New IP Address Blacklist Based On Web Chatter

itwbennett writes: A new approach to assembling blacklists analyzes chatter on the dark and open Web and can find malicious IP addresses that would have been missed using honeypots and intrusion detection systems, according to a report by security startup Recorded Future. On traditional blacklists, 99 percent of the addresses are for inbound activity, 'when someone is attacking your system from an external address,' said Staffan Truvé, chief scientist and co-founder at Recorded Future. On Recorded Future's new list, half of the addresses are for outbound activity, 'when an intruder is already in your systems, and is trying to connect to the outside world to exfiltrate data,' said Truvé. For example, Recorded Future identified 476 IP addresses associated with both the Dyreza and the Upatre malware families — only 41 of which were known to existing blacklists.

Re:Does this mean victims are being blacklisted?

The article doesn't come out clearly to state this, but I can't see them adding end users IPs to a black list, I suspect that are referring to the IP the infected machine is trying to send data TO, as opposed to the IPs that the attacks are originating from.

Think command an control network as inbound, it sends package updates and commands to the infected machine.
The infected machine then attempts to send data off to another server, likely not connected in any way to the C&C system. This outbound IP would be blockable.

But you can't block the users ip as it's likely a dynamic IP assigned by their ISP.

Then again you can argue that once you are infected, you should be blacklisted and that could be something to look into.

I read the article (not the full report) and they are talking about scanning tweets, chats, pastebins and other stuff looking for IPs / domains with at least 2 mentions of malware.

I find it hard to believe these IPs are end users machines.