IDS: [Suspected Spam]Re: Malicous Domains and IDS/IPS signatures

[Rishi Narang <psy.echo () gmail com>]

Hi Mayank,

IMHO, the blacklists should be regularly monitored. For product companies it is a little hard with the limited 
resources, so usually they club into a consortium or uses database available online. There are different database for 
different purposes like SenderBase for Spam Rules, MalwareDomain BH for Domain listing etc. With IDS/IPS we have no 
other choice then to block the target IP/Domain or analyze the malware HOST:/REFERRER: fields and keep a check of the 
domains it is visiting to download further binaries. If to keep harder checks we can actually analyze the binary 
install and runtime behaviors, and write rules accordingly. Capture the 'malware' specific patterns, and just not 
domains to stop its further activity.

But with time, as you mentioned the domains' activity keep on changing, and may need to be 'de-listed'. Recently 
MalwareDomain delisted some 3 domains - giveawayoftheday[dot]com; spb[dot]ru; Flashget[dot]com. I would say, if a site 
is initially listed due to a malware activity, and now, it is not serving any malware or is not active, let it be in 
BLACKLIST. There is no harm keeping a dead domain in the list. And, then if one fine day, a "legit", "good site" takes 
the place, then only on complete verification remove it from BLACKLIST. I mean a dead domain, can actually be a domain 
in a temporary dormant stage and may be hostile again!

Hope I answer your question!

--
Thanks & Regards,
Rishi Narang
Member, Evil Fingers
Vulnerability R&D Consultant, Third Brigade Labs
www.evilfingers.com | www.greyhat.in | www.thirdbrigade.com

... eschew obfuscation, espouse elucidation.

Tuesday, November 4, 2008, 12:07:57 PM, you wrote:


> Hi,
> Often we find while analyzing malwares or binaries, some malicious
> domains become inactive after some period of time.
> They may be active during initial period of activity, malwares when
> executed connecting to these domains, these domains then sending
> malicious files....binaries etc.....but just as soon as this information
> is being known or the behavior has been captured by IDS/IPS signatures
> blocking this domain, soon the domain itself become inactive.
> What do you feel should be the responsibility of IDS/IPS solution
> providers? I feel keeping track of such domains (live or down) in an
> automated manner may be one possibility, keeping a signature for some
> time as a measure of protection another. Also maintaining blacklists of
> these domains may be helpful.
> How should one handle such cases? Any ideas?
> Thanks & Regards,
> Mayank
> "DISCLAIMER: 
> This message is proprietary to iPolicy Networks-Security Products division of Tech Mahindra Limited and is intended 
> solely for the use of the individuals to whom it is addressed. It may contain privileged or confidential information 
> and should not be circulated or used for any purpose other than for what is intended. If you have received this 
> message in error, please notify the originator immediately. If you are not the intended recipient, you are notified 
> that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. iPolicy 
> Networks-Security Products division of Tech Mahindra Limited accepts no responsibility for loss or damage arising 
> from the use of the information transmitted by this email including damage from virus."

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------