex Lanstein
      This is a continuation of my previous posting on botnets that propagate through remotely exploitable vulnerabilities.       I suggest you read the first posting to understand how the data below is gathered.  That being said, let's examine another one of my honeynets: The first thing you'll notice is there is a particular worm that first tries to connect to a random IP and port with a random GET request Read more...

    Using Honeypots to Sniff and Snuff out Botnets, part 1

    By Alex Lanstein
    In recent years, honeypots have seemed to fall out of favor with security researchers.  The reason for this is pretty straightforward - a classic honeypot (a single IP running vulnerable services) or honeynet (a honeypot on multiple IPs) will only catch attacks that actively attempt to propagate.  These attacks could be similar to a loud worm like Blaster, Gimmiv, Slammer, etc, or they could be a less noisy attack such as a Read more...

    Anatomy of an MS08-078 exploit, part 2

    By Alex Lanstein
    This is part 2 of the article on MS08-078.Below I'll talk about what this particular invocation of the exploit carried in terms of payloads.So after the exploit succeeds, the first thing is does is download and execute a binary.  To do that, it needs to do a DNS lookup for the hostname of the server serving the malicious exe (often not on the same server as the exploit page).  I run a Read more...