The Business Of Mr. Alexander S Kopylov

On the FireEye blog we have talked a lot about botnets, their CnC coordinates, bad ISPs, etc. You may be curious to know who actually runs these botnets. Who are these puppet masters, and what is their business model? How do they work, and who are their customers?

There are many questions but few answers. In this post I will try to answer some of the ones that often pop up in my own mind as well.

It’s no secret that most of the SPAM botnets are developed in Russia and controlled by Russian cyber-criminals. Why should I believe this to be the case? Srizbi’s recent comeback gave me some valuable hints that confirm the industry's suspicion. Here is one email sent by Srizbi that day:

From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
	charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

.. ….. ….. ……….. ….. ………. ….. ……. - http://advert1.ru
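The Subject header above is an RFC 2047 encoded-word: the `B` means Base64 and `koi8-r` names the charset, and it decodes to "Самая эффективная реклама" ("The most effective advertising"), which is the hint that this run targets Russian readers. The following Python snippet, an added example rather than code from the original post, decodes the header and pulls the audience hints (charsets, mailer string, advertised URL) out of the message. The headers are the ones printed above; the body is a constructed placeholder, because the Russian body text is redacted on the page.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Headers reproduced from the post. The Russian body is redacted on the page,
# so the body here is a constructed placeholder that keeps only the link.
RAW_MESSAGE = """\
From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
\tcharset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

(body redacted in the post) - http://advert1.ru
"""


def decode_subject(encoded: str):
    """Decode an RFC 2047 encoded-word header (=?charset?B?...?=) to text.

    Returns the decoded string plus the list of charsets that were used; the
    charset is the audience indicator we care about (koi8-r means Cyrillic).
    A header with no encoded-words is returned unchanged with an empty list.
    """
    parts = decode_header(encoded)          # [(bytes_or_str, charset_or_None), ...]
    charsets = [cs for _, cs in parts if cs]
    return str(make_header(parts)), charsets


def spam_audience_hints(raw: str) -> dict:
    """Pull the fields that reveal who a spam run is aimed at and what it sells."""
    msg = message_from_string(raw)
    subject, subject_charsets = decode_subject(msg["Subject"])
    body = msg.get_payload()                 # single-part 8bit text body
    return {
        "subject": subject,
        "subject_charsets": subject_charsets,
        "body_charset": msg.get_content_charset(),  # charset= from Content-Type
        "x_mailer": msg["X-Mailer"],                # client string the template claims
        "urls": re.findall(r"https?://[^\s<>\"]+", body),
    }


if __name__ == "__main__":
    for key, value in spam_audience_hints(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Two of the hints line up here: the Subject encoded-word and the Content-Type both declare koi8-r, a Cyrillic charset, and the only link in the body is a .ru domain. The X-Mailer string is whatever the spam template puts there, so treat it as a fingerprint of the template rather than of a real client.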


‘Bancos’ - A Brazilian Crook

It’s fairly well accepted that most of the banking Trojans originate in Brazil, while most of the big SPAM botnets originate in Russia. One such banking Trojan is ‘Bancos’, a kind of malware that tries to steal every ‘bit’ of financial data from a victim’s PC.

Normally it happens like this:

Once executed on the victim's system, ‘Bancos’ contacts its command and control server and tries to download a .txt file. This .txt file has exactly the same format as the Windows hosts file (%SystemRoot%\System32\drivers\etc\hosts).
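As an added example (not the post's own code, and not the file Bancos actually serves), here is a parser for that hosts-file format together with a check that flags the entries a pharming payload would add. The sample file is constructed: the bank hostnames and redirect addresses are invented under reserved documentation names and addresses, and the assumption that the downloaded list ends up in the victim's hosts file is mine, since the excerpt stops before saying what the Trojan does with it.

```python
import ipaddress

# Constructed sample in hosts-file format ("ip hostname [alias...]" per line,
# '#' starts a comment). Names and addresses are invented for the example.
PHARMING_HOSTS_TXT = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bancoexemplo.example  bancoexemplo.example
203.0.113.45    internetbanking.exemplo.example
127.0.0.1       liveupdate.av-vendor.example  # sinkholes AV updates
"""


def parse_hosts(text: str):
    """Parse hosts-file text into (ip, hostname) pairs, one per alias."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_pharming_entries(text: str):
    """Return entries that map anything other than localhost to an address.

    A clean Windows hosts file only maps localhost to loopback. Any other
    mapping deserves an analyst's attention: a bank domain pointed at an
    attacker's server is pharming, and a vendor update host pointed at
    127.0.0.1 is the usual trick for starving the AV of updates.
    """
    suspicious = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not an address
        if addr.is_loopback and name in ("localhost", "localhost.localdomain"):
            continue
        suspicious.append((ip, name))
    return suspicious


if __name__ == "__main__":
    for ip, name in find_pharming_entries(PHARMING_HOSTS_TXT):
        print(f"{name} -> {ip}")
```

On a live host the same check can be run against the real file by reading `%SystemRoot%\System32\drivers\etc\hosts` and passing its text to `find_pharming_entries`; both IPv4 and IPv6 loopback entries for localhost are ignored, and everything else is reported.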



Bad Actors Part 4 - HostFresh

There was an excellent report published in 2008 by HostExploit that showed the connections between Atrivo and those for whom it provided downstream services. One such customer was a Chinese provider called HostFresh. I thought it might be interesting to look at two IP blocks which were previously part of the Atrivo network, 58.65.232.0/21 and 116.50.8.0/21, but are now routed by others.


Srizbi Spam/Hosting Services…

This link was http://advx…..ru, which took me to a Russian web site. This web site revealed to me how these spammers find customers for their botnet's spam. It was probably owned by the Srizbi gang or some front-end guys and was trying to sell spam services and hosting……

————

This post is a continuation of my previous article, where I talked about Srizbi's newly discovered command server in Estonia and speculated about a relationship between the Xarvester and Srizbi botnets. The initial spam sent by Srizbi at that moment gave me some breakthrough information about the gang behind the Srizbi botnet and their business model.

I showed in my previous article that it all started when we saw a potential Srizbi communication inside one of our customer's networks. This event was enough to give us the compromised host information along with the CnC's IP address (92.62.100.97) and port (TCP 80). After seeing Srizbi come alive again, the first thing I wanted to do was to grab a Srizbi sample which could communicate with this new CnC on port 80 from my botlab's controlled environment. Running that sample for a longer period of time could give me some valuable information like:

1. Spam template/Spam Theme.
2. Initial targeted SPAM.
3. Srizbi binary update (if any).
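As an added example, not code from the original post, the following Python matches connection records against the indicators named in these posts: the Srizbi CnC at 92.62.100.97 on TCP 80, and the two former Atrivo netblocks from the HostFresh post, 58.65.232.0/21 and 116.50.8.0/21. The flow lines are constructed for the example and their format is an assumption; the point is the CIDR containment check, which catches any host in a block rather than one fixed address.

```python
import ipaddress
import re
from typing import Optional

# Indicators taken from the posts: the Srizbi CnC (IP, port) and the two
# netblocks discussed in the HostFresh post.
SRIZBI_CNC = ("92.62.100.97", 80)
SUSPECT_NETBLOCKS = [ipaddress.ip_network(n) for n in ("58.65.232.0/21", "116.50.8.0/21")]

# Constructed flow records (not real traffic). 58.65.240.1 sits just past the
# end of 58.65.232.0/21 and must not match; 203.0.113.10 is a harmless host.
SAMPLE_FLOWS = """\
2009-02-12T04:27:59Z TCP 10.1.4.22:51234 -> 92.62.100.97:80
2009-02-12T04:28:03Z TCP 10.1.4.22:51235 -> 203.0.113.10:443
2009-02-12T04:28:10Z TCP 10.1.7.9:40011 -> 58.65.239.200:80
2009-02-12T04:28:12Z TCP 10.1.7.9:40012 -> 58.65.240.1:80
2009-02-12T04:28:20Z UDP 10.1.4.22:5353 -> 116.50.15.77:53
"""

# Assumed log layout: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def classify_flow(line: str) -> Optional[str]:
    """Return a verdict string for a flow that hits an indicator, else None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    # Exact CnC match requires the port too: the same IP on another port
    # may be unrelated hosting on a shared server.
    if m["proto"] == "TCP" and (str(dst), dport) == SRIZBI_CNC:
        return "srizbi-cnc"
    for net in SUSPECT_NETBLOCKS:
        if dst in net:                      # CIDR containment, not string compare
            return f"suspect-netblock:{net}"
    return None


def scan_flows(text: str):
    """Return (timestamp, internal host, verdict) for every matching flow."""
    hits = []
    for line in text.splitlines():
        verdict = classify_flow(line)
        if verdict:
            m = FLOW_RE.match(line.strip())
            hits.append((m["ts"], m["src"], verdict))
    return hits


if __name__ == "__main__":
    for ts, host, verdict in scan_flows(SAMPLE_FLOWS):
        print(f"{ts} {host} {verdict}")
```

A netblock hit is weaker evidence than the CnC hit: an address inside a block that once belonged to Atrivo only says the traffic deserves a look, whereas a TCP connection to the CnC on its known port is the same observation that started this investigation.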

Unfortunately I was not able to find any Srizbi sample in my malware database which could talk to this particular CnC. Luckily, some tweaking in my sandnet environment fooled an older Srizbi sample into talking to the new CnC. This trick worked really well: the Srizbi bot inside my lab successfully downloaded the spam template from the new server and started sending spam.

Some of the initial spam captured by my spam filter was aimed at a Russian audience. Although the emails were written in Russian (which I was not able to read), one embedded link inside some of the emails was enough to tell me the purpose of these spam emails.


Bad Actors Part 3 - Internet Path/Cernel

Much was made of the Intercage/Atrivo shutdown last year, which was the result of significant research by the security community and tenacity by the Washington Post's Security Fix blog. While a good chunk of the network was depeered, there are a few netblocks owned by "sister organizations" which remain routed.


Srizbi, Xarvester, and the MSRT

After months of silence, yesterday we finally found some Srizbi activity in one of our customer's networks. As Alex wrote in his last post, the newly discovered Srizbi CnC is 92.62.100.97. This IP belongs to Starline Web Services, hosted in Estonia. Apart from seeing Srizbi come alive again, two more things caught my attention immediately.
