Entries filed under 'Atif Mushtaq'

Threat Research Blog

FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.

    Grum—New Segment Came and Gone

    By Atif Mushtaq
    Back in July, with the help of Spamhaus and CERT-GIB, FireEye took down Grum, one of the world's largest spam botnets. The whole shutdown operation was like a roller coaster ride and is explained in my previous blog posts here and here. Apart from an unsuccessful recovery attempt made by the bot herders a few days after the takedown, we never noticed any movement from the opposite side. Apparently the Grum guys Read more...

    Java Zero-Day - First Outbreak

    By Atif Mushtaq
    A few days ago I talked about the existence of a new Java zero-day flaw (CVE-2012-4681). Soon after the publication of my blog, the white hats kicked in and there was proof-of-concept (PoC) code ready overnight. At this point, a major outbreak was inevitable. We soon came to know that the mastermind behind the Blackhole exploit kit has plans to add this zero-day to his package. This morning we started getting Read more...

    Zero-Day Season is Not Over Yet

    By Atif Mushtaq
    A new Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java runtime environments, i.e., JRE 1.7.x, are vulnerable. In my lab environment, I was able to successfully exploit my test machine running the latest version of Firefox with JRE version 1.7 update 6 installed. The initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain is resolving Read more...

    Grum—The Money Factor

    By Atif Mushtaq
    As expected, the operators behind Grum are trying their best to reclaim their botnet. In the absence of any built-in fallback mechanisms, the bot herders used another fallback mechanism that is called money. Over the weekend we found that the Ukrainian ISP SteepHost removed the null route on three CnCs that were taken down last week. We suspect the bot herders must have paid a large amount of money in order to Read more...

    Grum Recap

    By Atif Mushtaq
    For a quick recap, here is a list of Grum CnCs. Some of these IPs were mentioned in my previous posts (1, 2, and 3), but I would like to summarize everything in one table. Based on the data from the last 30 days, below are the Grum CnC IPs along with their ISP information. (Table with columns IP, ISP/Colo and Status; the excerpt shows entries hosted at Panamaserver and SteepHost DC-UA, all marked Dead.) Read more...