Entries filed under 'Alex Lanstein'

Threat Research Blog

The FireEye Labs team posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. They cover the full spectrum of exploits and vulnerabilities, including advanced malware and targeted threats.


    The case against URL blacklists

    By Alex Lanstein
    There's lots of talk these days about how URL based signatures are quickly becoming obsolete, but rarely you see real live proof of this.  Today I'll show you a couple quick examples to try to hammer the point home.The malicious links mentioned below are intentionally broken.  Do not attempt to load them in a browser as you will be infected.First up to bat is hxxp://www.hmall.com.  Alexa (http://www.alexa.com/data/details/main/hmall.com) reports this site as being Read more...


    McColo (still) hosting Rustock C&C

    By Alex Lanstein
    A month ago we wrote that McColo was hosting a Rustock Command and Control server on 208.72.168.191.  I wish I could report that Hurricane Electric or Global Crossing, their two upstream providers, had stopped routing these clowns, but unfortunately, that is not the case.Closing out today's day-in-the-life-of-McColo, I took a look at our Rustock bot lab, and I saw one communicating today on 208.66.194.22, another McColo IP address.  A google search turns Read more...


    McColo hosting Srizbi C&C

    By Alex Lanstein
    We've written about McColo hosting the Srizbi Command and Control servers a couple times, but today I saw a fun wrinkle that I haven't seen before.After my machine got infected, it went through the standard connectivity test.  The first test was the standard "can I send SPAM?" test that Bots do - ie, the outbound port 25 check.  However, when I took a closer look at the SPAM test, the test domain Read more...


    McColo hosting W32/Dedler C&C

    By Alex Lanstein
    Continuing the theme of last article, here is another example of McColo hosting a Command and Control server.  It appears they are nice enough to host the C&C for a 2004 worm known as Dedler.Symantec has a page about it - http://www.symantec.com/security_response/writeup.jsp?docid=2004-050714-2558-99 - but unfortunately they don't show any of the C&C behavior.McAfee also has a page - http://vil.nai.com/vil/content/v_122235.htm - but again, no C&C listed.ThreatExpert, as usual, comes through in the clutch!  Read more...


    More on McColo and Rogues

    By Alex Lanstein
    There doesn't seem to be a day that goes by that I don't have something new to add on McColo.  It's not that I am trying to target their fine colocation facility, and it's not that I have a thing against Scotland (har har), it's just that our appliance keeps detecting more and more badness coming out of their subnets.Today I'd like to briefly mention a couple examples of what McColo is Read more...