DNS-BH – Malware Domain Blocklist

Top 50 Bad Hosts & Networks Q4 2011

HostExploit is pleased to present the Q4 2011 report on the Top 50 Bad Hosts and Networks, in collaboration with Russian security company Group-IB.

The final quarter of 2011 saw AS47583 Hosting Media move up to #1 Bad Host, having been well known in the Top 10 for some time. The Lithuanian-based host was found to be supporting some of the worst types of threats including several botnet-related activities such as Zeus as well as C&smp;C servers, exploit servers, phishing servers, malware and badware.

HostExploit analyzed all 39,796 publicly-advertised Autonomous Systems (including web hosts, commercial networks and registrars) with the results represented in a number of ways. Also included are features on the latest threats such as smartphone infections and the “Dirt Jumper” DDoS botnet.

---

We’ll be examining  domains living on AS47583 and other Bad Hosts and adding them to our blocklist,  but you should perform your own research and add them as appropriate.

A research paper using our data:

EFFORT: Efficient and Effective Bot Malware Detection – http://faculty.cs.tamu.edu/guofei/paper/Shin_Infocom12_EFFORT.pdf

Again, we encourage research using our data, but please let us know so we can reference it here.

Evidence:

• http://isc.sans.edu/diary.html?storyid=12304
• http://blog.dynamoo.com/2011/12/evil-network-revisited-specialist-ltd.html

From Dynamoo‘s Blog:

“but there is still not a legitimate site in sight. Most of the bad sites are currently on 194.28.114.102 but you should block access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255) if you can, because this range of IP addresses is nothing but trouble.”

http://www.tecca.com/news/2011/12/19/malware-atlanta-hospitals/

Malware forces Atlanta area hospitals to stop accepting patients

Two medical centers lose computer systems for four days, source of infection unknown

Accuvant LABS just published a “Browser Security Comparison”  [1], but also see [2].

The data from this site was one of the URL Blocklists used in Accuvant’s study.
We encourage research using this and other blocklists,  but please let us know when the article is published.

[1] http://www.accuvant.com/sites/default/files/images/webbrowserresearch_v1_0.pdf

[2]http://www.nsslabs.com/assets/noreg-reports/2011/The%20Browser%20Wars%20Just%20Got%20Ugly.pdf

According to this report, the domain registrar “about.us” is completely compromised with RFI (Remote File Inclusion) scripts  exploiting the WordPress TimThumb vulnerability.

At my “real job”,  I’m constantly getting push back from users,  ops people (netadmins sysadmins, etc) and developers about security.  For example:

• “This isn’t the pentagon”
• “We can’t do our work”
• “But it’s encrypted and the key is only by two different people”
• “You say it’s an security issue but we haven’t been hacked so far so how much of a risk can it be”

At first glance, of these statements seem valid and reasonable (especially when it’s presented to upper management).

When management comes to you with these statements,  these needs to be simple, concise answers (maybe two, for both technical and non-technical users)

How many of you have received these arguments from users?
What other arguments have you received?
How have you responded?   (especially if you “won” the argument and convinced the user and manager)

We’ll collect the responses and summarize. Email us at 12malware8domains789@32gmail33.com33 (remove numbers)