Over the last couple of days we've seen an increasing number of outbound DNS queries to IP addresses on our block lists, principally to ones on the DShield 4000. Since the destination servers are frequently in China and the subscribers have little to do with China, this looks unlikely to be genuine traffic. It is, however, somewhat suggestive of Conficker and other similar fast-flux DNS malware, which "call home" via a DNS lookup to some randomly generated subdomain of an otherwise apparently genuine domain. The DNS lookup (usually) resolves to a fast-flux intermediary that communicates with the botmaster. The DNS server itself is generally not 'bad' per se, but it will be under the control of the cyber crooks, because they have to feed it zone changes so frequently that this level of activity would raise a flag at any legitimate DNS hosting service.
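The pattern described above, outbound DNS queries to block-listed resolvers carrying random-looking subdomains, can be picked out of firewall logs with a short script. The following is an added example, not ThreatSTOP's or DShield's code; the log line format, the client addresses and the block list (TEST-NET ranges standing in for real feed entries) are all constructed for illustration.

```python
"""Flag clients that send DNS queries to block-listed destination IPs.

Added example (not ThreatSTOP's or DShield's code). Log format, client
addresses and block list are constructed; TEST-NET ranges stand in for
real feed entries.
"""
import ipaddress
import math
import re
from collections import Counter, defaultdict

# Constructed block list in CIDR form, standing in for a DShield-style feed.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed outbound DNS log lines: client -> resolver:53 plus the queried name.
SAMPLE_LOG = """\
src=10.0.0.5 dst=192.0.2.53 dport=53 qname=www.example.com
src=10.0.0.5 dst=203.0.113.9 dport=53 qname=qx7zk2p9ha.example.org
src=10.0.0.5 dst=203.0.113.14 dport=53 qname=b3n8t4w1yq.example.org
src=10.0.0.7 dst=198.51.100.7 dport=53 qname=mail.example.net
src=10.0.0.9 dst=192.0.2.53 dport=53 qname=cdn.example.com
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) qname=(\S+)")

def is_blocklisted(ip):
    """True when the address falls inside any block-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)

def label_entropy(name):
    """Shannon entropy (bits/char) of the leftmost label; generated names score high."""
    label = name.split(".")[0].lower()
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def analyse(log_text, entropy_threshold=3.0):
    """Return {src: {"hits": n, "suspicious_names": [...]}} for clients whose
    port-53 queries went to block-listed destinations."""
    report = defaultdict(lambda: {"hits": 0, "suspicious_names": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(3) != "53" or not is_blocklisted(m.group(2)):
            continue
        src, qname = m.group(1), m.group(4)
        report[src]["hits"] += 1
        if label_entropy(qname) >= entropy_threshold:
            report[src]["suspicious_names"].append(qname)
    return dict(report)

if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```

A client that both talks to a block-listed resolver and asks for high-entropy labels (10.0.0.5 above) is the one worth a closer look; a single hit with an ordinary hostname (10.0.0.7) is more likely a misconfigured resolver setting.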
As noted in various places, a malware provider managed to trick various ad distribution networks such as DoubleClick into distributing ads containing malware. The malware "HDD Plus" pretends to detect hard disk errors on infected computers and suggests, in the same way that fake AV programs do, that the victim upgrade to a paid package that can 'fix' the problems.
ThreatSTOP has been working with Vyatta to use the Vyatta Network OS as an enforcement agent against botnets, taking advantage of Vyatta's powerful iptables/ipset firewall, which can block traffic if it has the right IP addresses. At ThreatSTOP, we provide those IP addresses as a real-time service that distributes an IP threat list via DNS directly to a Vyatta device (and other firewalls), enabling them to block all traffic to and from known botnet and malware sites.
Our fellow security professionals at Damballa have written a pretty good explanation of IP reputation and the benefits of applying it. Since our business at ThreatSTOP is to provide IP reputation, perhaps we should ask them to write more copy... However, while the article as a whole is good, there are a few places where I think it could be improved.