Why blacklist? Why configure your firewall to drop traffic to a domain name, IP address or IP address range? Before we go any further, you would be better served by a “whitelist” of network destinations that people are expected to visit. An analysis of DNS lookup history would be useful here.
When implementing a blacklist, particularly a third party’s blacklist service, implement a whitelist that includes yourself (your own IP range, your own domain name). Don’t inadvertently blacklist yourself. This could be a very real and difficult-to-explain denial of service.
A blacklist adds further protection to your already firewalled, already limited attack surface by not allowing known malicious sources near it.
- Blacklisting is a measure to avoid future, previously undetected attacks (so-called “zero-day” attacks). This is a “fool me once, shame on you; fool me twice shame on me” approach to defense.
- Blacklisting is a measure to reduce current detected alerts. The goal should be to investigate every alert. Blacklisting avoids reviewing repeated alerts.
Among the addresses to blacklist:
67.205.131.14 (trashypretty.com) (e.g., ads.trashypretty.com/Adserve_cpx160.html, ads.trashypretty.com/Adserve_cpx300.html) detected initially as “Possible_Hifrm-2”, later as “Mal_Hifrm-2”, now as “HTML_IFRAME.ACN”. We don’t need to keep seeing these alerts; we don’t need to see the next evolution of malware hosted at this location. Block access to the ads served up by trashypretty.com.
The increasing use of fast-flux DNS is NOT an excuse to ignore blacklisting. An inexpensive and inadequate measure can be part of your layered security. The fact that a domain name resolves to one IP address at one time and a different IP address at another time means the domain name should be blacklisted and IP addresses it has used should be logged. Consider blacklisting ranges of IP addresses that appear in this log. Shun ISPs that willingly provide havens for malware.
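As an added example (not part of the original post) of the logging step just described, and of the earlier advice to whitelist yourself: a small Python helper that reads a resolver log, records every address a blacklisted domain has resolved to, suggests /24 ranges that recur, and skips any answer that falls inside your own address ranges. The log line format, the sample log and the two-hit threshold are assumptions.

```python
"""Fast-flux-aware blacklist review helper (added example, not from the post).

Assumed resolver log format (constructed): '<timestamp> <client> <qname> A <answer>'.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: the blacklisted domain resolves to a different
# address at different times (fast-flux); one answer lands in our own range.
SAMPLE_LOG = """\
2009-03-01T10:00:01 10.1.1.5 traff.funnystories.ru A 203.0.113.10
2009-03-01T11:30:07 10.1.1.9 traff.funnystories.ru A 203.0.113.77
2009-03-01T13:02:45 10.1.1.5 traff.funnystories.ru A 198.51.100.4
2009-03-01T13:05:00 10.1.1.2 traff.funnystories.ru A 192.0.2.55
2009-03-02T08:15:13 10.1.1.7 www.example.org A 93.184.216.34
"""


def review_blacklist(log_text, blacklist, own_ranges, range_hits=2):
    """Return (ips_by_domain, ranges_to_consider, skipped).

    ips_by_domain: every address each blacklisted domain resolved to, first-seen order.
    ranges_to_consider: /24 networks holding >= range_hits logged addresses
      (candidates for range blocking; a human still decides).
    skipped: answers inside our own ranges, which must never be blocked.
    """
    own = [ipaddress.ip_network(r) for r in own_ranges]
    ips_by_domain = defaultdict(list)
    skipped = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue  # ignore malformed lines and non-A records
        _ts, _client, qname, _rtype, answer = parts
        domain = qname.lower().rstrip(".")
        # match the domain itself or any subdomain of a blacklisted name
        if not any(domain == b or domain.endswith("." + b) for b in blacklist):
            continue
        if any(ipaddress.ip_address(answer) in net for net in own):
            skipped.append((domain, answer))  # whitelist wins over blacklist
            continue
        if answer not in ips_by_domain[domain]:
            ips_by_domain[domain].append(answer)
    counts = defaultdict(int)
    for ips in ips_by_domain.values():
        for a in ips:
            counts[str(ipaddress.ip_network(a + "/24", strict=False))] += 1
    ranges = sorted(n for n, c in counts.items() if c >= range_hits)
    return dict(ips_by_domain), ranges, skipped
```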
See Malware Domain List for a long list of network locations known to host malware. Consider blocking entire top level domains (TLDs) such as Cameroon. Also see Fighting Back and Business Continuity for examples showing how ISPs and government agencies take down some of the most blatantly malicious network participants, if they have been active for years. They have constraints that you do not have. Don’t wait for them to step in; protect yourself.
Exercise some prudence when blacklisting. A visit to [http:]//www.tamilbeat.com/ (“Your quality source for daily Tamil MP3s”) used to automatically include a visit to [http:]//traff.funnystories.ru/img/in.php?adv=1. traff.funnystories.ru hosted malware (detected as JS_PSYME.ANT). You would blacklist traff.funnystories.ru. You might also blacklist tamilbeat.com if you find they cannot keep their site secure. This “legitimate web site hosts link to malware” scenario is very common.
You can, and probably should, farm out the blacklist maintenance task. Implementing a product like Purewire Web Security Service provides this function, as well as many more useful features. Major anti-virus software vendors offer their blacklist or “cloud security” service; McAfee has “TrustedSource,” Trend Micro has WebReputation, AVG has a malicious URL datafeed. As part of your malware follow-up (as described in Fellow Malware Travelers), use the attack source information to enhance your blacklist.
If you implement a vendor’s blacklist service, or if your own blacklist service becomes expansive, expect users to trust and rely upon the service. Trend Micro has reported that their Smart Protection Network indicates a huge surge in blocked threats. The surge could be due to an increase in blocked destinations or mechanisms (such as legitimate web sites) that forward to blocked destinations, but could also be attributed to disregarding safe browsing practices.
