Stories About Botnets - Part 2

In the first part of this series, I talked about a few botnets that use random domain generation algorithms to conceal their Command and Control (CnC) servers. But that is not the only kind of evasion used by advanced malware; there are other forms of polymorphism as well.

Some of the polymorphic techniques found in this malware are as follows:

  1. Random domain generation (as I talked about in Part 1)
  2. Random URL and HTTP header generation
  3. Custom obfuscated protocols
  4. Traffic disguised as legitimate objects such as GIF or JPEG image files

Today, I would like to talk about type 2: botnets that are good at randomizing their HTTP communication. Readers will see shortly how effectively this malware bypasses signature-based defenses.
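To make the evasion concrete, here is an added example (not code or detection logic from the original post, and not FireEye's own) that runs a fixed-string signature and a small set of structural heuristics over a handful of constructed HTTP beacon requests. The signature pattern, the header whitelist, the "random-looking token" rule and all of the request samples are hypothetical and constructed for illustration; the point is only that a signature keyed on a fixed URL stops matching the moment the bot randomizes its path and headers, while checks on the shape of the request still fire.

```python
import ipaddress
import re

# Hypothetical signature for a bot family whose beacon URL never changes.
# Once the family randomizes its path, this pattern no longer matches.
SIGNATURE = re.compile(r"^GET /gate\.php\?id=\d+ HTTP/1\.[01]\r\n")

# Headers a typical browser request is expected to carry (illustrative whitelist).
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "cookie", "referer", "content-type", "content-length",
    "cache-control", "pragma",
}

TOKEN_RE = re.compile(r"[A-Za-z0-9]+")

# Constructed sample traffic (not captured from any real botnet):
# one static beacon the signature was written for, two randomized beacons,
# and one benign browser request as a control.
SAMPLE_REQUESTS = [
    ("static-beacon",
     "GET /gate.php?id=1234 HTTP/1.1\r\n"
     "Host: cnc.example.net\r\n"
     "User-Agent: Mozilla/4.0\r\n\r\n"),
    ("randomized-beacon-1",
     "GET /x7fq2/kd9a1z.php?a4f=Zk2pQ HTTP/1.1\r\n"
     "Host: 203.0.113.5\r\n"
     "User-Agent: Mozilla/5.0 (compatible; xk3)\r\n"
     "X-Q4z: pD9\r\n\r\n"),
    ("randomized-beacon-2",
     "POST /u8k3wq/r2d9xx.asp HTTP/1.1\r\n"
     "Host: 198.51.100.7\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "Content-Length: 11\r\n\r\n"
     "q7=kk2mma9s"),
    ("benign-browser",
     "GET /images/logo.png HTTP/1.1\r\n"
     "Host: www.example.com\r\n"
     "User-Agent: Mozilla/5.0\r\n"
     "Accept: image/png\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers-dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def looks_random(token):
    """Heuristic: a path token of 5+ chars mixing letters and digits is
    unlike the words a human picks for a URL (e.g. 'images', 'logo')."""
    return (len(token) >= 5
            and any(c.isdigit() for c in token)
            and any(c.isalpha() for c in token))


def signature_match(raw):
    """Classic signature detection: exact pattern on the request line."""
    return SIGNATURE.match(raw) is not None


def heuristic_flags(raw):
    """Structural checks that do not depend on any fixed string."""
    _method, target, headers = parse_request(raw)
    flags = []
    random_tokens = [t for t in TOKEN_RE.findall(target) if looks_random(t)]
    if len(random_tokens) >= 2:
        flags.append("randomized-path")
    for name in headers:
        if name not in KNOWN_HEADERS:
            flags.append("unknown-header:" + name)
    # Bots often beacon to a bare IP; browsers almost always use a hostname.
    # (IPv6 literals in brackets are not handled by this simple split.)
    host = headers.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    return flags


def triage(requests):
    """Return {label: (signature_hit, heuristic_flags)} for each request."""
    return {label: (signature_match(raw), heuristic_flags(raw))
            for label, raw in requests}


def summarize(requests):
    """Count how many requests each approach flags."""
    results = triage(requests)
    sig_hits = sum(1 for hit, _ in results.values() if hit)
    heur_hits = sum(1 for _, flags in results.values() if flags)
    return sig_hits, heur_hits


if __name__ == "__main__":
    for label, (hit, flags) in triage(SAMPLE_REQUESTS).items():
        print(f"{label:22s} signature={hit!s:5s} heuristics={flags}")
    print("signature hits, heuristic hits:", summarize(SAMPLE_REQUESTS))
```

On the constructed samples the signature catches only the static beacon, while the structural checks flag both randomized beacons and leave the benign request alone. The heuristics here are deliberately simple and would need tuning against real traffic (short random-looking tokens such as CDN asset hashes are a common false positive), but they illustrate why detection of randomized HTTP traffic has to look at how a request is built rather than at what it says.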


Barbarians Inside the Cyber Gates

Critical government, military, and civilian networks have been repeatedly infiltrated to steal our intellectual property and national secrets. So, how do we build a modern national cyber security policy as we enter the 44th Presidency? The Center for Strategic and International Studies' report weighed in on this topic, but I think it missed the point in its technical recommendations.

Before I go further, I should introduce myself. I'm Ashar Aziz, FireEye's CEO and founder. I'll be chiming in to write about the big-picture security issues facing CIOs and CISOs, businesses, our national cyber infrastructure, and essentially anyone who does anything on the Internet these days.


Srizbi and Rustock: Family Feud or Sibling Rivalry? Part II

FireEye recently dove into the world of spam email botnets to further strengthen our belief that botnets like Srizbi, Pushdo, and Rustock, although they have completely different C&C architectures, are operated by the same group.

This time around, we looked at the servers that control these botnets and at spam generated by live bots in our lab. As part of this investigation, we analyzed multiple malware samples from these botnets in both our virtual and physical lab environments to extract the relevant C&C locations. When we compared the C&C IPs used by these three botnets, we were surprised to see that all three were using servers in the same colocation facility, and that this facility was fairly well known (a quick Google search suffices) to have been used for malicious activity in the past.
