[Emerging-Sigs] auto-domain creation

David Glosser david.glosser at gmail.com
Wed Mar 12 12:25:10 EST 2008


Seems like:

For the fast-flux stuff you can't block by IP but you can block by domain;
for the static stuff you can block by IP but you can't block by domain
(due to too many domains being created).


And one day the bad guys will code into some of their trojans
attempted contact to hundreds of fake domains, or contact to
thousands of real domains, just to DOS a honeypot/sandbox, and make
it more difficult to tease out the actual malware downloads...



On Wed, Mar 12, 2008 at 12:15 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> Ya, I didn't mean to imply that I didn't think RBN was running botnets.
> Just that the fast flux is botnet stuff, not related to their static
> nets. The static nets are info drops, the fake AV sites, and c&c for
> static trojans.
>
> The bot nets appear to be a different 'department' from the fraudulent
> software stuff to me. :)
>
> Matt
>
>
>
> David Glosser wrote:
> > I was under the impression
> > (http://rbnexploit.blogspot.com/2007/11/rbn-google-search-exploits.html)
> > that RBN is now using fast flux for their botnets.....
> >
> >
> >
> > On Wed, Mar 12, 2008 at 7:57 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> >
> >
> >     David Glosser wrote:
> >     > 1.  How often do these guys switch netblocks?
> >
> >     Jim can answer that better than I, but I'd say from watching Jim's work
> >     that the major move was after the wash post article. Since that major
> >     scattering it's been just additions for improved capacity.
> >
> >     > 2.  I guess none of these are fast-flux.
> >     > Is it best to concentrate on blocking the fast-flux domains rather
> >     than
> >     > "regular ones"
> >
> >     2 different issues. The fast flux stuff is botnet controllers, mostly
> >     (as far as I see) medium level to small time operators. RBN uses
> >     redundant dns and the like, but they're more into the static fraud, fake
> >     products stuff of late. Static websites, fake AV and antispyware, etc.
> >     Not fast flux for any of those. Does that correlate with what you're
> >     seeing, Jim?
> >
> >     > 3. Sounds like an interesting two-pronged strategy would be to
> >     block IPs
> >     > of "regular" RBN domains and domains themselves which are part of a
> >     > fast-flux botnet... Not sure what the easiest way to do this is
> >     besides
> >     > a script to check each domain to see if it's fast-flux'ed...
> >     >
> >
> >     We've got a version of that running behind the RBN ruleset and the
> >     compromised domains. RBN is the static nets. mostly what Jim is tracking
> >     and what shows up in the sandnet. The compromised is fast flux, storm
> >     major peers, and others that show up as just plain and obviously
> >     hostile.
> >
> >     We're working on better ways to track and to distribute the information
> >     though.
> >
> >     Matt
> >
> >
> >     >
> >     >
> >     >
> >     > On Tue, Mar 11, 2008 at 11:24 PM, Jim McQuaid <jim.mcquaid at gmail.com> wrote:
> >     >
> >     >     "One way to beat the RBN's auto-domain creation tactic is to
> >     catalogue
> >     >     their IP space and block it whether they have anything there
> >     or not.
> >     >     I've thought about this as a means to diminish the
> >     effectiveness of
> >     >     fast flux.  An example is at RapidSwitch, yesterday the RBN sigs
> >     >     blocked:
> >     >     87.117.252.11
> >     >     87.117.255.20
> >     >     87.117.255.30
> >     >
> >     >     However, we have now observed:
> >     >     87.117.252.11/32    trustedprotection.com
> >     >     87.117.255.20/32    mail.yourprivacyguard.com, mail.storageprotector.com, ns1.trustedprotection.com and mail.trustedprotection.com
> >     >     87.117.255.30/32    ns2.harddriveguard.com, ns2.trustedprotection.com
> >     >     87.117.255.38/32    *.trygpcbruger.com
> >     >     87.117.255.41/32    *.toolsicuro.com
> >     >     87.117.255.42/32    *.schijfbewaker.com
> >     >     87.117.255.47/32    *.harddriveguard.com
> >     >     87.117.255.52/32    *.erreurchasseur.com
> >     >     87.117.255.81/32    *.trustedprotection.com
> >     >     87.117.255.85/32    *.elmejorantivirus.com
> >     >     87.117.255.87/32    *.diskretter.com
> >     >     87.117.255.96/32    *.bestsellerantivirus.com
> >     >     87.117.255.98/32    *.exterminadordevirus.com
> >     >     87.117.255.124/32   *.pctoolpro.com
> >     >     87.117.255.158/32   *.confidentsurf.com
> >     >     87.117.255.185/32   *.cleanuptool.com
> >     >     87.117.255.218/32   *.gubbishremover.com
> >     >     87.117.255.226/32   *.yourprivacyguard.com
> >     >     87.117.255.250/32
> >     >
> >     >     Conclusion, RBN owns that block of 255 addresses. So, we should
> >     >     always block it, as they are free to move domains in and out of that
> >     >     range at will."
> >     >
> >     >
> >     >     --
> >     >     James McQuaid
> >     >     http://www.jamesmcquaid.com
> >     >     _______________________________________________
> >     >     Emerging-sigs mailing list
> >     >     Emerging-sigs at emergingthreats.net
> >     >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >     >
> >     >
> >     >
> >     >
> >
> >     --
> >     --------------------------------------------
> >     Matthew Jonkman
> >     Emerging Threats
> >     Phone 765-429-0398
> >     Fax 312-264-0205
> >     http://www.emergingthreats.net
> >     --------------------------------------------
> >
> >     PGP: http://www.jonkmans.com/mattjonkman.asc
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
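The two-pronged strategy discussed in this thread (block fast-fluxed names by domain, because their IPs churn; block static fraud hosting by netblock, because its domains churn) can be driven from passive DNS observations. The Python below is an added example and is not code from this list, from Emerging Threats or from any of the posters. The thresholds, all TTL values, the fast-flux sample domain (flux-example.test, resolving into RFC 5737 test networks) and the lone-static.test entry are constructed assumptions; the 87.117.x.x address/domain pairs are taken from Jim McQuaid's list quoted above.

```python
"""Classify observed domains as fast-flux or static and plan blocks.

Added example for the Emerging-sigs discussion above; not list or project code.
Thresholds and sample data are constructed assumptions for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One A-record answer seen for a domain (e.g. from a passive DNS feed)."""
    domain: str
    ip: str
    ttl: int  # seconds, as carried in the answer


# Assumed heuristics: many IPs across many /24s with short TTLs smells like
# fast flux; a handful of stable IPs with long TTLs is static hosting.
FLUX_MIN_IPS = 5
FLUX_MIN_PREFIXES = 3        # distinct /24 networks
FLUX_MAX_TTL = 300           # seconds
STATIC_CLUSTER_MIN_DOMAINS = 3  # distinct static domains before a /24 is blocked whole


def prefix24(ip: str) -> ipaddress.IPv4Network:
    """Return the /24 containing ip (strict=False masks the host bits)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def classify(observations):
    """Map each domain to 'fast-flux' or 'static' using the heuristics above."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    verdict = {}
    for domain, obs in by_domain.items():
        ips = {o.ip for o in obs}
        prefixes = {prefix24(o.ip) for o in obs}
        min_ttl = min(o.ttl for o in obs)
        is_flux = (len(ips) >= FLUX_MIN_IPS
                   and len(prefixes) >= FLUX_MIN_PREFIXES
                   and min_ttl <= FLUX_MAX_TTL)
        verdict[domain] = "fast-flux" if is_flux else "static"
    return verdict


def plan_blocks(observations):
    """Decide what to block, following the thread's reasoning.

    fast-flux  -> block the domain name (its IPs are victims that change hourly)
    static     -> block the hosting; when several static domains share one /24,
                  block the whole prefix so new domains moved into it are covered
    """
    verdict = classify(observations)
    flux_domains = sorted(d for d, c in verdict.items() if c == "fast-flux")

    prefix_domains = defaultdict(set)
    for o in observations:
        if verdict[o.domain] == "static":
            prefix_domains[prefix24(o.ip)].add(o.domain)
    clustered = {p for p, ds in prefix_domains.items()
                 if len(ds) >= STATIC_CLUSTER_MIN_DOMAINS}

    # Static hosts outside any cluster still get a per-IP block.
    single_ips = sorted(
        {o.ip for o in observations
         if verdict[o.domain] == "static" and prefix24(o.ip) not in clustered},
        key=ipaddress.ip_address)

    return {
        "block_domains": flux_domains,
        "block_prefixes": sorted(str(p) for p in clustered),
        "block_ips": single_ips,
    }


# Constructed sample feed. The 87.117.x.x pairs are from the quoted list; the
# TTLs, flux-example.test and lone-static.test are made up for this example.
SAMPLE = [
    Observation("trustedprotection.com", "87.117.252.11", 3600),
    Observation("trustedprotection.com", "87.117.255.81", 3600),
    Observation("yourprivacyguard.com", "87.117.255.226", 3600),
    Observation("harddriveguard.com", "87.117.255.47", 3600),
    Observation("trygpcbruger.com", "87.117.255.38", 3600),
    Observation("toolsicuro.com", "87.117.255.41", 3600),
    Observation("flux-example.test", "192.0.2.17", 60),
    Observation("flux-example.test", "198.51.100.23", 60),
    Observation("flux-example.test", "203.0.113.9", 60),
    Observation("flux-example.test", "192.0.2.200", 60),
    Observation("flux-example.test", "198.51.100.77", 60),
    Observation("flux-example.test", "203.0.113.150", 60),
    Observation("lone-static.test", "198.18.0.5", 3600),
]

if __name__ == "__main__":
    for kind, items in plan_blocks(SAMPLE).items():
        print(kind, items)
```

Run as a script it prints the fast-flux domain to block by name, 87.117.255.0/24 as the prefix to block whole (five static domains land in it), and the two static addresses that sit outside any cluster. The /24 granularity and the thresholds are deliberately simple; a production version would look at ASN and TTL history over days rather than a single snapshot.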


More information about the Emerging-sigs mailing list