
FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation


2 posts from April 2010

Storm Resurrection, is it true?

I got very excited when I heard that Steven Adair from Shadowserver had recently spotted a slightly modified Storm variant live in action. But I was a little surprised when I read the details of this alleged new variant. This "new" variant (a modified version of the actual Storm) was discovered back in 2008, and I got a chance to write about it in quite some detail.

From my article written back in 2008:

Another interesting nugget is "User-Agent" header:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)

I guess the Storm author meant to type 'Windows' here, but fat-fingered it and made a typo. There is a sig in Bleeding Snort that recognizes this mistake:

#storm c&c with a typo'd UA.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; content:"User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windoss NT"; depth:200; classtype:trojan-activity; sid:2007742; rev:3;)

http://blog.fireeye.com/research/2008/10/storm-just-befo.html
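To show what the Bleeding Snort rule (sid:2007742) above actually matches, here is an added Python example, not code from the original post or from FireEye, that mirrors its content/depth semantics over constructed HTTP requests. The sample traffic, addresses and the padded third request are made up for illustration; only the User-Agent string comes from the post.

```python
# Content string from the Bleeding Snort rule quoted above, with the
# rule's "\:" and "\;" escapes resolved to the literal characters.
STORM_UA_PATTERN = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT"
# The rule's depth:200 means the pattern must sit inside the first 200
# payload bytes of the client-to-server request.
DEPTH = 200


def matches_storm_ua(payload: bytes, depth: int = DEPTH) -> bool:
    """Return True when the typo'd Storm User-Agent appears within the
    first `depth` bytes of an HTTP request payload, as Snort's
    content/depth pair requires (the whole match must end in range)."""
    return STORM_UA_PATTERN in payload[:depth]


def scan_requests(requests):
    """Scan (src, dst, payload) triples for client requests and return the
    endpoint pairs that would have triggered the rule."""
    return [(src, dst) for src, dst, payload in requests
            if matches_storm_ua(payload)]


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    # 1. The typo'd UA from the post, well inside the 200-byte depth: alert.
    ("10.0.0.5", "198.51.100.7",
     b"GET /a.php HTTP/1.1\r\nHost: example.invalid\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; "
     b"Windoss NT 5.1; SV1921)\r\n\r\n"),
    # 2. A correctly spelled "Windows" UA: no alert.
    ("10.0.0.6", "198.51.100.7",
     b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; "
     b"Windows NT 5.1; SV1)\r\n\r\n"),
    # 3. Typo'd UA pushed past the depth by a padding header: the rule's
    #    depth:200 would miss this, which is the limit of the signature.
    ("10.0.0.7", "198.51.100.7",
     b"GET / HTTP/1.1\r\nX-Pad: " + b"a" * 200 + b"\r\n"
     + b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; "
     + b"Windoss NT 5.1; SV1921)\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst in scan_requests(SAMPLE_REQUESTS):
        print(f"Storm C&C User-Agent seen: {src} -> {dst}")
```

Only the first request is reported; the third shows why a depth-limited content match should be backed by a header-aware HTTP preprocessor rather than relied on alone.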


Who is Exploiting the Java 0-day?

Update: Oracle recently released an emergency patch to fix this major flaw. See details at the bottom.

-------------

The recent discovery of a 0-day design flaw in the 'Java Web Start' module has opened new avenues for malware drive-by attacks. This flaw was exposed by Tavis Ormandy a few days back, and it did not take long for the bad guys to start using the proof-of-concept code for real exploitation. I have been reading about the exploit details for the last few days, but very few details were available on the active use of this exploit. Who is using this exploit, and what are they spreading with it? This article is all about that, with emphasis on the post-infection stuff.

Users who are interested in the inner workings of this 0-day flaw itself, can read the full disclosure here.

It all started like this... yesterday afternoon my colleague Stuart Staniford pointed me to a malicious domain, hxxp://zikkuat.com (dead at the moment), which he believed was exploiting this 0-day flaw. After a little analysis, I found this to be true indeed. Here are the details of my findings after a detailed analysis.
