This weekend we have put our new log-parsing and reporting code into production. The new code significantly increases our speed of log parsing (by about two orders of magnitude) and it provides a lot more help to help our users research what particular blocked threats were caused by. As product manager I am very pleased to say that it is a massive improvement over the previous stuff but, for our existing users, there are a couple of niggles.

Over the last couple of days we've seen an increasing number of outbound DNS queries to ip addresses on our block lists - principally to ones on the DShield 4000. Since the destination servers are frequently in China and the subscribers have little to do with China this looks unlikely to be genuine traffic. It is however somewhat suggestive of Conficker and other similar fastflux DNS malware which "call home" via a DNS lookup to some randomly generated subdomain of an otherwise apparently genuine domain. The DNS lookup resolves (usually) to a fastflux intermediary that communicates with the botmaster, The DNS server itself is generally not 'bad' per se but it will be under the control of the cyber crooks because they have to feed it the zone changes so frequently and this level of activity would raise a flag in any legitimate DNS hosting service.

Recently I blogged that we had added the abuse.ch ZeuS Tracker botnet list as a block list source. Last week we confirmed that it worked by seeing that our customers had connections to addresses on that list that were blocked by ThreatSTOP, and which came from systems later confirmed to be infected.

A recent column by John Dix in Network World paints a rather depressing picture of the state of the Internet when it comes to malware. Mr Dix points out that there are millions of compromised computers (bots) out there and that while network security people can block some of the worst there are a lot that they cannot block because these other threats are quiet enough to not be detected by current IPS/IDS etc. devices. His essential claim is that we just have to assume that every network is penetrated and/or vulnerable to penetration by cyber-criminals. The article quotes various security professionals as stating that the dangerous bot attacks are stealthy and slow moving with the attack gradually building up to its most serious level over a period of days or even weeks.

Yesterday I guest blogged at Control Global about remediation steps for process automation networks and I've been thinking some more about the topic.