Archive for the 'Monitoring & Reporting' Category

AMaDa Discontinued, Palevo Tracker With A New Home

As announced on Twitter last month, the abuse.ch Malware Database (AMaDa) was discontinued on 2012-03-17.

Since my announcement on Twitter to discontinue AMaDa, I received several dozen emails from IT security representatives of ISPs, national CERTs as well as governmental and non-governmental organisations that were using AMaDa’s blocklist to identify compromised computers within their networks. I have to say that I was quite amazed at how many people used AMaDa’s blocklist. However, I’m unable to answer all these emails due to lack of time, hence I decided to publish a short statement on my blog.

AMaDa was launched in 2010; since then it has analysed 169’545 URLs serving malware and 160’183 malicious binaries, and identified 1’685 malware botnet controllers associated with all kinds of Trojans (like Mebroot, TDL/TDSS, Carberp, BlackEnergy, Ramnit and many more).

In February 2011, I started Palevo Tracker as a sub-project of AMaDa. Palevo Tracker’s blocklist was served together with the AMaDa IP and domain blocklists.

Running and maintaining the tracking infrastructure (ZeuS-, SpyEye- and Palevo Tracker) is very time-intensive, and it also creates a lot of “background noise” (sometimes I think I need a secretary to handle all the emails and requests). Hence I was prevented from blogging as much as I would have liked to last year. Unfortunately, every day only has 24 hours, and due to personal circumstances as well as my focus on other (non-public) projects I’m no longer able to provide AMaDa’s data / information with good enough quality. I always serve data and information on a “best effort” basis, and as I’m no longer able to commit to that for AMaDa I’ve decided to discontinue the project (please keep in mind that all these projects are done in my spare time).

I’m aware that this is bad news for many of you, but fortunately I also have some good news. This weekend I moved Palevo Tracker onto new infrastructure. I decided to keep Palevo Tracker running as a “new” project. Since AMaDa is gone, Palevo Tracker has found a new home on its own subdomain:

Palevo Tracker (including its blocklists) can be found at https://palevotracker.abuse.ch

If you are using one of AMaDa’s blocklists, please make sure that you stop querying them, as they are no longer available. If you want to keep identifying Palevo botnet C&Cs, please switch to one of the blocklists available on Palevo Tracker’s Blocklist page.


Cybercriminals Moving Over To TLD .su

During the past few years the Top Level Domain (TLD) .ru has been heavily abused by cybercriminals. According to ZeuS Tracker, .ru was one of the most abused TLDs for hosting ZeuS botnet controllers.

The Top Level Domain .ru is managed by the Coordination Center for TLD RU (cctld.ru). CCTLD.ru finally did its job well and addressed the reputation problem TLD .ru had by setting up new terms and conditions for the registration of .ru domain names, which came into force on November 11, 2011.

One of the most interesting parts of the new terms and conditions is the following passage:

5.7. The Registrar may terminate the domain name delegation upon the receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet, should the petition contain information about the domain’s information addressing system being used for:

  1. receipt from third parties (users of the system) of confidential information by misleading these persons regarding its origin (authenticity) due to similarity of the domain names, design or content of the information (phishing);
  2. unauthorized access to third parties’(users, visitors) information systems or for infecting these systems with malware or taking control of such software (botnet control);

[…]

In fact this means that a registrar can terminate a domain name when it is being used for phishing attacks or to control a botnet. However, there is one part which seems to be not well defined:

“[…] receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet”

I’m asking myself what the definition of “organization indicated by the Coordinator as a competent one to determine violations in the Internet” might be. As we all know there are many security vendors and non-profit organisations out there which do a great job in tracking down malicious and fraudulent content. Will registrars accept takedown requests received from such parties? I don’t know…

However, what I can say so far is that the number of fraudulent .ru domains used by ZeuS botnet herders decreased at the beginning of 2012. I can also see that malicious .ru domains which are being added to ZeuS Tracker have a much shorter life span. While malicious .ru domains used to stay active for several weeks or months in the past, they are now getting nuked much faster (mostly within 4 to 24 hours). That’s great news for the internet community!

Unfortunately, we all know that there is a never-ending cat and mouse game between the security industry / infosec community and cybercriminals. Criminals have already noticed that their domains are getting shut down much faster. So they started to look for another TLD to use for their dirty business and found one that has nearly been forgotten: the TLD .su.

For those of you who don’t know: .su is (or should I say was) the Top Level Domain for the Soviet Union, which, as we all know, doesn’t exist any more. Nevertheless, TLD .su (which is operated by RIPN) is still active today, which means that people can still register domain names under it. As of today I’m seeing an increasing number of malicious .su domains being used by botnet herders. In fact this means that the criminals seem to be switching from .ru to .su.

Since the Soviet Union no longer exists and I rarely see legitimate .su domains, I think it’s a good idea to block .su on the network edge (web proxies / content filtering systems). If you are operating a gateway in your company / network, you should take the time and have a look at your logs. If you don’t see any legitimate .su domains being hit/used in your company, simply block it.
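The log check and the resulting block rule, as an added example that is not abuse.ch code and not part of the original post. It assumes a Squid proxy: the log lines are constructed in Squid's native access.log format (timestamp, elapsed, client, action/code, size, method, URL, user, hierarchy/peer, type), and the generated rule uses Squid's `dstdomain` ACL syntax, where a leading dot matches the domain and all its subdomains. All host names and client addresses are made up. The script counts every request to a .su host, records which internal clients made them (those clients are the ones to look at before blocking), and renders a deny rule, optionally preceded by an allow rule for any .su hosts you decide are legitimate:

```python
"""Check proxy logs for .su traffic before blocking the TLD at the gateway.

Added example (not abuse.ch code). Assumes Squid's native access.log format
and Squid ACL syntax; the log lines and host names below are constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access.log lines (Squid native format, assumed):
# timestamp elapsed client action/code size method url user hierarchy/peer type
SAMPLE_LOG = """\
1330000001.123    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1330000002.456     95 10.0.0.7 TCP_MISS/200 734 GET http://cnc.example.su/gate.php - DIRECT/192.0.2.10 text/html
1330000003.789     80 10.0.0.5 TCP_MISS/200 1024 GET http://update.example.su:8080/bin.exe - DIRECT/192.0.2.11 application/octet-stream
1330000004.012    300 10.0.0.9 TCP_MISS/200 2048 CONNECT mail.example.ru:443 - DIRECT/198.51.100.5 -
1330000005.345     60 10.0.0.7 TCP_MISS/200 512 GET http://cnc.example.su/gate.php - DIRECT/192.0.2.10 text/html
garbage line that does not parse
"""


def host_of(url_field, method):
    """Extract the destination host from the URL field.

    CONNECT requests log "host:port" rather than a full URL, so they need
    separate handling; everything else is parsed as a URL.
    """
    if method == "CONNECT":
        host = url_field.rsplit(":", 1)[0]
    else:
        host = urlsplit(url_field).hostname or ""
    return host.lower().rstrip(".")


def tld_of(host):
    """Return the rightmost label of a host name ('' if it has no dot)."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def parse_line(line):
    """Parse one access.log line into client, method and host; None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "method": fields[5],
            "host": host_of(fields[6], fields[5])}


def find_tld_hits(log_text, tld="su"):
    """Count hits per host under the given TLD and record which clients made them.

    Returns (Counter{host: hits}, {host: set(client_ips)}).
    """
    hits = Counter()
    clients = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or tld_of(rec["host"]) != tld:
            continue
        hits[rec["host"]] += 1
        clients.setdefault(rec["host"], set()).add(rec["client"])
    return hits, clients


def squid_block_acl(tld="su", allowlist=()):
    """Render squid.conf lines denying a whole TLD, with optional allowed hosts.

    A leading dot in a dstdomain ACL matches the domain and all of its
    subdomains. The allow rule must come before the deny rule, since Squid
    applies the first matching http_access line.
    """
    lines = []
    if allowlist:
        lines.append("acl allowed_%s dstdomain %s" % (tld, " ".join(allowlist)))
        lines.append("http_access allow allowed_%s" % tld)
    lines.append("acl blocked_tld dstdomain .%s" % tld)
    lines.append("http_access deny blocked_tld")
    return "\n".join(lines)


def report(log_text, tld="su"):
    """Human-readable summary: which hosts under the TLD were hit, and by whom."""
    hits, clients = find_tld_hits(log_text, tld)
    out = ["%d request(s) to .%s hosts" % (sum(hits.values()), tld)]
    for host, n in hits.most_common():
        out.append("  %-30s %3d hit(s) from %s"
                   % (host, n, ", ".join(sorted(clients[host]))))
    return "\n".join(out)


if __name__ == "__main__":
    # Review the report first: hosts nobody can vouch for are block candidates,
    # and the clients that talked to them deserve a closer look.
    print(report(SAMPLE_LOG))
    print()
    print(squid_block_acl())
```

Run it against a real access.log by replacing `SAMPLE_LOG` with the file's contents. The proxy rule only covers traffic that actually passes through the proxy; hosts that resolve and connect directly will need the same block at the resolver or firewall.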

Follow me on Twitter:
https://twitter.com/abuse_ch
