Using DNS Logs As a Security Information Source:
Interesting article on Analyzing DNS Logs Using Splunk: being able to identify whether Splunk sees a DNS lookup for a known bad domain name.
Again, if you use our data as this article does, do not pull the zone file more than once every 12 hours or you will be banned. Better yet, check to see whether the file has changed first (such as via a wget option) BEFORE pulling the zone file. And please DONATE if you consider the list useful. A year's worth of donations does not even equal one month's hosting and infrastructure costs, and we are not sure how much longer we can continue to pay these expenses out-of-pocket.
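The polling rule above (at most one pull per 12 hours, and only if the file changed) can be enforced client-side. The following is an added example, not malwaredomains.com's own tooling: it refuses to fetch while the local copy is under 12 hours old, and when it does fetch it sends an If-Modified-Since header built from the local file's mtime so an unchanged file comes back as a 304 with no transfer. `ZONE_URL` is a placeholder, not the real file location; `wget -N` (timestamping) or `curl -z <file>` achieve the same conditional download from a shell.

```python
"""Added example (not malwaredomains.com's code): refresh a local copy of the
blocklist file at most once every 12 hours, using a conditional GET so an
unchanged file is not re-downloaded. ZONE_URL is a placeholder."""
import email.utils
import os
import time
import urllib.error
import urllib.request

ZONE_URL = "https://example.invalid/placeholder-blocklist.zone"  # placeholder, not the real URL
MIN_INTERVAL_SECONDS = 12 * 3600  # the site's stated minimum polling interval


def should_refetch(path, now=None, min_interval=MIN_INTERVAL_SECONDS):
    """True if PATH is missing or its mtime is at least MIN_INTERVAL seconds old."""
    now = time.time() if now is None else now
    try:
        age = now - os.path.getmtime(path)
    except FileNotFoundError:
        return True
    return age >= min_interval


def build_conditional_request(url, path):
    """GET request carrying If-Modified-Since derived from the local file's mtime.

    A server that honours the header answers 304 Not Modified (no body) when its
    copy is not newer, which is what "check first, then pull" means over HTTP.
    """
    req = urllib.request.Request(url)
    if os.path.exists(path):
        stamp = email.utils.formatdate(os.path.getmtime(path), usegmt=True)
        req.add_header("If-Modified-Since", stamp)
    return req


def fetch_if_changed(url=ZONE_URL, path="blocklist.zone", now=None):
    """Returns 'skipped' (too soon), 'unchanged' (server said 304) or 'updated'."""
    if not should_refetch(path, now):
        return "skipped"
    req = build_conditional_request(url, path)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            data = resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 304:
            # Record that we checked, so the next attempt waits another 12 hours.
            # (Assumes client and server clocks are roughly in sync.)
            os.utime(path, None)
            return "unchanged"
        raise
    # Write atomically so a half-written file is never read as the blocklist.
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)
    return "updated"


if __name__ == "__main__":
    # Real use would point ZONE_URL at the published file; the placeholder host
    # does not resolve, so this only shows the call shape.
    print(fetch_if_changed())
```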
Log DNS queries and the client that requested them: It's been said that DNS is the linchpin of the Internet. It's arguably the most basic and underappreciated human-to-technology interface. It's no different for malware. When you suspect that a device on your network has been compromised, it's important to be able to see what the suspected device has been up to. The DNS logs of a compromised machine will quickly allow responders to identify other machines that may also be infected.
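The two steps described above (flag lookups of known bad domains, then use the suspected host's queries to find other infected clients) fit in one short script. This is an added example, not code from the Splunk article or from malwaredomains.com: the log lines approximate a BIND 9 query log and are constructed, as is the two-entry blocklist. Matching walks up the parent labels of each query name, so a lookup of `cdn.bad-domain.test` is caught by a blocklist entry for `bad-domain.test`; in Splunk the same comparison would be a lookup against the blocklist loaded as a CSV lookup table.

```python
"""Added example (not the article's or malwaredomains.com's code): match DNS
query logs against a domain blocklist, then pivot from one suspected host to
other clients that resolved the same flagged names. All input is constructed."""
import ipaddress
import re

# Constructed BIND 9-style query log lines: timestamp, client IP#port, qname, qtype.
SAMPLE_QUERY_LOG = """\
01-Feb-2020 10:15:02.001 client 10.0.0.5#53211 (www.example.com): query: www.example.com IN A + (10.0.0.1)
01-Feb-2020 10:15:07.120 client 10.0.0.5#53212 (cdn.bad-domain.test): query: cdn.bad-domain.test IN A + (10.0.0.1)
01-Feb-2020 10:16:40.555 client 10.0.0.9#40011 (bad-domain.test): query: bad-domain.test IN A + (10.0.0.1)
01-Feb-2020 10:17:01.009 client 10.0.0.22#40012 (mail.example.org): query: mail.example.org IN MX + (10.0.0.1)
01-Feb-2020 10:18:33.777 client 10.0.0.31#51000 (update.evil-c2.test): query: update.evil-c2.test IN A + (10.0.0.1)
01-Feb-2020 10:19:00.000 client 10.0.0.5#53213 (evil-c2.test): query: evil-c2.test IN TXT + (10.0.0.1)
"""

# Constructed blocklist: one domain per line, '#' comments allowed (not the real list's format).
SAMPLE_BLOCKLIST = """\
# constructed sample, not the real list
bad-domain.test
evil-c2.test
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+)#\d+ \(\S+\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def load_blocklist(text):
    """Set of lowercased domains, trailing dots and comment lines removed."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def parse_query_log(text):
    """List of {ts, client, qname, qtype} dicts; lines that do not parse are skipped."""
    queries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].lower().rstrip(".")
            queries.append(rec)
    return queries


def matches_blocklist(qname, blocklist):
    """Return the blocklisted domain that qname equals or sits under, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_hits(queries, blocklist):
    """Every query whose name matches the blocklist, with the entry it matched."""
    hits = []
    for q in queries:
        matched = matches_blocklist(q["qname"], blocklist)
        if matched:
            hits.append({**q, "matched": matched})
    return hits


def pivot_from_host(queries, blocklist, host):
    """Other clients that queried any flagged domain the suspected host queried.

    This is the responder's pivot: a confirmed infection's DNS activity gives a
    set of indicator domains, and every other client resolving them is a lead.
    """
    flagged = {h["matched"] for h in find_hits(queries, blocklist) if h["client"] == host}
    others = {
        h["client"]
        for h in find_hits(queries, blocklist)
        if h["client"] != host and h["matched"] in flagged
    }
    return sorted(others, key=ipaddress.ip_address)


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    qs = parse_query_log(SAMPLE_QUERY_LOG)
    for h in find_hits(qs, bl):
        print(f"{h['ts']} {h['client']} -> {h['qname']} (blocklist: {h['matched']})")
    print("pivot from 10.0.0.5:", pivot_from_host(qs, bl, "10.0.0.5"))
```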
Occasionally this list is used as part of research into malware and domain security. Please drop us a note if you find such a reference in an article or presentation; if you are the author, let us know.
Two papers we’ve become aware of:
Understanding the Prevalence and Use of Alternative Plans in Malware with Network Games – http://www.cc.gatech.edu/~ynadji3/docs/pubs/gzaraid2011.pdf
A Demonstration of DNS3: a Semantic-Aware DNS Service – http://iswc2011.semanticweb.org/fileadmin/iswc/Papers/PostersDemos/iswc11pd_submission_106.pdf
Today, we’re happy to announce Google Safe Browsing Alerts for Network Administrators — an experimental tool which allows Autonomous System (AS) owners to receive early notifications for malicious content found on their networks. A single network or ISP can host hundreds or thousands of different websites. Although network administrators may not be responsible for running the websites themselves, they have an interest in the quality of the content being hosted on their networks. We’re hoping that with this additional level of information, administrators can help make the Internet safer by working with webmasters to remove malicious content and fix security vulnerabilities.
To get started, visit safebrowsingalerts.googlelabs.com.
F-Secure has just published a list of swine flu-related domains. You can be sure some will be used for spam or to serve up malware:
Obviously, use extreme caution when accessing these sites or clicking on links in emails related to the swineflu.
You may want to caution your users about clicking on these links or proactively add them to your own blocklist. Domains will only be added here once they have been verified to be malicious.
MaraDNS has a reputation as one of the most secure DNS servers available.
Alexander Clouter <alex – at – digriz.org.uk> has created a script to create MaraDNS compatible zone files. It’s located at http://www.malwaredomains.com/files/createmaradns-pl.txt (change the extension to .pl). Please try it out and give us feedback. Thanks to Alexander for his hard work!
Search on www.xssed.com and make sure your site is not listed as a site vulnerable to cross-site scripting (XSS)*
*Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. (Source: http://en.wikipedia.org/wiki/Cross-site_scripting)
66 domains were deleted due to duplicates or false positives. Check out the “diff” file in the http://www.malwaredomains.com/files directory for more details.