[Emerging-Sigs] auto-domain creation

David Glosser david.glosser at gmail.com
Wed Mar 12 09:53:15 EST 2008


I was under the impression
(http://rbnexploit.blogspot.com/2007/11/rbn-google-search-exploits.html) that
RBN is now using fast flux for their botnets...



On Wed, Mar 12, 2008 at 7:57 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:

>
> David Glosser wrote:
> > 1.  How often do these guys switch netblocks?
>
> Jim can answer that better than I, but I'd say from watching Jim's work
> that the major move was after the wash post article. Since that major
> scattering it's been just additions for improved capacity.
>
> > 2.  I guess none of these are fast-flux.
> > Is it best to concentrate on blocking the fast-flux domains rather than
> > "regular ones"
>
> 2 different issues. The fast flux stuff is botnet controllers, mostly
> (as far as I see) medium level to small time operators. RBN uses
> redundant dns and the like, but they're more into the static fraud, fake
> products stuff of late. Static websites, fake AV and antispyware, etc.
> Not fast flux for any of those. Does that correlate with what you're seeing,
> Jim?
>
> > 3. Sounds like an interesting two-pronged strategy would be to block IPs
> > of "regular" RBN domains and domains themselves which are part of a
> > fast-flux botnet... Not sure what the easiest way to do this is besides
> > a script to check each domain to see if it's fast-flux'ed...
> >
>
> We've got a version of that running behind the RBN ruleset and the
> compromised domains. RBN is the static nets, mostly what Jim is tracking
> and what shows up in the sandnet. The compromised is fast flux, storm
> major peers, and others that show up as just plain and obviously hostile.
>
> We're working on better ways to track and to distribute the information
> though.
>
> Matt
>
>
> >
> >
> >
> > On Tue, Mar 11, 2008 at 11:24 PM, Jim McQuaid <jim.mcquaid at gmail.com
> > <mailto:jim.mcquaid at gmail.com>> wrote:
> >
> >     "One way to beat the RBN's auto-domain creation tactic is to
> >     catalogue their IP space and block it whether they have anything
> >     there or not. I've thought about this as a means to diminish the
> >     effectiveness of fast flux.  An example is at RapidSwitch, yesterday
> >     the RBN sigs blocked:
> >     87.117.252.11
> >     87.117.255.20
> >     87.117.255.30
> >
> >     However, we have now observed:
> >     87.117.252.11/32     trustedprotection.com
> >     87.117.255.20/32     mail.yourprivacyguard.com, mail.storageprotector.com,
> >                          ns1.trustedprotection.com and mail.trustedprotection.com
> >     87.117.255.30/32     ns2.harddriveguard.com, ns2.trustedprotection.com
> >     87.117.255.38/32     *.trygpcbruger.com
> >     87.117.255.41/32     *.toolsicuro.com
> >     87.117.255.42/32     *.schijfbewaker.com
> >     87.117.255.47/32     *.harddriveguard.com
> >     87.117.255.52/32     *.erreurchasseur.com
> >     87.117.255.81/32     *.trustedprotection.com
> >     87.117.255.85/32     *.elmejorantivirus.com
> >     87.117.255.87/32     *.diskretter.com
> >     87.117.255.96/32     *.bestsellerantivirus.com
> >     87.117.255.98/32     *.exterminadordevirus.com
> >     87.117.255.124/32    *.pctoolpro.com
> >     87.117.255.158/32    *.confidentsurf.com
> >     87.117.255.185/32    *.cleanuptool.com
> >     87.117.255.218/32    *.gubbishremover.com
> >     87.117.255.226/32    *.yourprivacyguard.com
> >     87.117.255.250/32
> >
> >     Conclusion, RBN owns that block of 255 addresses.  So, we should
> >     always block it, as they are free to move domains in and out of that
> >     range at will."
> >
> >
> >     --
> >     James McQuaid
> >     http://www.jamesmcquaid.com
> >     _______________________________________________
> >     Emerging-sigs mailing list
> >     Emerging-sigs at emergingthreats.net
> >     <mailto:Emerging-sigs at emergingthreats.net>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
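An added example, not code from this thread or from Emerging Threats, that turns the two ideas discussed above into small defender-side helpers: `aggregate_blocks()` implements Jim's "catalogue their IP space and block it whether they have anything there or not" by blocking a whole prefix once enough distinct hosts have been seen in it, and `fast_flux_score()` is the kind of per-domain check the "script to check each domain to see if it's fast-flux'ed" would need. The IP/hostname table is taken from the quoted post; the DNS snapshots, the RFC 5737 addresses in them, and every threshold are constructed assumptions for illustration.

```python
# Added example (not from the thread). OBSERVED is the IP/hostname table quoted
# above; STATIC_SNAPSHOTS, FLUX_SNAPSHOTS and all thresholds are constructed
# assumptions, not measurements from the original posts.
import ipaddress
from collections import defaultdict

# Observed hostile /32s and the hostnames seen on them (from the quoted post).
OBSERVED = {
    "87.117.252.11": ["trustedprotection.com"],
    "87.117.255.20": ["mail.yourprivacyguard.com", "mail.storageprotector.com",
                      "ns1.trustedprotection.com", "mail.trustedprotection.com"],
    "87.117.255.30": ["ns2.harddriveguard.com", "ns2.trustedprotection.com"],
    "87.117.255.38": ["*.trygpcbruger.com"],
    "87.117.255.41": ["*.toolsicuro.com"],
    "87.117.255.42": ["*.schijfbewaker.com"],
    "87.117.255.47": ["*.harddriveguard.com"],
    "87.117.255.52": ["*.erreurchasseur.com"],
    "87.117.255.81": ["*.trustedprotection.com"],
    "87.117.255.85": ["*.elmejorantivirus.com"],
    "87.117.255.87": ["*.diskretter.com"],
    "87.117.255.96": ["*.bestsellerantivirus.com"],
    "87.117.255.98": ["*.exterminadordevirus.com"],
    "87.117.255.124": ["*.pctoolpro.com"],
    "87.117.255.158": ["*.confidentsurf.com"],
    "87.117.255.185": ["*.cleanuptool.com"],
    "87.117.255.218": ["*.gubbishremover.com"],
    "87.117.255.226": ["*.yourprivacyguard.com"],
    "87.117.255.250": [],
}

# Constructed DNS snapshots: (TTL in seconds, A records) from repeated lookups
# of one domain. The flux set uses RFC 5737 documentation addresses.
STATIC_SNAPSHOTS = [(86400, ["87.117.255.81"]), (86400, ["87.117.255.81"])]
FLUX_SNAPSHOTS = [
    (60, ["192.0.2.10", "198.51.100.7", "203.0.113.99"]),
    (60, ["192.0.2.44", "198.51.100.120", "203.0.113.3"]),
]


def aggregate_blocks(observed, prefix_len=24, min_hosts=3):
    """Return the CIDR strings to block.

    Observed IPs are bucketed by their /prefix_len network. A bucket holding at
    least min_hosts distinct addresses is returned as the whole network (the
    range is treated as attacker-controlled); sparser buckets fall back to /32s
    so a single sighting never blocks a range that may be shared hosting.
    """
    buckets = defaultdict(set)
    for ip in observed:
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        buckets[net].add(addr)
    blocks = []
    for net, addrs in buckets.items():
        if len(addrs) >= min_hosts:
            blocks.append(str(net))
        else:
            blocks.extend(f"{a}/32" for a in sorted(addrs))
    return sorted(blocks, key=ipaddress.ip_network)


def covering_supernet(observed):
    """Smallest single CIDR containing every observed address: the most
    aggressive variant, one rule for the whole allocation."""
    nets = [ipaddress.ip_network(f"{ip}/32") for ip in observed]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)


def fast_flux_score(snapshots, ttl_threshold=300):
    """Crude fast-flux heuristic over repeated A lookups for one domain.

    Features: short TTL (enables rapid churn), many distinct A records, and
    records spread across unrelated /16s. Two of three features flags the
    domain. Thresholds are illustrative assumptions.
    """
    ips, slash16s = set(), set()
    for _ttl, answers in snapshots:
        for a in answers:
            addr = ipaddress.ip_address(a)
            ips.add(addr)
            slash16s.add(ipaddress.ip_network(f"{addr}/16", strict=False))
    min_ttl = min(ttl for ttl, _ in snapshots)
    points = sum([min_ttl <= ttl_threshold, len(ips) >= 5, len(slash16s) >= 3])
    return {"distinct_ips": len(ips), "distinct_slash16": len(slash16s),
            "min_ttl": min_ttl, "fast_flux": points >= 2}


if __name__ == "__main__":
    for cidr in aggregate_blocks(OBSERVED):
        print("block", cidr)
    print("covering supernet:", covering_supernet(OBSERVED))
    print("static domain:", fast_flux_score(STATIC_SNAPSHOTS))
    print("flux domain:  ", fast_flux_score(FLUX_SNAPSHOTS))
```

With the thread's table, the .255 range has 18 distinct hosts and gets blocked as 87.117.255.0/24, while the lone 87.117.252.11 stays a /32; `covering_supernet()` would collapse both into 87.117.252.0/22, which is the trade-off Jim describes (blocking space the adversary may move into, at the cost of also covering addresses nobody has seen abused yet). The `min_hosts` knob is where a rule maintainer decides how much evidence a range needs before the whole prefix goes into the ruleset.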