Entries filed under 'Malware'

Threat Research Blog

FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.

    Grum, World's Third-Largest Botnet, Knocked Down

    By Atif Mushtaq
    I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned. How it all happened is a long story, but I would like to summarize it for you. The state of the Grum botnet has changed since we last talked (see previous posts here and here for a look back). On July 16, I reported Read more...

    Unpacking SimplePack

    By Abhishek Singh
    By packing their malicious executable, malware authors can be sure that when it is opened in a disassembler it will not show the correct sequence of instructions, thus making malware analysis a lengthier and more difficult process. SimplePack is yet another packer often used by malware authors. Specifically, it uses LZMA compression. When the packed process is opened in the debugger, the packed code starts with the instruction PUSHAD as seen in Figure Read more...

    Killing the Beast - Part 5

    By Atif Mushtaq
    Back in 2009, I started writing a series of articles called "Killing the Beast." These articles were primarily focused on the command and control (CnC) coordinates of popular spam botnets. These articles not only provided readers greater visibility into these spam botnets, but also served as the basis for two botnet takedowns. So far, four articles under this series have been published. After a long time, I have decided to write the Read more...

    An Inside Look into a Customized Threat

    By Abhishek Singh
    Recently, we came across a customized threat that, per our current understanding, was customized for a single individual—the president of a billion-dollar corporation. As the goal of this posting is to share the findings about the targeted attack, the individual's and corporation's identities have been withheld and will not be discussed in this blog. Delivery Method: As shown in Figure 1 below, the malware was delivered via an email message to the president Read more...

    More Flame/sKyWIper CNC Behavior Uncovered

    By Ali Islam
    When news of the Flame/SkyWiper malware hit the headlines last month, the world went into a frenzy. Flame was immediately hailed as the world’s most sophisticated malware. While security researchers will surely be talking about Flame for years to come, FireEye has since made another discovery regarding Flame’s command and control (CNC) behavior: it appears that the Flamer/sKyWIper malware’s callback has recently changed. Specifically, we have evidence that the malware is likely proxy-aware Read more...