Spear phished by FireEye?

Blogging about crimeware (commodity malware that infects victims in a purely opportunistic fashion) is an easy thing to do ethically, as the "victim" often does not add much value to the story. Also, there are so many copies of the malware publicly available that talking about the threat does not compromise your collection source, and in general we try to avoid "naming names" for the sake of shaming anyone.

In the case of crimeware, whether a home user or a chemical company gets compromised by a DDoS bot, the malware is going to act pretty much the same. For this reason, publicly talking about those types of threats does not lead you into discussions of, "But now they know that you know!"


Quick Reference for Manual Unpacking

By packing their malicious executables, malware authors ensure that, when the file is opened in a disassembler, it shows the packer's decompression stub rather than the original program's instructions, which makes malware analysis a lengthier and more difficult process. One method to locate the address of the code's first instruction before it was packed, also known as the Original Entry Point (OEP) of a file, is to set breakpoints on the APIs that a packer's stub uses to rebuild the execution environment, such as LoadLibraryA and GetProcAddress, and then use step-by-step tracing until the code initializes a stack frame (for example push ebp; mov ebp, esp). That function prologue denotes the start of the unpacked code.

For many commonly occurring packers, there are specific instructions for locating the OEP.


Zeus takeover leaves undead remains

Some of you may be aware that Microsoft this week went after a group of botnets. These botnets were created with the well-known Zeus toolkit. The effort was part of the so-called Operation B-71.

When I heard this news, the first thing I wanted to find out was whether these botnets had been on FireEye's radar. The answer is yes. Based on data collected from the FireEye MPC (Malware Protection Cloud), we have been detecting and protecting our customers from most of this malware.

There was one thing that caught my attention during this investigation. One botnet was able to partially recover from the takeover attempt. This particular Zeus variant is known for rapidly changing its command-and-control (CnC) servers.
