Quick Reference for Manual Unpacking

By packing their malicious executables, malware authors ensure that, when those executables are opened in a disassembler, they do not show the correct sequence of instructions, making malware analysis a lengthier and more difficult process. One method to locate the address of the code's first instruction before it was packed, also known as the Original Entry Point (OEP) of a file, is to set a breakpoint on the APIs that set up the execution environment, like GetLoadLibraryA, and then use step-by-step tracing to locate the initialization of the stack frame. Initialization of the stack frame denotes that the file is unpacked.

For many commonly occurring packers, there are specific instructions for locating the OEP.


Zeus takeover leaves undead remains

Some of you may be aware that Microsoft this week went after a group of botnets. These botnets were created from the famous Zeus toolkit. This effort was part of so called Operation B-71.

When I heard this news, the first thing I wanted to find out was whether these botnets had been on FireEye's radar. The answer is yes. Based on data collected from the FireEye MPC (Malware Protection Cloud), we have been detecting and protecting our customers from most of this malware.

There was one thing that caught my attention during this investigation. One botnet was able to partially recover from the takeover attempt. This particular Zeus variant is known for rapidly changing its CnCs.


Harnig is Back

Rustock's old buddy Harnig is back in action. Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system for a small fee. There has been a long-term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig.

I reported back in March (right after the Rustock botnet shutdown) that the Harnig botnet had abandoned all of its CnCs as well, causing suspension of all of its malicious activities. Rustock hasn't yet tried to claim back its previous position, but this is not true in the case of Harnig. After months of silence, Harnig is finally back in business, resuming all of its usual malicious activities.

A controlled run of Harnig in my lab shows Harnig downloading a number of malware samples onto the infected machine.


Old Wine in a New Bottle

The recent Adobe Flash 0-day (CVE-2011-2110) is a classic case of an old malware family using a new 0-day as a vector to spread itself. How and why I will explain shortly; first, a little detail about the exploit itself. According to our good friends at Shadowserver, the exploit targets a vulnerability in the ActionScript Virtual Machine. The SWF file takes an info parameter, and successful exploitation leads to the download of a zlib-compressed and XOR-encoded binary. The two GET requests in succession would look like this:

[Screenshot: GET requests, CVE-2011-2110]


Koobface - Goodbye Facebook!

It looks like Koobface has started to lose interest in Facebook. We first observed this dramatic change around February this year. All of a sudden, we saw that bot herders were no longer instructing zombies to post fake messages to compromised Facebook accounts. Our first impression was that it was just a temporary move, but a continued silence of about two months is not something that can be ignored. The last time we saw Koobface trying to pollute Facebook was around Feb 13th; at that time, one of the messages posted looked like this:

February 13 at 3:19pm
Youu’ve beren caght on our supefr smmall spy camerea!
http://12344cederberglineki.blogspot.com

where, as usual, the posted link redirected users to a fake YouTube video urging them to install a fake codec (in reality a Koobface malware binary) in order to watch a so-called stunning video.


The Rise Of Incognito

Have you ever wondered how malware spreads, why there are so many compromised machines out there talking back to their CnCs? There must be a medium, a vehicle if you will, to get a Zeus, a Rogue AV, a Rustock (not anymore :)) or any new malware onto a box. Have you ever wondered what this vehicle could be? If you answered exploits, then your answer is right. Exploits, pay-per-installs and social engineering are the main vectors for getting malware onto a machine. Exploit toolkits are point-and-click tools that use these exploits to make life easy for a hacker. At FireEye Labs, we continuously monitor the latest threats and exploit toolkits. One such toolkit that has come to our attention is the Incognito Toolkit. In 2011 we have noticed a sudden surge in our Incognito detections. This blog attempts to explain why this toolkit is so hard to detect, from the obfuscation techniques it uses to the kind of malware it drops. Though not as widespread as the Blackhole Toolkit, this toolkit looks like it is here to make a mark.

Without further delay, let's get into the finer workings of this toolkit. Let's see what happens once a user clicks on a malicious Incognito link.

The initial GET request returns a heavily obfuscated HTML page. The initial GET request looks like this:

[Screenshot: initial Incognito GET request]


Harnig Botnet: a retreating army

Rustock is not the only botnet which suffered from the recent takedown by Microsoft. It appears that Harnig (a.k.a. Piptea), a close relative of Rustock, is retreating as well. There is no evidence that someone is trying to shut down Harnig. It looks like a decision made solely by the bot herders. Why? I'll talk about it shortly.

Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system. In return for this favor, the owners of the other malware families pay the bot herders a small sum, normally a few cents per machine. When it comes to pay-per-install networks, the type and amount of malware being dropped can't easily be determined. What matters is who is paying the bot herders, and when. But things between Harnig and Rustock were quite different. There has been a long-term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig. Very rarely will one see Rustock using some other infection vector or pay-per-install network to propagate itself.

[Screenshot: Harnig infection chain]

One can see from the above screenshot that the Rustock installation is the result of a chain reaction:

Harnig -> Downloader.DigiPog (Rustock installer in plain text) -> Rustock spam engine (semi-fake password-protected 'rar' file containing the Rustock driver file).


An overview of Rustock

As you might have seen in the news, the largest spam botnet, Rustock, was recently taken down in a collaborative, coordinated way. All parties involved were bound by a sealed federal lawsuit against the John Does involved, but now that the case has been unsealed, it's time to talk about a few of the details. Why has Rustock been so successful for so long? How has it managed to stay off the radar, yet be the largest spammer in the history of the Internet? Why has it taken so long for anyone to take action against them?


Trojan.Linxder and the Flash 0-day (CVE-2011-0609)

Adobe recently reported the existence of a new zero-day flaw in Flash Player which, according to them, can affect Flash Player 10.2.152.33 and earlier versions. Soon after, additional news broke showing that this flaw had been used as part of limited targeted attacks. The initial attacks used a SWF file embedded inside an MS Excel file to lure users into clicking it. Once a user opens this Excel file, the Flash file embedded inside gets activated, exploiting this vulnerability. The Bugix-security blog described the exploitation process in great detail here.

Today, I would like to extend this analysis by talking more about the malware behind the exploit. What kind of malware is this? What does it do, and who might be the people behind this attack? During the course of my investigation, I found some clues leading me to the potential hackers behind these attacks. My preliminary analysis shows that Chinese hackers are probably the masterminds of this attack. I will come to the reasons for this conclusion later.


OMG-WTF-PDF Dénouement

You may have heard something in the news about PDF recently… By the power of Google!

I recently gave this presentation at the 27th Chaos Communication Congress in Berlin.
For some reason, the slides never made it from Pentabarf to the Fahrplan.
(They should be here: http://events.ccc.de/congress/2010/Fahrplan/attachments/1796_27C3_Julia_Wolf_OMG-WTF-PDF.pdf Currently 404, not by intent.) So, first order of business, here are the long-sought-after slides:
27C3_Julia_Wolf_OMG-WTF-PDF.pdf
(I have had so many requests for these.)