Stories About Botnets - Part 1

The malware threat landscape is changing very fast. New and improved malware hits the attack surface on a daily basis, and it is no wonder that advanced malware likes to operate in stealth mode: it changes its behavior, shape and patterns as much as it can to fool its enemies. Not only do we need signature-less technology to handle such malware, but we also need a news resource that continuously covers these emerging threats, and that is where this series of blog posts comes in.

For the first post in the series, I am going to talk about four different botnets that have recently been spotted randomizing their command and control domains. I will call these generically "New Botnet" A, B, C, and D so that we can focus on the details of the morphing behavior. All of these botnets use custom algorithms to generate or locate their CnCs. The use of random CnC domains is not a new concept; in the past we have seen Conficker, Srizbi, and Rustock use similar techniques, but recently more and more botnets have been adopting these stealth tactics.


Using Honeypots to Sniff and Snuff out Botnets, part 1

In recent years, honeypots seem to have fallen out of favor with security researchers. The reason is pretty straightforward: a classic honeypot (a single IP running vulnerable services) or honeynet (honeypots on multiple IPs) will only catch attacks that actively attempt to propagate. These may be as loud as a worm like Blaster, Gimmiv, or Slammer, or as quiet as a bot that only scans its local subnet.

Why do I presume that there aren't enough researchers employing honeypots and honeynets? Simple: the botnets that use these types of attacks to spread have not had their controllers (C&Cs) change location (IP) in months or more. Of course, this lapse in abuse notifications is on me as well, but I hope to rectify the situation by notifying the offending upstream providers relentlessly going forward.


NOC4HOSTS and the Grum Botnet

Update: As of 12/08, Jay from HiVelocity took the necessary steps to get these Command and Control servers shut down. The FE research team thanks him and his team profusely for their efforts. Individual verification of customers is nearly impossible for a facility of their size, so we appreciate any efforts they can make after the fact. We'd also like to thank Ross Thomas from SophosLabs and Phil Hay from Marshal TRACE for their research efforts.

Yesterday, my colleague Atif was looking at Pushdo/Cutwail, and he found that a disturbing number of the C&Cs were hosted at NOC4HOSTS. This isn't another McColo, but on further investigation there does appear to be a higher than average number of botnet controllers and malware hosted there. This is part 1 of an N-part series on C&Cs, malware, and exploits hosted at NOC4HOSTS.
