Entries filed under 'Alex Lanstein'

Threat Research Blog

The FireEye Labs team posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. They cover the full spectrum of exploits and vulnerabilities, including advanced malware and targeted threats.


    Anatomy of an MS08-078 exploit, part 1

    By Alex Lanstein
    Oftentimes I'm asked what actually happens to a system when the browser is exposed to a modern web exploit. By "web exploit", I'm referring to the type of exploit where your browser need only visit a site - no user interaction (like opening a file) is necessary. I thought it might be interesting to take a look at a real-world implementation of the new IE exploit (MS08-078) to see what the Read more...


    NOC4HOSTS and the Grum Botnet

    By Alex Lanstein
    Update: As of 12/08, Jay from HiVelocity took the necessary steps to get these Command and Control servers shut down. The FE research team thanks him and his team profusely for their efforts. Individual verification of customers is nearly impossible for a facility of their size, so we appreciate any efforts they can make after the fact. We'd also like to thank Ross Thomas from SophosLabs and Phil Hay from Marshal TRACE for Read more...


    Srizbi control regained by original owner

    By Alex Lanstein, Atif Mushtaq
    UPDATE: The Estonia-based Command and Control servers have been kicked offline. I'll post more details of how this happened when I get the go-ahead from the responsible party. The below information is still valid, but the addresses listed (except for the one in Frankfurt) are no longer reachable.

    Srizbi has returned from the dead and has begun updating all its Bots with a fresh, new binary. The worldwide update began just Read more...


    Rustock is Back...

    By Alex Lanstein, Atif Mushtaq
    UPDATE: There was an abuse notification sent to LayeredTech by my co-researcher Alex Lanstein earlier this morning. As a result LayeredTech seems to have pulled the server. 'sdx3Fs5B.info' still has an A entry for the IP, but it is no longer responding. Perhaps colos are starting to pay more attention to botnets and abuse notifications?

    Rustock and its spam are back. All Rustock variants which were able to update themselves during McColo's brief Read more...


    Rustock and Mega-D fallback domains

    By Alex Lanstein, Todd Rosenberry
    To me, charts and graphs illustrate trends much more clearly than a <table> does.  Below I'll show the number of unique IPs over time, the number of unique IPs per hour, and the breakdown by domain for the fallback channels of Rustock and Mega-D.The first graphic below represents our current visibility into Rustock (aside from our customer sites).  Much like Srizbi, we registered as many fallback domains as we could find for Read more...
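    The counts the teaser above describes (unique IPs over time, unique IPs per hour, and the per-domain breakdown) are what you get by aggregating the check-in log of a sinkhole that answers for registered fallback domains. The following is an added example, not code from the original post or from FireEye; the log format (one "timestamp source-IP queried-domain" line per bot check-in) and the domain names are assumptions, and the sample lines are constructed using RFC 5737 documentation addresses.

```python
"""Aggregate bot check-ins against sinkholed fallback domains.

Added example (not FireEye's code). Assumed input: one whitespace-separated
line per check-in, "<ISO-8601 UTC timestamp> <source IP> <queried domain>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Domains are hypothetical; addresses come from the
# RFC 5737 documentation ranges. One deliberately malformed line is included
# so the parser's handling of junk is exercised.
SAMPLE_LOG = """\
2008-11-25T10:03:11Z 192.0.2.10 fallback-a.example
2008-11-25T10:17:42Z 192.0.2.11 fallback-a.example
2008-11-25T10:59:03Z 192.0.2.10 fallback-a.example
2008-11-25T11:02:55Z 198.51.100.7 fallback-b.example
2008-11-25T11:30:00Z 192.0.2.11 fallback-b.example
2008-11-25T11:45:18Z 203.0.113.99 fallback-a.example
not a valid line
2008-11-25T12:00:00Z 192.0.2.10 fallback-b.example
"""


def parse_line(line):
    """Return (hour_bucket, ip, domain) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    # Truncate to the hour so repeated check-ins from one bot collapse.
    return ts.strftime("%Y-%m-%d %H:00"), parts[1], parts[2]


def aggregate(lines):
    """Return (unique IPs per hour, unique IPs per domain, total unique IPs).

    A bot that checks in several times in one hour counts once for that
    hour; a bot that queries two domains counts once for each domain.
    """
    per_hour = defaultdict(set)
    per_domain = defaultdict(set)
    total = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hour, ip, domain = rec
        per_hour[hour].add(ip)
        per_domain[domain].add(ip)
        total.add(ip)
    return (
        {h: len(s) for h, s in sorted(per_hour.items())},
        {d: len(s) for d, s in sorted(per_domain.items())},
        len(total),
    )


def cumulative_unique(lines):
    """Unique IPs seen up to and including each hour (the 'over time' curve).

    Each IP is credited to the hour it was first seen, so out-of-order log
    lines do not inflate the count.
    """
    first_seen = {}
    hours = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hour, ip, _ = rec
        hours.add(hour)
        if ip not in first_seen or hour < first_seen[ip]:
            first_seen[ip] = hour
    running = 0
    result = {}
    for hour in sorted(hours):
        running += sum(1 for h in first_seen.values() if h == hour)
        result[hour] = running
    return result


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_hour, per_domain, total = aggregate(lines)
    print("unique IPs per hour:", per_hour)
    print("unique IPs per domain:", per_domain)
    print("unique IPs total:", total)
    print("unique IPs over time:", cumulative_unique(lines))
```

    The per-hour figure is the one to watch when a colo pulls a C&C server: bots fall back to the sinkholed domain and the hourly count rises, while the cumulative curve shows how much of the botnet's population you have actually enumerated.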