The Rotterdam Library (Bibliotheek Rotterdam), one of the largest in the Netherlands, is deploying ThreatSTOP Botnet Defense Cloud atop a Juniper SRX 240H Services Gateway to keep the library's Wi-Fi network free from malware infestation. Before using ThreatSTOP, the library was regularly blacklisted by its ISP and its Internet service shut down due to recurring malware infestation. Now that ThreatSTOP is deployed, in a joint solution supported by Juniper, the library no longer has to constantly deal with trouble tickets and service interruptions due to malware.
ThreatSTOP has released ThreatCHECK, a free applet for Windows users to check what we know about the IP addresses their computer connects to. This is the most reliable way to determine who the computer is really talking to. ThreatCHECK will provide a report identifying which countries the IPs are in, and call out known botnet and malware sites along with detailed research about them. ThreatCHECK is easy to download and can be run in the background. To download: www.threatstop.com/threatcheck
Krueger Wholesale Florist, a Wisconsin-based distributor of fresh cut flowers, green plants and supplies to customers across nine states, has deployed an EdgeWave iPrism Web Security solution to four separate locations with hundreds of employees. One of the key reasons for EdgeWave's win was ThreatSTOP, whose botnet blocklist is integrated into the iPrism. This is often the case with EdgeWave, Simwood and other partners, where ThreatSTOP provides a key differentiator and value unavailable anywhere else.
Over at ZDNet, Ed Bott has a report on the ineffectiveness of anti-virus tools against current malware, where he notes that many AV vendors only detect it a day or two after it has been distributed, and that by then a new variant that they don't detect has also been sent out. In the IT security space, this is not exactly new news. In fact, here at ThreatSTOP we've been using similar statistics in our sales pitch for about a year now, and the AV vendors themselves admit they have a problem. If you ask them in private, that is.
As anyone who reads the technical, financial or even the general news is aware, May has not been a good month for Internet security. We started with Sony, which appears to have been comprehensively "PWNed" by one or more groups of criminals, and we end up with the news of Lockheed and PBS joining the list of victims. Needless to say, these news reports have led to a lot of our customers (and potential customers) asking whether ThreatSTOP's IP Reputation can save them.
Jeff Bardin has a post up on his CSO Online blog with a nice metaphor for data security, comparing it to vehicular traffic on highways. The metaphor comparing data to cars is pretty good (and not unique to the security space; lots and lots of traffic management and queuing strategies are well understood in terms of highways and cars), and I kind of like the way he suggests that a tool can just send 'red' (i.e. bad) cars for detailed inspection, etc.
Since the Internet is nearly out of IPv4 addresses, people are finally getting serious about using IPv6. As people start deploying IPv6 we will find new bugs and loopholes that crooks can exploit. Holes like this one, which mean that a bot on a network could act as the "man in the middle" for everyone else nearby.
Thanks to an email from one of the folks evaluating ThreatSTOP, I did a quick comparison check to see how much quicker ThreatSTOP is to report bad IP addresses. This is very important, as new, unknown IP addresses can wreak havoc until they are tracked down.
A brief aside: once an IP address becomes known as, say, a botnet C&C host, it will start to get blocked. In fact we quite often see IP addresses fall down the slippery slope of recidivism. First they start out as malware droppers or C&C hosts, then they become phishing sites or spammers, and finally they become recon bots searching for open ports and vulnerabilities in servers. The key to this progression is that the IP address gradually becomes better known as bad, and that the things it does first, when it is unknown, are the most dangerous to the Internet. Hence the quicker they are picked up, the quicker people can protect against them.
So, getting back to the responsiveness question. Our evaluator compared us to McAfee's Trusted Source (which is, BTW, an awesome resource) and noted that we appeared to report IP addresses faster. That is to say, we'd report an IP address as bad and then some time later Trusted Source would also report it as bad. Well, this was something that needed a bit of confirmation, so I took our current list of botnet C&C hosts and compared it with the list from 24 hours earlier. Of the 1911 IP addresses currently in that feed, 44 were new (I'll append the list to this post), and I checked all 44 with Trusted Source.
16 were either 'unverified' or 'minimal risk' for both web and email.
12 were listed as bad for email but either 'unverified' or 'minimal risk' for web.
6 were listed as bad for web but either 'unverified' or 'minimal risk' for email.
10 were listed as bad for both web and email.
Of the 22 that were listed as bad for email, and hence could be assumed to have history, ThreatSTOP knew about half (13) as being definitively bad, and 11 we had no knowledge of other than as botnet C&C. However, I'm unclear about the accuracy of McAfee's email rating, since a number of those (in fact it was probably all 11, but I gave up checking) had no email data graphs of history, so it seems likely that the email report was as fresh as the botnet one and probably related.
Finally, I did a sample of the 41 that were between 24 and 48 hours old, and McAfee's Trusted Source appeared to know about almost all of them as bad for web. That is to be expected.
So, to recap. 44 new addresses in 24 hours of the most dangerous sort on the Internet, that is, botnet C&C hosts. Of those, ThreatSTOP in fact already knew of 11, as did McAfee. We were blocking 16 that McAfee had no idea of. We blocked 6 at about the same time that McAfee knew about them, and 11 more may have been known by McAfee first, but not necessarily as botnet C&Cs.
I imagine I'll run this test again in a week or two to confirm this finding, but it looks like yes, ThreatSTOP is faster to identify bad IP addresses, and since they get automatically downloaded onto our subscribers' firewalls, far faster to provide protection against bots calling home with stolen data.
One of the ways that ThreatSTOP keeps our IP reputation feeds up to date is by processing the firewall logs of our subscribers to see what attacks they are currently experiencing. We also want to feed the data back to other security researchers, because we only mine the logs for certain information, and others will find other useful information in them if they can analyze them. However, there is a problem. Customers are usually unwilling to see their internal data distributed all over the place. Hence we've been looking for a way to reliably anonymize the data so that
The Register has an article today about how IPv6 will make (spam) blocklists fail. The article is correct that current DNSBL techniques, as developed by Paul Vixie & co, will struggle, but that doesn't in fact mean that IPv6 kills IP (or DNS) reputation; all it means is that the exact technique used by the current DNSBL solutions is not IPv6 compatible.