Entries filed under 'Alex Lanstein'

Threat Research Blog

FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.

    Spear phished by FireEye?

    By Alex Lanstein
    Blogging about crimeware (commodity malware that will infect victims in a purely opportunistic fashion) is an easy thing to do ethically, as the “victim” oftentimes does not add much value to the story. Also, there are so many copies of the malware publicly available that talking about the threat does not compromise your collection source, and in general, we try to avoid “naming names” for the sake of shaming anyone. In the ...

    An overview of Rustock

    By Alex Lanstein
    As you might have seen in the news, the largest spam botnet, Rustock, was recently taken down in a collaborated, coordinated way.  All parties involved were bound by a sealed federal lawsuit against the John Does involved, but now that the case has been unsealed, it's time to talk about a few of the details.  Why has Rustock been so successful for so long?  How has it managed to stay off the ...

    Bad Actors Part 7 - 3fn (Or: Cutwail - How to do it right)

    By Alex Lanstein
    “Wait … *beep beep* back up for a second, Alex.  I heard 3fn was brought down by the FTC!”  That would be correct!  On June 4th the FTC served a takedown notice that essentially dropped 3fn (aka “Triple Fiber Network”, Pricewert, APX Telecom, APS Communications) off the Internet.  I was approached by law enforcement looking for evidence of malicious activities, and luckily, I was in the midst of writing up an article ...

    SPAM bots have bugs too!

    By Alex Lanstein
    As you may or may not know, the popular SPAM bots work off something called a "template".  These templates contain tokens for the system-resident malware to replace with a word list that is periodically fetched from an external server.  In the past we've seen some bots that clearly separate the template update mechanism from the C&C communication (like Pushdo/Cutwail) and some that combine it more into one blurry malware package (like Rustock ...

    A new method to monetize scareware

    By Alex Lanstein
    Scareware in the form of Rogue AntiVirus software, such as XpAntiVirus2009, has long been a way to monetize infected computers.  Previously, the Rogue AVs would present you with screens that listed malware you didn't have, and for a nominal fee, you could buy the full version and clean the "infections". Over the past couple days, Vundo has been pushing a piece of malware that encrypts various personal file types (.pdf, .doc, .jpg, ...