Grum Recap

For a quick recap, here is a list of Grum CnCs. Some of these IPs were mentioned in my previous posts (1, 2, and 3), but I would like to summarize everything in one table.

Based on the data from the last 30 days, below are the Grum CnC IPs along with their ISP information.


Killing the Beast - Part 5

Back in 2009, I started writing a series of articles called "Killing the Beast." These articles were primarily focused on the command and control (CnC) coordinates of popular spam botnets. These articles not only provided readers greater visibility into these spam botnets, but also served as the basis for two botnet takedowns. So far, four articles under this series have been published. After a long time, I have decided to write the fifth one.

For a refresher, older posts can be accessed using the links shown below:

Part 1, Part 2, Part 3, and Part 4.

In recent years, we have seen the fall of many spam botnets including Srizbi, Rustock, Mega-D, Pushdo.A, Storm, and Waledac. But one botnet that has kept itself well under the radar is the Grum botnet. When I look into my Botnet Lab logs, I can see traces of Grum's earlier versions recorded around February 2008. That means that, as of today, this botnet is more than four years old. Readers who have been following the evolution of different botnets would agree that keeping a botnet active and alive for this many years is an achievement in itself.

Based on the latest statistics from M86Security, Grum is currently responsible for 17.4% of worldwide spam traffic, making it the world's third most active spam botnet after Cutwail and Lethic. Interestingly, Grum, which was the world's number one spam botnet around January 2012 (at that time it was responsible for 33.3% of worldwide spam), is already in decline after losing that position to the Cutwail botnet.


Stories About Botnets - Part 2

In the first part of this series, I talked about a few botnets that are using random domain generation algorithms in order to conceal their Command and Control (CnC) servers. But that’s not the only type of evasion being used by advanced malware. There are other types of polymorphism as well.

Some of the polymorphic techniques found in this malware are as follows:

  1. Random domain generation (as I talked about in Part 1)
  2. Random URL and HTTP header generation
  3. Custom obfuscated protocols
  4. CnC traffic disguised as legitimate objects, such as GIF or JPEG image files

Today, I would like to talk about type 2: botnets that are good at randomizing their HTTP communication. Readers will see shortly how intelligently these malware families bypass signature-based defenses.
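To make the type 2 evasion concrete, here is an added example (my own illustration, not code from the original post and not any real botnet's protocol). It builds a toy bot check-in that randomizes the URI path, the query parameter names and order, the User-Agent, and the header set and order on every request, and shows that a literal, IDS-style signature written against the first-generation request matches none of the randomized ones. It then shows the practitioner's counter-move: match on the one thing the bot author forgot to randomize, in this toy the 32-character hexadecimal bot identifier carried in some query parameter. All requests, host names and identifiers below are constructed sample data.

```python
import random
import re
import string

# Constructed sample: a first-generation check-in of the kind a literal
# signature gets written against (hypothetical, not a real botnet's traffic).
FIXED_REQUEST = (
    "GET /gate.php?id=0f3a9c1d2b4e5f60718293a4b5c6d7e8 HTTP/1.1\r\n"
    "Host: cnc.example.invalid\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)

# Constructed benign request, to check the detectors do not fire on ordinary traffic.
BENIGN_REQUEST = (
    "GET /index.html?page=home HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Literal signature: keyed on the exact URI path, parameter name and User-Agent.
LITERAL_SIGNATURE = re.compile(
    r"^GET /gate\.php\?id=[0-9a-f]{32} HTTP/1\.1\r\n.*?User-Agent: Mozilla/4\.0\r\n",
    re.S,
)

# Invariant-based detection: any query parameter whose value is exactly 32 hex
# characters, regardless of path, parameter name, header set or order.
BOT_ID_INVARIANT = re.compile(r"^GET /\S*[?&][a-z]{1,3}=[0-9a-f]{32}(?:&|\s)")


def random_token(rng, lo, hi, alphabet=string.ascii_lowercase):
    """Random string of lo..hi characters drawn from alphabet."""
    return "".join(rng.choice(alphabet) for _ in range(rng.randint(lo, hi)))


def randomized_checkin(rng, bot_id, host="cnc.example.invalid"):
    """Toy type 2 beacon: every visible literal changes, the bot id does not."""
    # Random path of 5-12 letters plus a legitimate-looking extension.
    path = "/" + random_token(rng, 5, 12) + rng.choice([".php", ".asp", ".html", "/"])
    # Decoy parameters with random names and values, shuffled around the real one.
    params = [(random_token(rng, 1, 3), random_token(rng, 3, 8))
              for _ in range(rng.randint(1, 3))]
    params.append((random_token(rng, 1, 3), bot_id))
    rng.shuffle(params)
    query = "&".join(f"{k}={v}" for k, v in params)
    # Random User-Agent, random subset and order of optional headers.
    ua = f"Mozilla/{rng.choice(['4.0', '5.0'])} ({random_token(rng, 4, 10, string.ascii_letters)})"
    optional = [
        ("Accept", rng.choice(["*/*", "text/html,*/*"])),
        ("Accept-Encoding", rng.choice(["gzip", "gzip, deflate"])),
        ("Connection", rng.choice(["keep-alive", "close"])),
        ("Cache-Control", "no-cache"),
    ]
    rng.shuffle(optional)
    headers = [("Host", host), ("User-Agent", ua)] + optional[: rng.randint(1, len(optional))]
    version = rng.choice(["1.0", "1.1"])
    lines = [f"GET {path}?{query} HTTP/{version}"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def literal_matches(request):
    """True if the literal signature fires on this raw request."""
    return LITERAL_SIGNATURE.match(request) is not None


def invariant_matches(request):
    """True if the invariant (32-hex query value) detector fires."""
    return BOT_ID_INVARIANT.match(request) is not None


def compare_detectors(n=50, seed=7, bot_id="0f3a9c1d2b4e5f60718293a4b5c6d7e8"):
    """Generate n randomized check-ins and count hits for both detectors."""
    rng = random.Random(seed)
    requests = [randomized_checkin(rng, bot_id) for _ in range(n)]
    return {
        "distinct_requests": len(set(requests)),
        "literal_hits": sum(literal_matches(r) for r in requests),
        "invariant_hits": sum(invariant_matches(r) for r in requests),
    }


if __name__ == "__main__":
    print(compare_detectors())
```

The literal signature still catches the first-generation request but nothing the randomized beacon sends, while the invariant detector catches both generations without touching the benign request. The lesson generalizes beyond this toy: when a family randomizes its URLs and headers, hunt for what it cannot afford to randomize (a bot identifier, a fixed-length encrypted blob, an odd header combination) and write the signature against that.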
