Entries filed under 'M-Labs'

Threat Research Blog

FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.


    An In-Depth Look Into Data Stacking

    By M-Labs

    Mandiant's Nick Bennett and Jake Valletta discussed data stacking at MIRcon™ last month. If you were unable to attend the talk, we will discuss this data analysis technique here on the M-Unition blog.



    Exploring Artifacts in Heap Memory with Heap Inspector

    By M-Labs

    Please welcome the latest addition to Mandiant's free forensic gadget grab bag: Heap Inspector. This tool is the manifestation of a very simple idea a colleague and I came up with several months ago when discussing the prevalence of heap sprays as a staging mechanism for most exploits in the wild today (and why anti-virus/HIPS did not recognize and block heap sprays in progress). The idea was simple: a heap spray stores identical copies of the same block of data hundreds of times on the heap, so why not hash each chunk in an application's heap space and report repeating patterns? The idea grew into a full-featured tool to visualize and search an application's heap space in near real-time. I presented Heap Inspector at a turbo talk this year at Black Hat USA 2011.



    What the fxsst?

    By M-Labs

    If you deal with the same threats that Mandiant does, you may have noticed a lot of malware lately named "fxsst.dll". If you're wondering why this is happening, this article is for you.



    DLL Search Order Hijacking Revisited

    By M-Labs

    Since my last blog post on the topic of DLL Search Order Hijacking, there has been a lot of community activity in this area. The purpose of this article is to differentiate the specific hijack technique I was describing from the one that is currently being discussed in the media, as well as to propose my own solution to the problem.



    Reversing Malware Command and Control: From Sockets to COM

    By M-Labs

    On a Windows host there is more than one way for a program to communicate across the internet. When reverse engineering a piece of malware, it is of critical importance to understand which API is being used and how it works, so that you can gain an understanding of the data sent and received, as well as the command structure and internal protocol, if applicable. The choice of networking API also affects how you craft your indicators (more on this later). I break Windows malware command and control communications into four API categories: Sockets, WinInet, URLMon and COM. The primary focus of this article is COM, since it is the rarest, least understood and most difficult to reverse engineer.
