Entries filed under 'Rustock'

Threat Research Blog

FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.

    Silent Rustock

    By Atif Mushtaq
    There has been a significant observed drop in worldwide spam levels during the last month or so. M86 thinks it's because Rustock, the world's largest spam botnet, suddenly stopped sending spam for unknown reasons. McAfee has expressed a different point of view. According to them, the steep drop in spam levels is due to recent attempts to shut down Pushdo.D, another famous spam botnet. It's clear that spam levels are dropping, so ...

    Rustock and Mega-D fallback domains

    By Alex Lanstein, Todd Rosenberry
    To me, charts and graphs illustrate trends much more clearly than a <table> does. Below I'll show the number of unique IPs over time, the number of unique IPs per hour, and the breakdown by domain for the fallback channels of Rustock and Mega-D. The first graphic below represents our current visibility into Rustock (aside from our customer sites). Much like Srizbi, we registered as many fallback domains as we could find for ...

    Quick nugget on the McColo/Russia/Rustock connection

    By Alex Lanstein
    Just a quickie before the weekend - I was browsing through the captures from my Rustock bot lab and I noticed something not-exactly-earth-shattering

        POST /data.php HTTP/1.0
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
        Accept-Language: en
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
        Host: davis-service.org
        Content-Type: multipart/form-data
        Content-Encoding: gzip
        Content-Length: 134
        Connection: Close
        Pragma: no-cache

    davis-service.org, let's see what we can find:

        root@alex_lanstein --- {~} whois davis-service.org
        [Querying whois.publicinterestregistry.net]
        [whois.publicinterestregistry.net]
        .........
        Domain ID:D153207965-LROR
        Domain Name:DAVIS-SERVICE.ORG
        Created On:03-Jul-2008 08:55:16 UTC
        Last Updated On:02-Sep-2008 03:50:20 UTC
        Expiration Date:03-Jul-2009
        ...

    Srizbi and Rustock: Family Feud or Sibling Rivalry? Part II

    By Atif Mushtaq
    FireEye recently dove into the world of spam email Botnets to further strengthen our belief that Botnets like Srizbi, Pushdo, and Rustock, although having completely different C&C architectures, are operated by the same group. This go around, we looked at the servers that control these Botnets and spam created from live Bots in our lab. As part of this investigation, we analyzed multiple malware samples of these Botnets in both our virtual and real ...