[Emerging-Sigs] RBN-Blackhole evasion tactic

David Glosser david.glosser at gmail.com
Fri Feb 15 12:35:02 EST 2008


Matt, sounds like a good lead for a possible snort rule...


On Fri, Feb 15, 2008 at 2:27 AM, Jart Armin <jart351 at googlemail.com> wrote:

> Yo Jim,
>
> Yes, noticed this trend recently from RBN and appearing within some
> botnets. There is one paradoxical advantage - if using *.site.com -
> then = RBN or affiliate (at the moment).
>
>
> Jart
>
>
>
>
>
>
> On Thu, Feb 14, 2008 at 2:29 AM, Jim McQuaid <jim.mcquaid at gmail.com> wrote:
> > Last weekend I found several new RBN domains and IP ranges.  They have
> >  adopted a new tactic, which is to use an "*" as the subdomain's name.
> >  When one tries to use an asterisk as a subdomain in Smoothwall's
> >  Blackhole, an error is produced.  In addition to the RBN, typosquatter
> >  Joey Dauben is using the same tactic.  The domains I've found thus far
> >  include:
> >
> >  RBN:
> >  *.bestsellerantivirus.com
> >  *.cleanuptool.com
> >  *.confidentsurf.com
> >  *.diskretter.com
> >  *.doginhispen.com
> >  *.elmejorantivirus.com
> >  *.erreurchasseur.com
> >  *.exterminadordevirus.com
> >  *.gubbishremover.com
> >  *.harddriveguard.com
> >  *.pctoolpro.com
> >  *.schijfbewaker.com
> >  *.securepccleaner.com
> >  *.sharedzilla.com
> >  *.toolsicuro.com
> >  *.trustedprotection.com
> >  *.trygpcbruger.com
> >  *.whbdns.com
> >  *.yourprivacyguard.com
> >
> >  Joey Dauben:
> >  *.0penhack.com
> >
> >  I am still learning how to write Snort rules of value, but will work
> >  on an inline drop rule.  I expect RBN will go to something like:
> >  *.beardedladies.trustedprotection.com and eventually
> >  *.heavily.bearded.ladies.trustedprotection.com ad infinitum...
> >
> >  Can anyone help out on this?
> >
> >  James McQuaid
> >
> >
> >
> >  > Haha, ya eventually it will be a problem.
> >  >
> >  > That's one reason I'm moving toward using a block distribution tool to
> >  > push this data soon. Snort isn't effective at IP matching large lists,
> >  > so we gotta do this another way.
> >  >
> >  > Soon...
> >  >
> >  > Matt
> >  >
> >  > Michael Scheidell wrote:
> >  > > would it be easier to submit a list of netblocks NOT 0wn8d by RBN? :-)
> >  > >
> >  > > They seem EVERYWHERE, including US-based ISPs who seem to be oblivious
> >  > > to the criminal nature of their clients.
> >
> >
> >  --
> >  James McQuaid
> >  http://www.jamesmcquaid.com
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
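Added example, not code from the thread and not part of Smoothwall, Blackhole or Snort: a small Python matcher that reads a "*.domain" entry as "this base domain and anything beneath it", normalises case and trailing dots, and compares hostnames label by label from the right. Because no asterisk is ever stored, the deeper nesting James expects (*.heavily.bearded.ladies.trustedprotection.com and so on) is caught by the same base-domain entry. The function names are my own; the blocklist entries are taken from the thread and the hostnames in the demo are constructed.

```python
"""Match hostnames against a blocklist that uses "*." wildcard entries.

Rather than treating "*" as a literal label (which Blackhole rejects), each
entry is reduced to its base domain and lookups compare on label boundaries,
so subdomains of any depth match without any wildcard handling at query time.
"""

# Entries as they appear in the thread, plus one plain entry without a
# wildcard to show both forms are accepted.
BLOCKLIST_RAW = [
    "*.trustedprotection.com",
    "*.0penhack.com",
    "pctoolpro.com",
]


def normalize_entry(entry: str) -> tuple:
    """Return the entry's labels, lower-cased, with "*." and trailing dot removed."""
    entry = entry.strip().lower().rstrip(".")
    if entry.startswith("*."):
        entry = entry[2:]
    labels = tuple(entry.split("."))
    # Reject empty or malformed entries (e.g. a bare "*" or "*.*.foo.com")
    # instead of silently producing a rule that matches everything.
    if not entry or "" in labels or "*" in labels:
        raise ValueError(f"malformed blocklist entry: {entry!r}")
    return labels


def build_blocklist(raw_entries) -> set:
    """Turn raw entries into a set of label tuples for O(1) suffix lookups."""
    return {normalize_entry(e) for e in raw_entries}


def is_blocked(hostname: str, blocklist: set) -> bool:
    """True if hostname equals, or sits at any depth under, a blocked base domain.

    The apex itself is treated as blocked too: for a blocklist, "*.x.com"
    means "the whole x.com zone", not the DNS wildcard's stricter semantics.
    """
    labels = tuple(hostname.strip().lower().rstrip(".").split("."))
    # Walk every right-hand suffix on label boundaries, so that
    # "notpctoolpro.com" does not match the entry "pctoolpro.com".
    for n in range(1, len(labels) + 1):
        if labels[-n:] in blocklist:
            return True
    return False


BLOCKLIST = build_blocklist(BLOCKLIST_RAW)

if __name__ == "__main__":
    # Constructed sample hostnames, not observed traffic.
    for host in [
        "www.trustedprotection.com",
        "heavily.bearded.ladies.trustedprotection.com",
        "PCTOOLPRO.COM.",
        "notpctoolpro.com",
        "example.com",
    ]:
        print(f"{host:50} blocked={is_blocked(host, BLOCKLIST)}")
```

The same suffix walk works for a DNS RPZ-style or proxy blocklist fed from the list above: store base domains only, and every "*.…" entry collapses to one line regardless of how many labels the attacker later prepends.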