Entries filed under 'Alex Lanstein'

Threat Research Blog

The FireEye Labs team posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. They cover the full spectrum of exploits and vulnerabilities, including advanced malware and targeted threats.


    Not to sound the panic alarm...

    By Alex Lanstein
    Not to sound the panic alarm, but it appears that I was slightly off base earlier with my comment that the Srizbi fallback C&C domains were hard coded in the sample.  It's true that the seed was hard coded, and that multiple samples had the same seed, but the domain name generated appears to be a function of the local time as well, which explains the ~36 hour window I was seeing.  Read more...


    Fallback C&C channels

    By Alex Lanstein, Julia Wolf, Atif Mushtaq, Todd Rosenberry
    As promised, a few more thoughts on fallback Command and Control channels and the Botnets that implement them. Srizbi is the best example of a total failure that we've seen to date.  As a recap, Srizbi was essentially a McColo-only Botnet that had a single IP hard coded in each binary, as well as a set of 4 domains that rotated every 3 days based on the system time.  Here are some examples Read more...
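    The two Srizbi excerpts above (the recap here and the correction in "Not to sound the panic alarm...") describe a fallback scheme whose domains are derived from a seed hard coded in the sample plus the bot's local time, with a rotation every 3 days. The Python below is an added illustration written for this page; it is not Srizbi's real algorithm and not FireEye's code. The seed value, the SHA-256 derivation, the label construction and the TLD list are all made-up assumptions. What it shows is the general shape of such a scheme: because the seed is shared across samples, anyone holding one sample can enumerate future domains ahead of the bots, and because the window is computed from each bot's local clock rather than UTC, bots in different time zones roll over to the next set of domains hours apart, which is the kind of skew the ~36 hour observation above points at.

```python
import hashlib
import datetime as dt

# Hypothetical constants (NOT Srizbi's real values): a seed shared by every
# sample of the family, a 3-day rotation period, four candidates per window.
SEED = b"example-seed-0001"
PERIOD = dt.timedelta(days=3)
DOMAINS_PER_WINDOW = 4
TLDS = ("com", "net", "org", "info")
EPOCH = dt.datetime(1970, 1, 1)


def window_index(local_time):
    """Number of whole 3-day periods since the epoch, as seen on the bot's own
    (naive, local) clock. Two bots whose clocks straddle a boundary disagree."""
    return int((local_time - EPOCH) / PERIOD)


def fallback_domains(seed, idx):
    """Derive the candidate domains for one window from seed + window index.
    Made-up derivation: SHA-256 over seed || index || counter, then map hex
    pairs onto lowercase letters to get a 10-character label."""
    out = []
    for n in range(DOMAINS_PER_WINDOW):
        digest = hashlib.sha256(seed + idx.to_bytes(8, "big") + bytes([n])).hexdigest()
        label = "".join(chr(ord("a") + int(digest[i:i + 2], 16) % 26)
                        for i in range(0, 20, 2))
        out.append("%s.%s" % (label, TLDS[n % len(TLDS)]))
    return out


def domains_for_bot(seed, utc_now, utc_offset_hours):
    """What a single bot would try right now, given its time-zone offset.
    The bot only knows local time, so the offset shifts its window boundary."""
    local = utc_now + dt.timedelta(hours=utc_offset_hours)
    return fallback_domains(seed, window_index(local))


def defender_preview(seed, start_utc, windows):
    """Defender's view: with the seed recovered from a sample, enumerate every
    window that any bot (clock offset -12h .. +14h) could be in over the next
    `windows` periods, so the domains can be registered or sinkholed first.
    Returns {window_index: [domains]}."""
    seen = {}
    for w in range(windows):
        t = start_utc + w * PERIOD
        for off in range(-12, 15):
            idx = window_index(t + dt.timedelta(hours=off))
            seen.setdefault(idx, fallback_domains(seed, idx))
    return seen


if __name__ == "__main__":
    # Constructed instant shortly after the McColo shutdown, chosen to sit near
    # a 3-day boundary (2008-11-13 00:00 falls exactly on one in this model).
    now = dt.datetime(2008, 11, 12, 20, 0)
    print("bot at UTC-5 :", domains_for_bot(SEED, now, -5))
    print("bot at UTC+8 :", domains_for_bot(SEED, now, +8))
    for idx, doms in sorted(defender_preview(SEED, now, 2).items()):
        print("window", idx, "->", doms)
```

    Run as-is it prints the domain sets two bots in different time zones would contact at the same UTC instant, plus the full list a defender would want to hold before the bots get there. The practical check this suggests for any time-seeded fallback: compute the next few windows from the recovered seed, then register or sinkhole every candidate, allowing for the clock skew the bots' local time introduces.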


    100,000+ Srizbi IPs detected in 24 hours, Part 1

    By Alex Lanstein, Julia Wolf, Atif Mushtaq
    The shutdown of the McColo Corporation left hundreds of thousands of Bots without a Command and Control server to which to connect.  The research team here at HQ decided to look into the fallback mechanism that one of the top Botnets, Srizbi, employed.  We assumed that there was a contingency plan that was enacted once the primary C&C was down for an extended period of time.  It appears we were correct in Read more...


    McColo shutdown Nov 11, 2008 16:23 EST

    By Alex Lanstein, Atif Mushtaq
    Something funny happened while I was writing another anti-McColo article today... the domains stopped responding.  What I was going to write about was how Rustock changed its Command and Control server to an IP previously used by Pushdo/Cutwail.  This is clearly not a coincidence and shows again that these Botnets are run by the same group. However, McColo was shutdown today, so that post would be fruitless :-)  We have timestamps on all Read more...


    Quick nugget on the McColo/Russia/Rustock connection

    By Alex Lanstein
    Just a quickie before the weekend - I was browsing through the captures from my Rustock bot lab and I noticed something not-exactly-earth-shattering:

    POST /data.php HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Host: davis-service.org
    Content-Type: multipart/form-data
    Content-Encoding: gzip
    Content-Length: 134
    Connection: Close
    Pragma: no-cache

    davis-service.org, let's see what we can find:

    root@alex_lanstein --- {~} whois davis-service.org
    [Querying whois.publicinterestregistry.net]
    [whois.publicinterestregistry.net]
    .........
    Domain ID:D153207965-LROR
    Domain Name:DAVIS-SERVICE.ORG
    Created On:03-Jul-2008 08:55:16 UTC
    Last Updated On:02-Sep-2008 03:50:20 UTC
    Expiration Date:03-Jul-2009 Read more...