[Emerging-Sigs] auto-domain creation

Matt Jonkman jonkman at jonkmans.com
Wed Mar 12 06:57:49 EST 2008


David Glosser wrote:
> 1.  How often do these guys switch netblocks?

Jim can answer that better than I, but I'd say from watching Jim's work
that the major move was after the wash post article. Since that major
scattering it's been just additions for improved capacity.

> 2.  I guess none of these are fast-flux.
> Is it best to concentrate on blocking the fast-flux domains rather than
> "regular ones"

2 different issues. The fast flux stuff is botnet controllers, mostly
(as far as I see) medium level to small time operators. RBN uses
redundant dns and the like, but they're more into the static fraud, fake
products stuff of late. Static websites, fake AV and antispyware, etc.
Not fast flux for any of those. Does that correlate with what you're seeing, Jim?

> 3. Sounds like an interesting two-pronged strategy would be to block IPs
> of "regular" RBN domains and domains themselves which are part of a
> fast-flux botnet... Not sure what the easiest way to do this is besides
> a script to check each domain to see if it's fast-flux'ed...
> 

We've got a version of that running behind the RBN ruleset and the
compromised domains. RBN is the static nets, mostly what Jim is tracking
and what shows up in the sandnet. The compromised is fast flux, storm
major peers, and others that show up as just plain and obviously hostile.

We're working on better ways to track and to distribute the information
though.

Matt


> On Tue, Mar 11, 2008 at 11:24 PM, Jim McQuaid <jim.mcquaid at gmail.com
> <mailto:jim.mcquaid at gmail.com>> wrote:
> 
>     "One way to beat the RBN's auto-domain creation tactic is to catalogue
>     their IP space and block it whether they have anything there or not.
>     I've thought about this as a means to diminish the effectiveness of
>     fast flux.  An example is at RapidSwitch, yesterday the RBN sigs
>     blocked:
>     87.117.252.11
>     87.117.255.20
>     87.117.255.30
> 
>     However, we have now observed:
> 
>     Conclusion, RBN owns that block of 255 addresses.  So, we should
>     always block it, as they are free to move domains in and out of that
>     range at will."
> 
> 
>     --
>     James McQuaid
>     http://www.jamesmcquaid.com
>     _______________________________________________
>     Emerging-sigs mailing list
>     Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
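The two approaches the thread discusses, as an added example that is not code from Emerging Threats or from any of the list members: folding observed hostile /32 hosts into the netblock the operator evidently owns so the whole range can be blocked (Jim's point), and David's "script to check each domain" for fast flux, here as a heuristic over repeated DNS lookups. The thresholds are assumptions and the DNS lookups are constructed sample data; the only addresses taken from the thread are the 87.117.255.x hosts.

```python
# Added example, not Emerging Threats code. Thresholds are assumptions.
import ipaddress

# Hosts quoted in the thread (87.117.255.x only), used here as sample input.
OBSERVED_RBN_HOSTS = ["87.117.255.20", "87.117.255.30", "87.117.255.38",
                      "87.117.255.124", "87.117.255.226", "87.117.255.250"]


def covering_block(addrs, widest=16):
    """Smallest single IPv4 CIDR containing every address in addrs.
    Stops widening at /widest: a scattered set should be reviewed by hand,
    not turned into a blanket block of a large provider range."""
    if not addrs:
        return None
    nets = [ipaddress.ip_network(a, strict=False) for a in addrs]
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        if block.prefixlen <= widest:
            return None
        block = block.supernet()
    return block


def fast_flux_score(lookups, ttl_max=300, min_ips=10, min_nets=5):
    """Heuristic: a fluxed name answers with short-TTL A records whose set
    churns across many unrelated /16s. lookups is a list of (ttl, [ip, ...])
    from successive queries of the same name. Returns (is_flux, evidence)."""
    ips = {ip for _, rrset in lookups for ip in rrset}
    nets = {ipaddress.ip_network(ip + "/16", strict=False) for ip in ips}
    evidence = {"low_ttl": all(ttl <= ttl_max for ttl, _ in lookups),
                "unique_ips": len(ips), "unique_nets": len(nets)}
    is_flux = evidence["low_ttl"] and len(ips) >= min_ips and len(nets) >= min_nets
    return is_flux, evidence


# Constructed sample lookups (private addresses, not real observations).
FLUX_LOOKUPS = [(60, ["10.1.0.5", "10.2.0.9", "10.3.0.1", "10.4.0.7"]),
                (60, ["10.5.0.2", "10.6.0.8", "10.7.0.3", "10.8.0.4"]),
                (60, ["10.9.0.6", "10.10.0.1", "10.11.0.2", "10.1.0.5"])]
STATIC_LOOKUPS = [(86400, ["87.117.255.20"])] * 3

if __name__ == "__main__":
    print("covering block:", covering_block(OBSERVED_RBN_HOSTS))  # 87.117.255.0/24
    print("flux host:", fast_flux_score(FLUX_LOOKUPS))
    print("static host:", fast_flux_score(STATIC_LOOKUPS))
```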
