On the Kaspersky SecureList blog there's an interesting post about recent developments in the SpyEye malware. The blogger explains how SpyEye supports a plugin architecture and how he examined an interesting new plugin that downloads a Flash plugin for certain banking sites, which can then switch on the victim's webcam and stream the data back to the crooks.
CATEGORY ARCHIVES: russian-business-network
The Lookout Mobile Security blog posted a story about some new Android-based malware that seems to be set up as a fake driver update. This drive-by works the same way as classic ones do on Windows PCs (or Macs with Flashback malware): if an Android phone visits the infected website, it is redirected a couple of times before ending up at a place where it tries to download a new "update" that users are tricked into installing.
This morning I saw various reports of a new type of ransomware, masquerading as a fake Microsoft warning that your copy of Windows is invalid. I had a quick check and was unsurprised to note that ThreatSTOP subscribers were already protected.

Since ThreatSTOP is an IP reputation company, we naturally have a Google News feed on the topic of 'IP reputation'. Today, for some reason, it provided a link to the IP reputation page of the firewall vendor SonicWALL. Naturally I had to test the page out to see how well it did. I picked the 4 addresses currently listed on our home page as being the "worst of the web":
Many organizations are subject to government regulations such as ITAR or OFAC that prohibit any dealings with certain foreign nations. Many others have countries that they will not do business with for reasons of corporate policy, because of rampant piracy or fraud for example. However, with the Internet it isn't always clear where another computer is located, at least not from the domain name it reports or the place a user fills in as a contact address. This means that, wittingly or unwittingly, computers in any organization may be connecting with other computers in locations that they are legally forbidden to have any communication with.
There is some nasty Facebook-spread malware going around at the moment. F-Secure states that the malware infects users in the US and UK and affects both Mac and PC users.
All IP reputation systems (and related filtering too, for that matter) will tend to group similar things together under the assumption that if a number of them are definitely bad, the rest probably are too. This isn't perfect but it generally works, as long as the system pays careful attention to corner cases to exclude any false positives.
In an email discussion over the weekend (which was based in part on this post by Brian Krebs) about the distributors of malware, it was noted that much of it came from one particular AS - AS49469 Sa Nova Telecom Grup SRL. As is usually the case when I get this kind of email, I take a look at our database to see what we know about the subject. In this case I discovered that AS49469 is one of the 64 ASes whose IP address ranges are completely covered by one or more of our blocklists.

As those who visit our home page may have noticed, we have a section where we note the countries with the worst IP reputation. We divide it up between big countries and small ones, and determine the relative badness by calculating the proportion of the country's reported IP addresses that are bad.