ThreatSTOP blocking possible Conficker variant

Over the last couple of days we've seen an increasing number of outbound DNS queries to IP addresses on our block lists, principally ones on the DShield 4000 list. Since the destination servers are frequently in China and the subscribers have little to do with China, this looks unlikely to be genuine traffic. It is, however, somewhat suggestive of Conficker and other similar fast-flux DNS malware, which "call home" via a DNS lookup of a randomly generated subdomain of an otherwise apparently legitimate domain. The DNS lookup usually resolves to a fast-flux intermediary that communicates with the botmaster. The DNS server itself is generally not 'bad' per se, but it will be under the control of the cyber crooks, because they have to feed it zone changes so frequently that this level of activity would raise a flag at any legitimate DNS hosting service.


ThreatSTOP Blocks "HDD Plus" Malware Ads

As noted in various places, a malware provider managed to trick several ad distribution networks, such as DoubleClick, into distributing ads containing malware. The malware, "HDD Plus", pretends to detect hard disk errors on infected computers and suggests, in the same way that fake AV programs do, that the victim upgrade to a paid package that can 'fix' the problems.


ThreatSTOP & Vyatta combine to block bots

ThreatSTOP has been working with Vyatta to use the Vyatta Network OS as an enforcement agent against botnets, taking advantage of Vyatta's powerful iptables/ipset firewall, which can block traffic as long as it is given the right IP addresses. At ThreatSTOP, we provide those IP addresses as a real-time service that distributes an IP threat list via DNS directly to a Vyatta device (and other firewalls), enabling them to block all traffic to and from known botnet and malware sites.


IP Reputation and the Limits of Metaphors

Our fellow security professionals at Damballa have written a pretty good explanation of IP reputation and the benefits of applying it. Since our business at ThreatSTOP is to provide IP reputation, perhaps we should ask them to write more of our copy... However, while the article as a whole is good, there are a few places where I think it could be improved.
