<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=439793516377641&amp;ev=PageView&amp;noscript=1">

Collateral Damage and IP Reputation

All IP reputation systems (and related filtering too for that matter) will tend to group similar things together under that assumption that if a number of them are definitely bad the rest probably are too. This isn't perfect but it generally works, as long as the system pays careful attention to corner cases to exclude any false positives.

Over the last couple of days there have been a couple of examples of this - one good, one bad. The bad one is a false positive that occurred on the Russian Business Network feed in which a perfectly harmless company was swept up in the suspicion that it was as bad as its neighbors. The problem in this case was that a quick look showed that it had some features similar to a malware site (multiple subdomains and sub-subdomains on the same host) and was in the same /24 subnet as a number of hosts that were indeed malware sites. Hence the RBN researchers decided to add the entire /24 subnet to their list.

In this case the benefit that ThreatSTOP provides of proactive whitelisting meant that when one of our customers complained, we could quickly add the affected hosts to our whitelist so that they were no longer blocked for our subscribers. And, subject to periodic checks to conform their goodness, they will remain that way so that if other analysts also decide to block the same /24 we will continue to carve out their addresses.

The other example is a minor issue that befell Sony Thailand. As if Sony didn't have enough to worry about, it seems that one of Sony Thailand's servers was infiltrated with malware and became a phishing site masquerading as an Italian bank. Now the interesting thing here (from an IP reputation standpoint) is that while www.sony.co.th and many other sony domains are hosted on Akamai's global network, the host in question (hdworld.sony.co.th) turns out to be hosted on by Thai ISP at 203.151.233.98. A quick check on the ISC's passive DNS database shows that this address is used by a number of Sony and non-Sony related sites as well:

3d.sony.co.th.    A    203.151.233.98
bloggie.sony.co.th.    A    203.151.233.98
bpex2009.sony.co.th.    A    203.151.233.98
bravia.sony.co.th.    A    203.151.233.98
dexdev.com.    A    203.151.233.98
diwmap.zg-zing.com.    A    203.151.233.98
dslr.sony.co.th.    A    203.151.233.98
feelmorepower.com.    A    203.151.233.98
handycam.sony.co.th.    A    203.151.233.98
hdworld.sony.co.th.    A    203.151.233.98
icrecorder.sony.co.th.    A    203.151.233.98
mail.nabaan.com.    A    203.151.233.98
ns3.readyspaces.net.    A    203.151.233.98
ns4.readyspaces.net.    A    203.151.233.98
salt.sony.co.th.    A    203.151.233.98
sframe.sony.co.th.    A    203.151.233.98
vaio.sony.co.th.    A    203.151.233.98
walkman.sony.co.th.    A    203.151.233.98
www.dexdev.com.    A    203.151.233.98
www.nabaan.com.    A    203.151.233.98
www.pantenestarsearch.com.    A    203.151.233.98
www.zg-zing.com.    A    203.151.233.98
youngcreative.sony.co.th.    A    203.151.233.98

I strongly suspect that in this case proximity led to the infection. That is to say that one of the other virtual hosts on the same server was compromised and then the attackers infected some or all of the other vhosts, including in this case one of Sony's. Ooops. And a great example of why IP reputation works. Ir really is likely that infections and malware spread to otherwise innocent bystanders.

Share this: