Honeypots mailing list archives
Re: regarding malicious domains becoming inactive
From: yelukati mahendra <mahendra_yn () yahoo com>
Date: Wed, 5 Nov 2008 11:46:58 +0530 (IST)
These websites operate as one-night shops: they have a range of domain names and IPs, and they use the domain names or IPs randomly, I mean on a per-activity basis. For one kind of malware they use a particular name or a particular IP, and when this activity gets traced, that particular domain name / IP is blocked or blacklisted, but they continue their activity using the other names/IPs to pump in other malware. So in my perspective it is quite hard to tell when these particular websites are on and when they are off, until and unless somebody blacklists or blocks the entire range given to these kind of people.

--- On Tue, 4/11/08, Sushant Sinha <sushant () umich edu> wrote:
From: Sushant Sinha <sushant () umich edu>
Subject: Re: regarding malicious domains becoming inactive
To: "Bhatnagar, Mayank" <mbhatnagar () ipolicynetworks com>
Cc: honeypots () securityfocus com
Date: Tuesday, 4 November, 2008, 9:58 PM

Lists of malicious/advertising domains are maintained by a number of people. SURBL (surbl.org) maintains a list of URLs found in spam, and Google maintains a list of websites that may infect the end user (provided using the Safe Browsing API). Stopbadware also maintains such a list. So the only question is when these websites are active and when they are inactive. I do not see why this information is terribly important, as assuming that these websites are always up is safer.

-Sushant.

On Tue, 2008-11-04 at 12:05 +0530, Bhatnagar, Mayank wrote:

Hi,

Often we find while analyzing malware that malicious domains become inactive after some period of time. They may be active during the initial period of activity: malware, when executed, connects to these domains, and these domains then send malicious files, binaries, etc. But just as soon as this information becomes known or the behavior has been captured by IDS/IPS signatures blocking this domain, the domain itself becomes inactive.

What do you feel should be the responsibility of IDS/IPS solution providers? I feel keeping track of such domains (live or down) in an automated manner may be one possibility, keeping a signature for some time as a measure of protection another. Also maintaining blacklists of these domains may be helpful. How should one handle such cases? Any ideas?

Thanks & Regards,
Mayank

"DISCLAIMER: This message is proprietary to iPolicy Networks-Security Products division of Tech Mahindra Limited and is intended solely for the use of the individuals to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. iPolicy Networks-Security Products division of Tech Mahindra Limited accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."
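Added example (editorial, not code from any participant in this thread): the two proposals above, Mayank's "keep a signature for some time" and Sushant's "assume the site is always up", both amount to a retention policy on domain indicators rather than a liveness check. The Python below keeps each blocked domain for a fixed window after its last observed use, records liveness probes for reporting only (a domain that stops resolving is not unblocked early), matches subdomains against a listed parent to cover the name rotation Mahendra describes, and scans constructed proxy-log lines for hits. All domain names, log lines, timestamps and the 90-day window are constructed assumptions for the demo.

```python
"""Retention-based domain blocklist.

An indicator stays active for `retention` after its last observed use, whether
or not the domain currently resolves. This mirrors "keep the signature for some
time" and "assume the site is always up" from the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Indicator:
    domain: str
    activity: str                        # what the domain was seen doing, e.g. "dropper-download"
    first_seen: datetime
    last_seen: datetime
    last_resolved: Optional[bool] = None  # most recent liveness probe result, if any


class DomainBlocklist:
    def __init__(self, retention: timedelta = timedelta(days=90)):
        self.retention = retention
        self._entries = {}  # normalised domain -> Indicator

    @staticmethod
    def _norm(domain: str) -> str:
        return domain.lower().rstrip(".")

    def observe(self, domain: str, activity: str, when: datetime) -> None:
        """Record that `domain` was seen doing `activity` at `when`; refreshes last_seen."""
        key = self._norm(domain)
        entry = self._entries.get(key)
        if entry is None:
            self._entries[key] = Indicator(key, activity, when, when)
        else:
            entry.last_seen = max(entry.last_seen, when)
            entry.activity = activity

    def record_probe(self, domain: str, resolved: bool) -> None:
        """Store a DNS liveness result for reporting; it never shortens retention."""
        entry = self._entries.get(self._norm(domain))
        if entry is not None:
            entry.last_resolved = resolved

    def lookup(self, host: str, now: datetime) -> Optional[Indicator]:
        """Return the active indicator matching `host` or any parent domain (not the TLD)."""
        labels = self._norm(host).split(".")
        for i in range(len(labels) - 1):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is not None and now - entry.last_seen <= self.retention:
                return entry
        return None

    def expire(self, now: datetime) -> list[str]:
        """Drop entries whose last_seen is older than the retention window; return them."""
        stale = [d for d, e in self._entries.items() if now - e.last_seen > self.retention]
        for d in stale:
            del self._entries[d]
        return stale


# Constructed proxy-log format: "<iso timestamp> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)", re.IGNORECASE)


def scan_proxy_log(lines, blocklist: DomainBlocklist, now: datetime):
    """Return (client, host, activity) for every log line whose host is actively blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip malformed lines rather than fail the whole scan
        h = HOST_RE.match(m["url"])
        if h is None:
            continue
        entry = blocklist.lookup(h["host"], now)
        if entry is not None:
            hits.append((m["client"], h["host"], entry.activity))
    return hits


# Constructed sample data (assumptions, not from the thread): two rotating names, one campaign.
SAMPLE_INDICATORS = [
    ("dl-one.example.test", "dropper-download", "2008-10-01T09:00:00"),
    ("dl-two.example.test", "dropper-download", "2008-11-03T18:30:00"),
]
SAMPLE_PROXY_LOG = [
    "2008-11-04T12:05:00 10.0.0.5 GET http://dl-two.example.test/bin/update.exe 200",
    "2008-11-04T12:06:10 10.0.0.7 GET http://www.example.org/index.html 200",
    "2008-11-04T12:07:42 10.0.0.5 GET http://cdn.dl-one.example.test/x.bin 404",
    "malformed line",
]


def build_sample_blocklist(retention_days: int = 90) -> DomainBlocklist:
    bl = DomainBlocklist(timedelta(days=retention_days))
    for domain, activity, ts in SAMPLE_INDICATORS:
        bl.observe(domain, activity, datetime.fromisoformat(ts))
    bl.record_probe("dl-two.example.test", resolved=False)  # went dark, but stays blocked
    return bl


def demo():
    """Scan at 2008-11-05, then run expiry 60 days later. Returns (hits, expired)."""
    now = datetime.fromisoformat("2008-11-05T11:46:58")
    bl = build_sample_blocklist()
    hits = scan_proxy_log(SAMPLE_PROXY_LOG, bl, now)
    expired = bl.expire(now + timedelta(days=60))
    return hits, expired


if __name__ == "__main__":
    hits, expired = demo()
    for client, host, activity in hits:
        print(f"BLOCKED {client} -> {host} ({activity})")
    print("expired after 60 more days:", expired)
```

The scan flags both the still-listed name and a new subdomain of the older one, even though the probe says one of them no longer resolves; the only thing that ages an entry out is time since its last observed use, which is the policy the thread converges on.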
Current thread:
- Picviz 0.4 released Sebastien Tricaud (Oct 27)
- regarding malicious domains becoming inactive Bhatnagar, Mayank (Nov 04)
- Re: regarding malicious domains becoming inactive Andre D. Correa (Nov 04)
- Re: regarding malicious domains becoming inactive Sushant Sinha (Nov 04)
- Re: regarding malicious domains becoming inactive yelukati mahendra (Nov 05)
- regarding malicious domains becoming inactive Bhatnagar, Mayank (Nov 04)