Entries filed under 'Botnet'

Threat Research Blog

The FireEye Labs team posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. They cover the full spectrum of exploits and vulnerabilities, including advanced malware and targeted threats.


    Grum—New Segment Came and Gone

    By Atif Mushtaq
    Back in July, with the help of Spamhaus and CERT-GIB, FireEye took down Grum, one of the world's largest spam botnets. The whole shutdown operation was like a roller coaster ride and is explained in my previous blog posts here and here. Apart from an unsuccessful recovery attempt made by the bot herders a few days after the takedown, we never noticed any movement from the opposite side. Apparently the Grum guys Read more...


    The Story Behind Backdoor.LV

    By Vinay Pidathala
    From May of this year, we have seen a sudden uptick in the number of samples of an interesting malware we call Backdoor.LV. We have seen this malware primarily using websites hosting .exes to propagate. The HTTP header below shows one such example from which the malware was downloaded. A quick lookup on the location of the IP in the HTTP header "94.129.29.233" shows that the IP is located in Kuwait. Read more...


    Grum—The Money Factor

    By Atif Mushtaq
    As expected, the operators behind Grum are trying their best to reclaim their botnet. In the absence of any built-in fallback mechanisms, the bot herders used another fallback mechanism that is called money. Over the weekend we found that the Ukrainian ISP SteepHost removed the null route on three CnCs that were taken down last week. We suspect the bot herders must have paid a large amount of money in order to Read more...


    Grum Recap

    By Atif Mushtaq
    For a quick recap, here is a list of Grum CnCs. Some of these IPs were mentioned in my previous posts (1, 2, and 3), but I would like to summarize everything in one table. Based on the data from the last 30 days, below are the Grum CnC IPs along with their ISP information.

    IP               ISP/Colo          Status
    190.123.46.91    Panamaserver      Dead
    195.190.13.150   SteepHost DC-UA   Dead

    Read more...


    Grum, World's Third-Largest Botnet, Knocked Down

    By Atif Mushtaq
    I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned. How it all happened is a long story, but I would like to summarize it for you. The state of the Grum botnet has changed since we last talked (see previous posts here and here for a look back). On July 16, I reported Read more...