In the past year, there was a lot of discussion about Secure Sockets Layer (SSL). More service providers and internet users started using SSL for access to various services. But not only regular internet users and internet services have been using SSL encryption more. Cybercriminals also rely on SSL more often in order to bypass IDS / IPS based detection mechanisms and content scanners.
A while ago I started to play a bit with an open source intrusion detection / prevent system (IDS / IPS) called Suricata, which is being developed and maintained by the Open Information Security Foundation (OISF). A cool feature that Suricata comes with is an SSL/TLS module which is able to fingerprint SSL/TLS certificates. Since some malware families switched from plain HTTP to HTTPS recently, I decided to maintain and publish a collection of SHA1 fingerprint associated with bad SSL certificates.
Introducing: SSL Blacklist (SSLBL)
The goal of SSLBL is to provide a list of bad SHA1 fingerprints of SSL certificates that are associated with malware and botnet activities. Currently, SSLBL provides an IP based and a SHA1 fingerprint based blacklist in CSV and Suricata rule format (see SSLBL for more information). SSLBL helps you in detecting potential botnet C&C traffic that relies on SSL, such as KINS (aka VMZeuS) and Shylock. Happy malware hunting!
Follow abuse.ch on Twitter: