[Emerging-Sigs] Listening Post & Blackhole DNS Update 1/1/2008

david.glosser at yahoo.com
Tue Jan 1 09:52:10 EST 2008


Matt had a typo in his URL; the domain is www.malwaredomains.com.
(updates are located at http://www.malwaredomains.com/updates and the full files are located at: http://www.malwaredomains.com/files). 

If you use the listening post, you will be contributing to the fight against spyware and malware by helping us to create a smaller list of "active" domains which can be used by smaller companies whose DNS servers do not have the horsepower to run the full blocklist, as well as the other important reasons Matt listed below.

List Update: 
All known storm worm domains have been added to the DNS Blackhole List, as well as the usual list of new rogue antivirus and fake codec domains.   

Blogspot and blogger continue to have phoney sites created for the sole purpose of pushing fake codec trojans (see http://sunbeltblog.blogspot.com/2007/12/fake-codecs-on-blogger.html and http://sunbeltblog.blogspot.com/2007/12/dog-breakfast-continues-on-blogger.html). However, blogspot and blogger have not been added since doing so would block too many valid sites. You should consider adding them yourself if your company policy allows.

==============================================================================
updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files 
BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference


----- Original Message ----
From: Matt Jonkman <jonkman at jonkmans.com>
To: snort-sigs at lists.sourceforge.net; emerging-sigs at emergingthreats.net
Sent: Saturday, December 29, 2007 4:06:49 PM
Subject: [Emerging-Sigs] Listeningpost IP

Because of a couple private requests, we're also reviving the spyware 
listeningpost at emerging threats. That's also down while the bleeding 
infrastructure has been taken offline.

For those of you using David Glosser's DNS-BH (malware-domains.com) and 
want to point your spyware hits to the Spyware Listening Post, please 
use the following IP:

75.125.225.163

This also is resolved by listeningpost.emergingthreats.net.

If you're not familiar, this is a listening webserver that just logs the 
domain requested, URL, and user agent. We then have been feeding this to 
some normalizing scripts and have written a huge number of the spyware 
snort sigs from that data.

In emerging threats we're going to expand that data mining in a number 
of ways. We'll be using that data to help make some smaller lists of 
more active domains, some advance warning for new fast flux domains, and 
hopefully some additional C&C tracking for http based botnets. First off 
though we're going to try to get some top 20 type lists of most active 
spyware, most active domains, oldest/newest c&c, etc.

Eventually, if things go as anticipated, we may even be able to expand 
this to an auto-notify service if you register your source IPs to get a 
report of what came at us, and what likely infections we'd seen.

More as we get there though!

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Fax 61-29-4750-026
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
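As an added illustration of the kind of "normalizing script" Matt describes (not code from the original post or from Emerging Threats), the following parses sinkhole webserver logs and builds the per-domain, per-user-agent and per-source-IP counts behind a "most active domains" list. It assumes an Apache combined log line with the requested Host appended as a last field; the log lines are constructed samples, not real listening-post data.

```python
import re
from collections import Counter, defaultdict

# Assumed layout: Apache combined format with the requested Host appended at the end.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)" (?P<host>\S+)$'
)

# Constructed sample log lines (not real sinkhole traffic); domains use .test.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2008:09:52:10 -0500] "GET /toolbar/update.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" www.example-spyware.test
10.0.0.7 - - [01/Jan/2008:09:53:01 -0500] "GET /codec/setup.exe HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 7.0)" fakecodec.example.test:80
10.0.0.5 - - [01/Jan/2008:09:54:44 -0500] "POST /gate.php HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" EXAMPLE-SPYWARE.test
10.0.0.9 - - [01/Jan/2008:09:55:02 -0500] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0" www.new-domain.test
"""

def normalize_host(host):
    """Lower-case, drop a :port suffix, trailing dot and leading 'www.' so one domain counts once."""
    host = host.lower().split(":", 1)[0].rstrip(".")
    return host[4:] if host.startswith("www.") else host

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["domain"] = normalize_host(rec["host"])
    return rec

def summarize(log_text):
    """Return (domain_hits, agent_hits, per_source): what was requested, by whom, from where."""
    domain_hits, agent_hits = Counter(), Counter()
    per_source = defaultdict(Counter)  # source IP -> domains it tried to reach
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        domain_hits[rec["domain"]] += 1
        agent_hits[rec["agent"]] += 1
        per_source[rec["src"]][rec["domain"]] += 1
    return domain_hits, agent_hits, per_source

def active_domains(log_text, top_n=20):
    """The 'top N most active domains' list: a smaller blocklist for low-capacity resolvers."""
    return summarize(log_text)[0].most_common(top_n)
```

The per-source counter is the raw material for the per-IP report Matt mentions: a site that registers its source IPs can be handed only its own rows.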

