Interesting article on Analyzing DNS Logs Using Splunk, and on being able to identify when Splunk sees a DNS lookup for a known bad domain name.
Again, if you use our data as this article does, do not pull the zone file more than once every 12 hours or you will be banned. Better yet, check to see if the file has changed first (such as via a wget option) BEFORE pulling the zone file. And please DONATE if you consider the list useful. A year’s worth of donations does not even equal one month’s hosting and infrastructure costs, and we are not sure how much longer we can continue to pay these expenses out-of-pocket.
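As an added illustration of the "check whether the file changed before pulling it" advice (this is example code, not a script from the blocklist project): the fetcher below refuses to contact the mirror more than once per 12 hours, and when it does connect it sends an If-Modified-Since header so a server that supports conditional requests can answer 304 Not Modified instead of resending the whole zone file. The mirror URL, file names and state-file path are placeholders, and whether a given download mirror honours conditional requests is an assumption, not something the page states.

```python
import json
import os
import time
import urllib.error
import urllib.request

# The page's rule: never pull the zone file more often than once every 12 hours.
MIN_INTERVAL_SECONDS = 12 * 60 * 60


def may_attempt(last_attempt, now, min_interval=MIN_INTERVAL_SECONDS):
    """True if there was no previous attempt or at least min_interval seconds have passed."""
    return last_attempt is None or (now - last_attempt) >= min_interval


def conditional_headers(last_modified):
    """Header that lets the server answer 304 instead of resending an unchanged file."""
    return {"If-Modified-Since": last_modified} if last_modified else {}


def load_state(path):
    """Small JSON state file remembering when we last tried and what Last-Modified we saw."""
    if not os.path.exists(path):
        return {"last_attempt": None, "last_modified": None}
    with open(path) as f:
        return json.load(f)


def save_state(path, state):
    with open(path, "w") as f:
        json.dump(state, f)


def fetch_if_changed(url, dest, state_path, now=None):
    """Return 'skipped' (too soon), 'unchanged' (server said 304) or 'updated' (new file written)."""
    now = time.time() if now is None else now
    state = load_state(state_path)
    if not may_attempt(state["last_attempt"], now):
        return "skipped"
    # Record the attempt before the request so a failure still counts toward the interval.
    state["last_attempt"] = now
    req = urllib.request.Request(url, headers=conditional_headers(state["last_modified"]))
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            body = resp.read()
            state["last_modified"] = resp.headers.get("Last-Modified")
    except urllib.error.HTTPError as err:
        save_state(state_path, state)
        if err.code == 304:
            return "unchanged"
        raise
    with open(dest, "wb") as f:
        f.write(body)
    save_state(state_path, state)
    return "updated"


if __name__ == "__main__":
    # Placeholder URL: substitute one of the project's download mirrors.
    print(fetch_if_changed("https://MIRROR.example/zonefile.zone",
                           "zonefile.zone", "zonefile.state.json"))
```

Run it from cron as often as you like; the state file guarantees the mirror is contacted at most once per 12 hours regardless of the schedule, and an unchanged file costs the mirror only a 304 response.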
Log DNS queries and the client that requested them: It’s been said that DNS is the linchpin of the Internet. It’s arguably the most basic and underappreciated human-to-technology interface. It’s no different for malware. When you suspect that a device on your network has been compromised, it’s important to be able to see what the suspected device has been up to. The DNS logs of a compromised machine will quickly allow responders to identify other machines that may also be infected.
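To make the point concrete, here is an added example (not code from the page or the blocklist project) that does the matching the Splunk article describes, but as a stand-alone script: it reads a blocklist of bare domain names, walks BIND-style query log lines that record the requesting client, flags any query whose name equals or falls under a listed domain, and then groups the flagged clients per listed domain so responders can see which other machines talked to the same infrastructure. The blocklist entries and log lines are constructed, the log format is an assumption, and the domains are reserved example names rather than real ones.

```python
import re
from collections import defaultdict

# Constructed blocklist: one domain per line, '#' comments allowed (format assumed).
BLOCKLIST_TEXT = """\
# constructed sample entries, not real malware domains
evil-example.net
bad.example.org
"""

# Constructed BIND-style query log lines; the format is assumed for this example.
QUERY_LOG = """\
12-Mar-2012 10:15:02.123 client 10.0.0.15#51234: query: www.example.com IN A + (10.0.0.1)
12-Mar-2012 10:15:03.456 client 10.0.0.15#51235: query: update.evil-example.net IN A + (10.0.0.1)
12-Mar-2012 10:15:04.789 client 10.0.0.22#40001: query: EVIL-EXAMPLE.NET. IN TXT + (10.0.0.1)
12-Mar-2012 10:15:05.000 client 10.0.0.22#40002: query: notbad.example.org IN A + (10.0.0.1)
12-Mar-2012 10:15:06.000 client 10.0.0.31#40003: query: cdn.bad.example.org IN AAAA + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.:a-fA-F]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def load_blocklist(text):
    """Parse the blocklist into a set of lower-case domains without trailing dots."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domains.add(line.lower().rstrip("."))
    return domains


def matching_entry(qname, blocklist):
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Matching is done on label boundaries, so notbad.example.org does not
    match an entry for bad.example.org.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_hits(log_text, blocklist):
    """Return (client, queried_name, listed_domain) for every query that hits the list."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format we do not parse)
        listed = matching_entry(m.group("qname"), blocklist)
        if listed:
            hits.append((m.group("client"), m.group("qname").lower().rstrip("."), listed))
    return hits


def clients_by_listed_domain(hits):
    """Group the clients that queried each listed domain: the 'who else is infected' view."""
    grouped = defaultdict(set)
    for client, _qname, listed in hits:
        grouped[listed].add(client)
    return {domain: sorted(clients) for domain, clients in grouped.items()}


if __name__ == "__main__":
    hits = find_hits(QUERY_LOG, load_blocklist(BLOCKLIST_TEXT))
    for client, qname, listed in hits:
        print(f"{client} queried {qname} (listed: {listed})")
    for domain, clients in clients_by_listed_domain(hits).items():
        print(f"{domain}: {', '.join(clients)}")
```

The suffix walk in matching_entry is the important detail: resolvers log the full queried name, while the blocklist carries the registered domain, so an exact-string comparison would miss lookups like update.evil-example.net. A resolver's query log is also only useful for this if it records the client address, which is why the post stresses logging the requester and not just the name.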
We are proud to announce that virustotal has integrated our list into their URL scanning engine.
Since we don’t store full URLs, it’s in the “additional information” field. Thanks to the good folks at virustotal for making this happen!
Thanks to our volunteers, we have some scripts which will help to delist domains in a more timely manner as well as check domains previously delisted to see if they are once again misbehaving.
This last update added almost 75 domains, many of which were previously delisted.
More information about flamer. The graphic lists about 20 or so additional domains.
Looking for volunteers to help us maintain the blocklist. Things like writing perl programs (cygwin compatible) to compare the blocklist to Google’s Safe Browsing database, etc. No compensation except authorship credit, as well as knowing that your work will help in the never-ending fight against malware.
If you consider this blocklist useful, please consider donating money or sponsoring the list.
Interesting article found here…. From the abstract:
“…we present preliminary results from on-going experiments we are conducting to track the lifetime of malicious domains. Studying the lifecycles of malicious domain names will provide insight into the many classes of criminal networks that depend on DNS, and inspire the development of new, more effective countermeasures.”
- The number of resurrected domains gravitates around 200 every day, revealing a number of domains that are intermittently inactive, which could potentially be an evasion mechanism or a correlating characteristic of instability.
- Contrary to our intuition … many of the [malicious] domains are long-lived and more domains are being introduced than are dying.
We’ve noticed and tracked many of the “immortal” malware domains but haven’t done any research into “resurrected”, or intermittently inactive/active, domains. Hmmm
Again, we encourage research using our blocklists and have set up a mirror dedicated to open source projects and scholarly research. All we ask is that you let us know about such research.
Check your download scripts ASAP….
Too many users are STILL pointing to the main www site for the zone files, which have not been here for MONTHS…
PLEASE update your scripts to pull from one of the download mirrors. DO NOT point to the www (blog) site as there is nothing to download.
We realize there are problems with the Adblock Plus subscriptions. The issue is being looked at and should be resolved soon.