
FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation


3 posts from October 2009

A little more on Donbot...

Donbot is primarily a spam bot, one of the few spam botnets whose growth was not hampered by the McColo shutdown earlier this year. As a matter of fact, the sudden shutdown of big spammers like Srizbi and Rustock helped Donbot climb the spam botnet rankings. In this article I am going to discuss different aspects of Donbot, first as a piece of malware, and then in the latter half I will try to shed some light on its command and control architecture.

Let's start with a particular Donbot sample (273a07dccdfff421bfde652912f02e32). Like its peer botnets (Ozdok, Xarvester etc.), Donbot is also a template-based spam bot. Everything from the subject line to the mailing list, the message body, and the User Agents to be used in the SMTP headers is retrieved from the CnC server.

Template

Continue reading "A little more on Donbot..." »

Gumblar... Not Gumby!

Ok, I admit this blog post is not about our childhood TV friend, Gumby... Instead it's about a much more sinister character, Gumblar & its malware henchmen...

Gumblar originally made its debut back in March/April of this year (see here, here and here), then suddenly went quiet for a few months, until recently... Yes, Gumblar is back with a vengeance & still causing problems for its unsuspecting victims.

The primary delivery mechanism is still drive-by download (notably compromised sites serving malicious Adobe PDFs), which, when successful, will load the malware onto your system.

We have taken a look at a couple of the Gumblar-associated malware samples; you can see some VirusTotal results here & here.

Continue reading "Gumblar... Not Gumby!" »

A leap into the unknown - Part 1

A leap into the unknown is a series that will discuss some lesser-known malware that has a reasonably good command and control structure. Most of this malware might not be totally new to the AVs, but it was never considered for more than just creating a signature. Little or no effort has been made to disclose the motivation behind creating this malware, the CnC architecture, or the people behind it. These articles are not meant to prove that "My (discovered) botnet is bigger than yours". No offense to those who may already know about this malware and might not agree with the word 'unknown' in the title of this article. There is always someone who knows more than you do.

Continue reading "A leap into the unknown - Part 1" »