ThreatSTOP 4.10 Release Notes

ThreatSTOP 4.10 Release Includes:


A new threat metadata section has been added to the Check IOC results page

  • New metadata details have been added to provide deeper context around an IP address or domain that ThreatSTOP blocks. The new section is toward the bottom of the Check IOC results page, below the Passive DNS section.
  • This metadata framework will be used to deliver additional contextual information about IOCs in future releases.

Beta release of the REST API v4.0

  • ThreatSTOP has released its next-generation REST API 4.0 to beta. The new API delivers a full range of services to manage accounts, devices, policies, user-defined lists and more.
  • ThreatSTOP is announcing end-of-life for the legacy ThreatSTOP API by the end of December 2016; no new feature enhancements are planned for it. ThreatSTOP will continue to maintain the legacy API's existing functionality and provide bug fixes and security patches. Customers and partners integrating with the legacy API are strongly encouraged to contact ThreatSTOP for information on moving to REST API 4.0.

ThreatSTOP public website upgraded from CheckIP to the improved Check IOC

  • ThreatSTOP has upgraded the publicly available CheckIP research tool to the more robust Check IOC research suite. Check IOC lets users check both IP addresses and domains and delivers richer results. Users of this free tool are encouraged to sign up for a free trial account to access the fully featured version of Check IOC, which delivers more metadata, passive DNS and a host of additional intelligence.

New Security Policy Target added: DNSTunnel IP Global List

  • A new policy target has been added containing IP addresses observed performing DNS tunneling. Adding this target to your policy protects your network from IPs known to tunnel data through a DNS server, a technique that slips past firewall rules which permit DNS. Attackers frequently use it for data exfiltration.
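Blocking known tunneling endpoints by IP is the policy-side control; the other half is spotting tunneling from your own resolver logs. The detector below is an added example (not ThreatSTOP code, and not how the DNSTunnel target is built): it runs the usual heuristics over DNS query logs, namely long labels, high-entropy subdomains, payload-carrying record types (TXT/NULL) and many unique names under one base domain from one client, and only flags a client/domain pair when a payload signal coincides with at least one other signal. The one-line-per-query log format and the sample entries are constructed for the example; the two-label base-domain approximation is an assumption that a production version would replace with a public-suffix list.

```python
"""Heuristic DNS-tunnelling detector over resolver query logs (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample log: an ordinary client (10.0.0.5) and a client (10.0.0.9)
# pushing data through long, high-entropy labels under one base domain.
SAMPLE_LOG = """\
2016-11-10T12:00:01Z client=10.0.0.5 qname=www.example.com qtype=A
2016-11-10T12:00:02Z client=10.0.0.5 qname=mail.example.com qtype=MX
2016-11-10T12:00:03Z client=10.0.0.9 qname=3q7ab9x0k2mzt5vr8wl1pd6hj4ny0cs2.c0ff33d00d.t.tun-example.net qtype=TXT
2016-11-10T12:00:03Z client=10.0.0.9 qname=9f2kd8ml4xzq1rwv7tpb5n0ce3sy6ag7.c0ff33d01e.t.tun-example.net qtype=TXT
2016-11-10T12:00:04Z client=10.0.0.9 qname=lz81qmx4k2r9vpd7wt3sb6yh5nc0ef2q.c0ff33d02f.t.tun-example.net qtype=TXT
2016-11-10T12:00:04Z client=10.0.0.9 qname=x5r2mq9zk1w7pv3dl8tb4n6cy0hs3fe9.c0ff33d030.t.tun-example.net qtype=NULL
2016-11-10T12:00:05Z client=10.0.0.5 qname=cdn.example.com qtype=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)")
SUSPICIOUS_QTYPES = {"TXT", "NULL", "CNAME"}  # record types tunnels use to carry payload
MAX_LABEL_LEN = 30            # a single label longer than this is rarely human-chosen
MIN_ENTROPY = 3.5             # bits/char; words are ~3, base32/base64 data is 4+
MIN_UNIQUE_SUBDOMAINS = 3     # distinct names under one base domain from one client


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname, levels=2):
    """Registrable-domain approximation: the last `levels` labels (assumption; use a PSL in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def parse_line(line):
    """Parse one constructed log line into (client, qname, qtype) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype").upper()


def score_query(qname, qtype):
    """Reasons a single query looks like tunnelling (empty list when it does not)."""
    reasons = []
    base = base_domain(qname)
    sub = qname[: -len(base)].rstrip(".")
    labels = [l for l in sub.split(".") if l]
    if any(len(l) > MAX_LABEL_LEN for l in labels):
        reasons.append("long_label")
    if sub and shannon_entropy(sub.replace(".", "")) >= MIN_ENTROPY:
        reasons.append("high_entropy")
    if qtype in SUSPICIOUS_QTYPES:
        reasons.append("qtype_" + qtype)
    return reasons


def detect_tunnels(log_text):
    """Aggregate per (client, base domain); return {pair: sorted reasons} for flagged pairs."""
    per_pair = defaultdict(lambda: {"names": set(), "reasons": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        client, qname, qtype = parsed
        entry = per_pair[(client, base_domain(qname))]
        entry["names"].add(qname)
        entry["reasons"].update(score_query(qname, qtype))
    findings = {}
    for pair, e in per_pair.items():
        if len(e["names"]) >= MIN_UNIQUE_SUBDOMAINS:
            e["reasons"].add("many_unique_subdomains")
        # require a payload signal plus at least one corroborating signal
        payload = {"long_label", "high_entropy"} & e["reasons"]
        if payload and len(e["reasons"]) >= 2:
            findings[pair] = sorted(e["reasons"])
    return findings


if __name__ == "__main__":
    for (client, base), reasons in detect_tunnels(SAMPLE_LOG).items():
        print(f"{client} -> {base}: {', '.join(reasons)}")
```

Run on the sample, only 10.0.0.9 talking to tun-example.net is flagged; 10.0.0.5 queries three names under example.com but trips no payload signal. Expect CDN and anti-malware vendors to generate legitimately high-entropy names, so tune thresholds against your own baseline before alerting.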

The aging process for the MS ISAC security policy target has been modified

  • The MS ISAC threat target has been modified to remove IoC entries that have not appeared in the feed for 7 days. This change is expected to reduce the total IoC count in the target and further reduce the chance of false positives.
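The aging rule is simple but has one edge case worth getting right: an indicator that drops out of the feed and then reappears must get a fresh 7-day clock, not be removed on the old schedule. The class below is an added example of that logic (not ThreatSTOP's implementation); the daily feed pulls it replays are constructed so that one IoC persists and two disappear after the second day, which is enough to show why aging keeps the target smaller than accumulating everything ever seen.

```python
"""Age out IoCs that have been absent from a feed for a fixed window (added example)."""
from datetime import datetime, timedelta

AGE_OUT = timedelta(days=7)   # window from the release note


class AgingTarget:
    """A policy target whose entries expire AGE_OUT after the feed last contained them."""

    def __init__(self, age_out=AGE_OUT):
        self.age_out = age_out
        self.last_seen = {}   # ioc -> timestamp of the most recent pull containing it

    def ingest(self, feed_entries, now):
        """Record one feed pull at time `now`; return the IoCs expired by this pull."""
        for ioc in feed_entries:
            self.last_seen[ioc] = now          # reappearance resets the clock
        expired = sorted(ioc for ioc, seen in self.last_seen.items()
                         if now - seen >= self.age_out)
        for ioc in expired:
            del self.last_seen[ioc]
        return expired

    def active(self):
        """Sorted list of IoCs currently in the target."""
        return sorted(self.last_seen)


def simulate(pulls, age_out=AGE_OUT):
    """Replay (timestamp, entries) pulls; return (count with aging, count without aging)."""
    aged = AgingTarget(age_out)
    everything = set()
    for when, entries in pulls:
        aged.ingest(entries, when)
        everything.update(entries)
    return len(aged.active()), len(everything)


# Constructed 14-day pull history: 192.0.2.1 is reported every day,
# 192.0.2.2 and 198.51.100.5 only on the first two days.
START = datetime(2016, 11, 1)
PULLS = [(START + timedelta(days=d),
          ["192.0.2.1"] + (["192.0.2.2", "198.51.100.5"] if d < 2 else []))
         for d in range(14)]

if __name__ == "__main__":
    print("active with aging / without aging:", simulate(PULLS))
```

After the replay the aged target holds one entry while an accumulate-only set holds three; the two stale addresses were dropped on day 8, seven days after their last appearance.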

Buzz: Going to RSA 2017? Stop by and see us at booth 2714.

Houdini’s RAT Is No Disappearing Act


For most creators of Trojans and worms, the only attribution comes from security researchers; although these individuals are not known in person, some of them are known and active in the cybercriminal scene. One such “celebrity cybercriminal” goes by the alias Houdini and has been reported under the name ‘Mohamed Benabdellah’. Houdini is believed to be based in Algeria and to be connected to ‘njq8’ (aka ‘Naser Al Mutairi’), the developer of other RATs such as njRAT and njw0rm.

RATs by Houdini have been reported since 2013; the earliest, H-w0rm, was reported by FireEye. H-w0rm is written in VBScript and also has an AutoIt version. In the version analyzed, the VBS file was obfuscated with multiple layers of standard Base64 encoding (Safa Crypter). H-w0rm acts as a RAT: it logs keystrokes, records sound through the user’s microphone, captures photos through the webcam and updates itself on the infected host. Its C&C communication uses Dynamic DNS hostnames over HTTP.
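Layered Base64 is a weak obfuscation precisely because it can be peeled mechanically: find the largest Base64-looking blob, decode it, and repeat until what comes out no longer contains one. The script below is an added example of that loop, not ThreatSTOP's code and not a reproduction of Safa Crypter; the `Execute Decode("...")` wrapper and the inner stub with a host/port pair are constructed so the sample can be built and unpacked offline, and `extract_c2()` is specific to that constructed stub.

```python
"""Peel nested Base64 layers off an obfuscated script (added example)."""
import base64
import binascii
import re

# Constructed innermost payload standing in for a RAT script's C&C settings.
INNER_SCRIPT = 'host = "example-rat.ddns-host.invalid"\r\nport = 1177\r\nExecute "..."'

# Runs of Base64 alphabet at least 16 chars long, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def b64(text):
    """Encode text as a Base64 string."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_sample(layers=3):
    """Wrap INNER_SCRIPT in `layers` Base64 layers inside a constructed VBS-style decoder stub."""
    script = INNER_SCRIPT
    for _ in range(layers):
        script = f'Execute Decode("{b64(script)}")'
    return script


def try_b64decode(blob):
    """Return the decoded UTF-8 text for a valid Base64 blob, else None."""
    try:
        data = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def peel(script, max_layers=32):
    """Repeatedly decode the largest Base64 blob; return (innermost text, layers removed)."""
    layers = 0
    current = script
    while layers < max_layers:
        blobs = B64_RE.findall(current)
        if not blobs:
            break
        decoded = try_b64decode(max(blobs, key=len))
        if decoded is None:
            break                       # largest blob is not real Base64: we are at the bottom
        current = decoded
        layers += 1
    return current, layers


def extract_c2(script):
    """Pull (host, port) from the deobfuscated constructed stub; None where absent."""
    host = re.search(r'host\s*=\s*"([^"]+)"', script)
    port = re.search(r'port\s*=\s*(\d+)', script)
    return (host.group(1) if host else None,
            int(port.group(1)) if port else None)


if __name__ == "__main__":
    inner, n = peel(build_sample(3))
    print(f"removed {n} layers; C&C = {extract_c2(inner)}")
```

Real samples mix Base64 with string reversal, character substitution or XOR between layers, so the `try_b64decode` step is where those transforms get inserted; the loop structure stays the same. Cap `max_layers` so a crafted sample cannot keep you decoding forever.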

Both ThreatSTOP IP Firewall Service and DNS Firewall Service customers are protected from “Houdini’s RAT\H-w0rm” if they enable the TS Critical targets in their policies.

Don’t Pony Up Your Data to Fareit


Fareit, also known as Pony, is a data-stealing Trojan that can decrypt or otherwise recover stored passwords for over 110 applications, including VPN, FTP, email and instant-messaging clients, web browsers and much more. It can also steal a victim’s Bitcoin wallets. Once it has collected the data, Fareit uploads the stolen credentials to a remote command-and-control (C2) server under the criminal’s control. Fareit is especially dangerous because an infected computer can be made part of a botnet and used to infect further devices.

A typical attack starts with a phishing email carrying a malicious attachment. One of the most concerning aspects of Fareit/Pony is that its source code is freely available for download online, meaning that anyone with the right knowledge and motivation can use it to set up a botnet.

Detected as early as 2011, Fareit is not a new threat. It started as a malware downloader but has evolved into its current form over time. Recently, Fareit has spread through spam email campaigns that use MIME HTML (MHTML) files, a format normally used to archive web pages.

ThreatSTOP customers are protected from Fareit/Pony if they have the TS Critical targets enabled in their policies.

DNS Firewall: What Is It & Why Should You Have One?


What’s DNS? 

Simply put, DNS is the GPS of the internet. This massive distributed directory takes easy-to-remember domain names and translates them into the not-so-easy-to-remember IP addresses that devices actually connect to. Why is it such a big deal? Your device reaches a website only through its IP address; DNS is what lets a browser turn a name into a connection, which makes it a core component of how the internet functions.

Obviously, protecting this lookup is critical. If malware gets into your network through a gap in its defenses, it can take down your whole environment and everything that depends on it. The most infamous recent example is the DDoS attack on Dyn, a DNS hosting provider: attackers used a botnet of compromised devices to flood Dyn’s name servers with more queries than they could answer, so the sites that relied on Dyn for name resolution, including Twitter and Amazon, became unreachable. That attack shows just how much a stable, secure internet depends on DNS.

Got It. Sounds Serious. So, How Can We Protect It?

How does malware turn thousands of devices into a botnet? Threat actors look for any open door (or slightly cracked window) into your network, scanning and probing it for weak points. If a breach can start with a simple phishing email or an accidental click on an infected web page, how do you take control? Enter the DNS firewall. It sits in the DNS resolution path and refuses to resolve names known to be malicious, cutting off outbound connections to attacker infrastructure before they are made. Nearly every interaction on the web starts with a DNS lookup, and malware that cannot resolve its command-and-control servers cannot send your data to them. It is a simple solution to a vital problem.

ThreatSTOP’s DNS Firewall Service delivers curated threat intelligence into user-defined policies enforced on your DNS server, stopping connections to known-bad infrastructure before they start. Sounds cool, but how does it actually work? You always have the latest intelligence: our security research is integrated into the platform automatically. Your existing DNS server becomes your DNS firewall with no added hardware or software. It is compatible with Windows Server 2016 and scales to protect your entire network, whatever its size.
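To make the mechanism concrete, here is an added example (not ThreatSTOP's implementation) of the two decisions a resolver-side DNS firewall makes for every query: whether the name or any parent of it is on the block list (with a user-defined allow entry taking precedence), and whether the answer returned by the upstream resolver points into a blocked network. The policy data and the `UPSTREAM` table standing in for real resolution are constructed. `rpz_records()` renders the same policy in Response Policy Zone (RPZ) syntax as used by BIND; that ThreatSTOP delivers policy as RPZ is an assumption of this example, not something the post states.

```python
"""Model of a resolver-side DNS firewall policy decision (added example)."""
import ipaddress

# Constructed policy. A blocked domain covers all of its subdomains.
BLOCKED_DOMAINS = {"evil-c2.invalid", "phish.example"}
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.7/32")]
ALLOWED_DOMAINS = {"safe.phish.example"}     # user-defined exception inside a blocked zone

# Constructed stand-in for upstream resolution (qname -> A records).
UPSTREAM = {
    "www.example.com": ["192.0.2.10"],
    "evil-c2.invalid": ["203.0.113.7"],
    "cdn.legit.example": ["198.51.100.9"],   # unlisted name whose answer is in a blocked /24
    "x.safe.phish.example": ["192.0.2.20"],
}


def domain_verdict(qname):
    """Walk from the full name up through its parents; the most specific listed suffix wins."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in ALLOWED_DOMAINS:
            return "allow"
        if suffix in BLOCKED_DOMAINS:
            return "block"
    return "pass"


def answer_verdict(addresses):
    """Block when any returned address falls inside a blocked network."""
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_NETS):
            return "block"
    return "pass"


def resolve(qname, upstream=UPSTREAM):
    """Return the (rcode, answers) the firewall hands back to the client."""
    verdict = domain_verdict(qname)
    if verdict == "block":
        return "NXDOMAIN", []      # name never resolves: malware gets no C2 address
    answers = upstream.get(qname.rstrip(".").lower(), [])
    if verdict != "allow" and answer_verdict(answers) == "block":
        return "NXDOMAIN", []      # unlisted name, but it points into blocked address space
    return ("NOERROR" if answers else "NXDOMAIN"), answers


def rpz_records():
    """The same policy as RPZ resource records: 'CNAME .' means NXDOMAIN, rpz-passthru. means allow."""
    records = []
    for d in sorted(ALLOWED_DOMAINS):
        records.append(f"{d} CNAME rpz-passthru.")
        records.append(f"*.{d} CNAME rpz-passthru.")
    for d in sorted(BLOCKED_DOMAINS):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    for net in BLOCKED_NETS:
        # response-IP trigger: <prefixlen>.<reversed network address>.rpz-ip
        rev = ".".join(reversed(str(net.network_address).split(".")))
        records.append(f"{net.prefixlen}.{rev}.rpz-ip CNAME .")
    return records


if __name__ == "__main__":
    for name in ("www.example.com", "evil-c2.invalid", "cdn.legit.example", "x.safe.phish.example"):
        print(name, "->", resolve(name))
    print("\n".join(rpz_records()))
```

Returning NXDOMAIN is the quiet option; many deployments instead answer with a sinkhole address so that the blocked connection attempt shows up in firewall logs and can be traced back to the infected host. Order matters in the walk: the allow exception must be tested before the parent block entry, or the exception never fires.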

When the University of Baltimore wanted to strengthen its security while keeping its open, academic sharing network, it used ThreatSTOP’s DNS Firewall Service for a little more peace of mind. A university’s open environment is a natural gateway for cyber-attacks, so security is a major concern.

“ThreatSTOP eliminated manual blacklisting and remediation, reducing help desk tickets related to malware by 90%,” said Mike Conners, IS Analyst at the University of Baltimore.

In our IoT world, these threats are the new reality. Every machine and device is vulnerable – We just need to take the right steps to protect them, prevent a costly breach and sleep a little better at night.

If you’re interested in learning more about ThreatSTOP’s DNS Firewall Service, please contact us for more information or a free trial.

Sweeten Your Security with Honey



Here at ThreatSTOP, we know the threat landscape is ever-changing. With that in mind, we’re always searching for data sources that keep our customers safe and informed.

Using data updated daily from Dr. Jose Nazario, a researcher with the Honeynet Project (you can read about the project and its work on its website), we have created a new target called “Honeypot feeds.” These feeds defend against incoming attacks on the following platforms: SSH, Telnet, Apache, phpMyAdmin and WordPress.

The separate honeypots have their own targets in ThreatSTOP’s policy editor (in expert mode), with the ability to block each one individually.

We highly recommend updating your policies to include these new targets.

“Book of Eli” Malware

It has recently been reported that several African countries are amongst the most targeted by malware attacks and cybercriminals. One can speculate that this trend is driven by relatively low user awareness of cyber-security practices in these regions.

The malware named “Book of Eli”, discovered by ESET, has mainly targeted Libyan entities. It was first discovered back in 2012 and is known for being distributed via social networks such as Twitter and Facebook: the attackers use compromised profiles to post links to malicious downloads. The operators also use spear-phishing emails with malicious attachments.

Depending on the campaign, this malware is deployed in versions that differ in functionality. “Book of Eli” has been known to log keystrokes, collect information from browsers, record sound through the user’s microphone, take desktop screenshots, capture photos through the webcam, and collect information on the operating system and antivirus software installed on the compromised machine.

Infected nodes exfiltrate the collected data over SMTP and communicate with the C&C servers over HTTP.

Both ThreatSTOP IP Firewall Service and DNS Firewall Service customers are protected from “Book of Eli” if they enable the TS Critical targets in their policies.

Security Update – 11/10/2016

Three new allow lists were added to the ThreatSTOP Policy Builder. The following allow lists can be found under the “Allow” tab in the “Inbound Attacks (Servers)” category:

  • Monitoring Service IPs

IP addresses for the NodePing website/server monitoring service. If you subscribe to NodePing, these IPs should be allowed; if you do not, they can be used by malicious individuals to track your online status. The addresses in this feed were provided by

  • Website Monitoring Service, IPs

IP addresses for the StatusCake website/server monitoring service. If you subscribe to StatusCake, these IPs should be allowed; if you do not, they can be used by malicious individuals to track your online status. The addresses in this feed were provided by

  • Website Monitoring Service

IP addresses for the UptimeRobot website/server monitoring service. If you subscribe to UptimeRobot, these IPs should be allowed; if you do not, they can be used by malicious individuals to track your online status. The addresses in this feed were provided by

These targets are also available under the “Block” tabs for adding to a policy. For users who do not subscribe to NodePing, StatusCake or UptimeRobot, blocking these IPs may make sense, since they could be abused to scan networks for vulnerabilities ahead of an outright attack.
