Slashdot Mirror


New IP Address Blacklist Based On Web Chatter

itwbennett writes: A new approach to assembling blacklists analyzes chatter on the dark and open Web and can find malicious IP addresses that would have been missed using honeypots and intrusion detection systems, according to a report by security startup Recorded Future. On traditional blacklists, 99 percent of the addresses are for inbound activity, 'when someone is attacking your system from an external address,' said Staffan Truvé, chief scientist and co-founder at Recorded Future. On Recorded Future's new list, half of the addresses are for outbound activity, 'when an intruder is already in your systems, and is trying to connect to the outside world to exfiltrate data,' said Truvé. For example, Recorded Future identified 476 IP addresses associated with both the Dyreza and the Upatre malware families — only 41 of which were known to existing blacklists.

4 of 31 comments

  1. Re:Does this mean victims are being blacklisted? by Penguinisto · · Score: 2

    Ostensibly, this would blacklist bots...

    Then again, if someone popped onto a random IRC server in the undernet, and started chatting about every IP address for windowsupdate.com...

    I am also curious as to how they handle DHCP, and if there's a timeout for the IPs listed?

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  2. Re:Does this mean victims are being blacklisted? by Anonymous Coward · · Score: 4, Interesting

    The article doesn't come out clearly to state this, but I can't see them adding end users' IPs to a blacklist; I suspect they are referring to the IP the infected machine is trying to send data TO, as opposed to the IPs that the attacks are originating from.

    Think command and control network as inbound: it sends package updates and commands to the infected machine.
    The infected machine then attempts to send data off to another server, likely not connected in any way to the C&C system. This outbound IP would be blockable.

    But you can't block the user's IP as it's likely a dynamic IP assigned by their ISP.

    Then again you can argue that once you are infected, you should be blacklisted and that could be something to look into.

    I read the article (not the full report) and they are talking about scanning tweets, chats, pastebins and other stuff looking for IPs / domains with at least 2 mentions of malware.

    I find it hard to believe these IPs are end users machines.
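The inbound (C&C) versus outbound (exfiltration destination) split described in the comment above, together with the DHCP/timeout question from the first comment, as an added example that is not Recorded Future's code and not taken from the article or the report: a toy chatter-derived blocklist that keeps an IP only when it has at least two malware-context mentions and its latest mention is still within a time-to-live, then matches the remote end of flow records against it while ignoring the local (victim) address. The chatter lines, the keyword lists, the 30-day TTL and the flow records are all constructed assumptions for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample "web chatter": (ISO timestamp, source, text). Not real data;
# the addresses are from the RFC 5737 documentation ranges.
CHATTER = [
    ("2015-03-01T10:00:00", "pastebin", "Dyreza C2 at 203.0.113.7 pushes configs to bots"),
    ("2015-03-02T11:00:00", "twitter", "seeing Dyreza beacons to 203.0.113.7 again"),
    ("2015-03-02T12:00:00", "irc", "Upatre dropper uploads stolen docs to 198.51.100.23"),
    ("2015-03-03T09:00:00", "twitter", "198.51.100.23 receiving exfil from Upatre victims"),
    ("2015-03-03T13:00:00", "irc", "windowsupdate.com resolves to 192.0.2.1, totally benign"),
    ("2015-01-01T00:00:00", "pastebin", "old Dyreza node 192.0.2.200"),
    ("2015-01-02T00:00:00", "pastebin", "192.0.2.200 still used by Dyreza"),
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed keyword lists; a real system would use a far richer classifier.
MALWARE_TERMS = {"dyreza", "upatre"}
OUTBOUND_TERMS = {"exfil", "upload", "uploads", "stolen"}   # where stolen data is sent
INBOUND_TERMS = {"c2", "c&c", "pushes", "commands"}          # command-and-control side


def extract_ips(text):
    """Return syntactically valid IPv4 addresses in text, dropping obvious junk."""
    found = []
    for candidate in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            continue
        found.append(str(addr))
    return found


def build_blocklist(chatter, now, min_mentions=2, ttl=timedelta(days=30)):
    """Aggregate malware-context mentions per IP into a blocklist.

    An IP is listed only if it appears in at least min_mentions texts that also
    name a malware family, and its most recent mention is within ttl of now, so
    addresses that get reassigned (DHCP) or abandoned age out of the list.
    Each entry records which role(s) the chatter attributes to the address.
    """
    entries = {}
    for ts, source, text in chatter:
        words = set(re.findall(r"[a-z0-9&]+", text.lower()))
        families = words & MALWARE_TERMS
        if not families:
            continue  # no malware context: the mention does not count
        seen = datetime.fromisoformat(ts)
        roles = set()
        if words & OUTBOUND_TERMS:
            roles.add("outbound")
        if words & INBOUND_TERMS:
            roles.add("inbound")
        for ip in extract_ips(text):
            e = entries.setdefault(ip, {"mentions": 0, "sources": set(), "families": set(),
                                        "roles": set(), "first_seen": seen, "last_seen": seen})
            e["mentions"] += 1
            e["sources"].add(source)
            e["families"] |= families
            e["roles"] |= roles
            e["first_seen"] = min(e["first_seen"], seen)
            e["last_seen"] = max(e["last_seen"], seen)
    return {ip: e for ip, e in entries.items()
            if e["mentions"] >= min_mentions and now - e["last_seen"] <= ttl}


def match_flows(blocklist, flows):
    """Compare the remote end of each flow (direction, local_ip, remote_ip) to the list.

    Only the remote address is looked up: the local side is the (possibly
    infected) host on a dynamic ISP address and is never itself listed.
    """
    hits = []
    for direction, _local, remote in flows:
        e = blocklist.get(remote)
        if e is not None:
            hits.append((direction, remote, ",".join(sorted(e["families"]))))
    return hits


if __name__ == "__main__":
    now = datetime(2015, 3, 4)
    bl = build_blocklist(CHATTER, now)
    for ip, e in sorted(bl.items()):
        print(ip, e["mentions"], sorted(e["roles"]), sorted(e["families"]))
    flows = [("out", "10.0.0.5", "198.51.100.23"), ("out", "10.0.0.5", "192.0.2.1")]
    print(match_flows(bl, flows))
```

With the constructed input, 203.0.113.7 is listed as an inbound (C&C) address and 198.51.100.23 as an outbound exfiltration destination; 192.0.2.1 is never listed because its only mention carries no malware context, and 192.0.2.200 drops out because its last mention is older than the TTL. Raising the TTL brings it back, which is the knob the first comment asks about.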

  3. Quick! by BronsCon · · Score: 2

    Somebody create a piece of malware that connects to random IP addresses!

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  4. Re:Does this mean victims are being blacklisted? by BronsCon · · Score: 2

    It sounds to me like it's blacklisting the IPs being connected to. Easy to spoof, though, just have your malware connect to dozens of random IPs along with the few actual IPs you're using, then the list becomes so full of false positives that it is rendered useless.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.