Honeypots mailing list archives

Re: regarding malicious domains becoming inactive


From: "Andre D. Correa" <andre.correa () pobox com>
Date: Tue, 04 Nov 2008 16:22:21 +0000



Hi,

As a maintainer of a black list myself - www.malwarepatrol.net - I can
tell you what my policy is. We collect URLs pointing to malware and
analyze the binaries. If malware is found, its URL and domain go to the
block lists. This process is fully automated.

To keep the block lists fresh we visit every address in our database
daily, not just the active ones but also the unavailable ones. This
way we catch URLs that go unreachable for some time and later reappear.
This behavior is not rare: a very common situation is malware hosted on
free web providers; it may become unavailable very quickly because of
bandwidth consumption limits, but the next day it is available again.

If you don't have enough resources to verify all domains daily, but for
instance only every week, I'd suggest you keep the infected domains in
your list of signatures for one extra verification cycle (i.e. a domain
is removed from the list only if it is unreachable on two consecutive
verifications). Don't forget to make clear to your users and to domain
administrators why you do this.

Good luck!

Best regards.

--------------------------------------------------------------------
Andre D. Correa, CISSP         |  Visite meus projetos pessoais:
andre.correa (at) pobox.com    |  Visit my personal projects:
http://andre.hiperlinks.com.br |  - http://www.malwarepatrol.net/
Sao Paulo / SP / Brazil        |  - http://www.linuximq.net/
--------------------------------------------------------------------
PGP public key and fingerprint:
                 http://andre.hiperlinks.com.br/pgp.txt
                 Key pair created at: 26/3/2000 - Key ID: 64444ED3
                 File MD5:  6cefb949fd04122dfabaebb964964f8b
                 File SHA1: b3966e5136f706afb895e2f05c1a7234315c1529
--------------------------------------------------------------------
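The refresh policy described above (check every stored address each cycle, keep a URL listed through one extra failed verification, relist it if it reappears), as an added example written for this archive page; it is not Andre's code or the Malware Patrol implementation. The `check` callback, the `grace` parameter and the reachability history are assumptions: in a real pipeline `check` would fetch the URL and analyze the binary.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Entry:
    url: str
    consecutive_failures: int = 0   # unreachable verifications in a row
    listed: bool = True             # currently on the published block list


class BlockList:
    """Tracks every malware URL ever seen; publishes only those still listed.

    grace: consecutive failed verifications before a URL is dropped from the
    published list. grace=2 is the "one extra verification cycle" policy.
    """

    def __init__(self, grace: int = 2) -> None:
        self.grace = grace
        self.entries: Dict[str, Entry] = {}

    def add(self, url: str) -> None:
        # A URL confirmed to serve malware goes straight onto the list.
        self.entries[url] = Entry(url)

    def refresh(self, check: Callable[[str], bool]) -> List[str]:
        # Every address in the database is verified, not only the listed
        # ones, so a host that drops offline and later comes back is caught.
        # check(url) is assumed to return True when the URL is reachable and
        # still serving the malicious content.
        for e in self.entries.values():
            if check(e.url):
                e.consecutive_failures = 0
                e.listed = True
            else:
                e.consecutive_failures += 1
                if e.consecutive_failures >= self.grace:
                    e.listed = False
        return self.published()

    def published(self) -> List[str]:
        return sorted(e.url for e in self.entries.values() if e.listed)


def simulate() -> List[List[str]]:
    # Constructed 5-day reachability history for two hypothetical URLs; the
    # first mimics a free host that hits its bandwidth limit and comes back.
    history = {
        "http://free-host.example/dl.exe": [False, True, False, False, True],
        "http://bad.example/x.bin": [True, True, False, False, False],
    }
    bl = BlockList(grace=2)
    for url in history:
        bl.add(url)
    return [bl.refresh(lambda u, d=day: history[u][d]) for day in range(5)]
```

Day 4 of the simulation shows the point of revisiting unlisted entries: the free-host URL was dropped on day 3 and is back on the published list as soon as it is reachable again.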



Bhatnagar, Mayank wrote:
Hi,

Often we find while analyzing malware that malicious domains become
inactive after some period of time.

They may be active during the initial period of activity: malware, when
executed, connects to these domains, and these domains then send
malicious files, binaries, etc. But as soon as this information
becomes known or the behavior has been captured by IDS/IPS signatures
blocking this domain, the domain itself becomes inactive.

What do you feel should be the responsibility of IDS/IPS solution
providers? I feel keeping track of such domains (live or down) in an
automated manner may be one possibility, keeping a signature for some
time as a measure of protection another. Also maintaining blacklists of
these domains may be helpful.

How should one handle such cases? Any ideas?

Thanks & Regards,
Mayank


"DISCLAIMER: 
This message is proprietary to iPolicy Networks-Security Products division of Tech Mahindra Limited and is intended 
solely for the use of the individuals to whom it is addressed. It may contain privileged or confidential information 
and should not be circulated or used for any purpose other than for what is intended. If you have received this 
message in error, please notify the originator immediately. If you are not the intended recipient, you are notified 
that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. iPolicy 
Networks-Security Products division of Tech Mahindra Limited accepts no responsibility for loss or damage arising 
from the use of the information transmitted by this email including damage from virus."


