Why Blacklist Destinations?

If you know the neighborhood is not safe, you don’t go there. That’s common sense in the brick and mortar world, but not standard practice when dealing with the virtual world. You should avoid unsafe neighborhoods in both aspects of the real world.

If “blacklist” has negative connotations, substitute the phrase “IP and DNS Reputation Service.” Note that mechanisms to specify IP address (IPv4 and IPv6) and DNS address will be required.

You would be better served by a “whitelist” of network destinations that people are expected to visit. An analysis of DNS lookup history would be useful here. Review what people actually connect to. Implement a whitelist of mission critical destinations before implementing a measure which may deny them access to mission critical applications. Don’t forget to include your corporate network within your whitelist.

When implementing a blacklist, particularly a third party’s blacklist service, implement a whitelist that includes yourself (your own IP range(s) and your own domain name(s)). Do not inadvertently blacklist yourself. This could produce a very real and difficult to explain denial of service.

Block outbound traffic to prevent:

  • Botnet Trojan downloads
  • Malware, spyware, and worm downloads
  • Access to botnet CnC sites
  • “Phone home” behavior from infected machines (zombies)
  • Access to phishing sites
  • Information disclosure

Block inbound traffic to prevent:

  • Spam and phishing emails
  • DDoS attacks from botnet hosts
  • Web application attacks from botnet hosts

Blacklists are an accepted approach to reducing unsolicited commercial email (“spam”). Blacklisting HTTP traffic has less acceptance. Why not drop unsolicited commercial network traffic? When implemented as a third party URL filter or reputation filter, a blacklist of HTTP traffic has growing acceptance (and goes by the vague name “cloud-based web security”).

Note that blacklisting is never a complete measure. No preventative measure is 100% effective. Blocking known bad is not a substitute for enabling only known good. Blacklisting is an easy to enable (once the first change has been implemented, subsequent adds are easy), hard to maintain (but when should entries be removed?) measure. (See also: How Adobe Flash blacklisted certain URL prefixes when implementing its local-with-filesystem-sandbox, but failed to anticipate all permutations.)

A blacklist adds further protection to your already firewalled, already limited attack surface by not allowing known malicious sources near it.

  • Blacklisting is a measure to avoid future, previously undetected attacks (so-called “zero-day” attacks). If an attack has been detected once you have reason to expect an attack to appear again, and perhaps be undetected. This is a “fool me once, shame on you; fool me twice shame on me” approach to defense.
  • Blacklisting is a measure to reduce current detected alerts. The goal should be to investigate every alert. Blacklisting avoids reviewing repeated alerts.

If you are still not convinced, then note Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain. Specifically,

Our research into Nitol uncovered that the botnet was being hosted on a domain linked to malicious activity since 2008. This study also revealed that in addition to hosting b70, 3322.org contained a staggering 500 different strains of malware hosted on more than 70,000 sub-domains.

If you had been paying attention to malicious software sources for the past few years, you would have been aware of 3322.org. I was. If you were aware of 3322.org, you should have taken steps to protect yourself and should not wait for someone else to take them for you. I did.

If you’re still not convinced, read Government Agencies Get Creative In APT Battle. If you can’t whitelist, you can at least blacklist. You can blacklist what was evil in the past avoid the evil it does in the future.

Among the addresses to blacklist:

67.205.131.14 (trashypretty.com) (e.g., ads.trashypretty.com/Adserve_cpx160.html, ads.trashypretty.com/Adserve_cpx300.html) detected initially as “Possible_Hifrm-2”, later as “Mal_Hifrm-2”, now as “HTML_IFRAME.ACN”. We don’t need to keep seeing these alerts; we don’t need to see the next evolution of malware hosted at this location. Block access to the ads served up by trashypretty.com.

Design to be able to block addresses and domain names. Some addresses have no domain names. Some domain names change addresses. For a specific attack pattern, block based upon one or the other (usually domain name). It can’t hurt to block both if you have whitelisted your mission-critical destinations.

A longer list of threats seen, URLs and IP addresses has been shared as VirusBlockList.xls. See Fighting Malware and Blade Malicious URL Analysis Results for current malicious sources of malware.

See Stop Traffic From China IP Address Blocks To Protect Your Web Server From Chinese Hackers for two approaches to blocking traffic:

  • iptables at your router or firewall (and wizcrafts.net can be of assistance with the list)
  • Deny statements in Apache’s .htaccess file

Malware DNS Scraper and Malicious Host List should be used as a supplemental measure. If you have been following up on virus detection alerts, then you should be able to map attempts to connect to malicious web sites back to already investigated events. What are left are the laborious investigations, where you are unsure what machines to investigate. Hopefully, if you and your anti-virus vendor have been diligent, this is a short list.

The increasing use of fast-flux DNS is NOT an excuse to ignore blacklisting. Include inexpensive and inadequate measures in your layered security. Don’t exclude them because they are incomplete. The fact that a domain name resolves to one IP address at one time and a different IP address at another time means the domain name should be blacklisted and IP addresses it has used should be logged. Consider blacklisting ranges of IP addresses that appear in this log. Shun ISPs that willingly provide havens for malware.

A graduate research project titled “A Preliminary Survey of the Bulletproof Hosting Landscape” (authors Nathaniel Markowitz, Jonathan Brown, Amanda Cummins, Erin Greathouse, Christopher Kanezo, David McIntire, Thomas Saly, Toby Taylor, Louis Ulrich, Desiree Williams) finds malware domains concentrated with a limited number of registrars and a limited number of IP ranges.

When you install a URL filtering feature, in effect outsourcing your blacklist maintenance, retain measures to supplement that service. You can be aggressive about large address ranges to avoid, while a third party product must be more reluctant in order to appeal to a broader market.

See Malware Domain List for a long list of network locations known to host malware. See Blade Malicious URL Analysis Results for current malicious sources of malware. Consider blocking entire top level domains (TLDs) such as Cameroon. Consider blocking entire SAs. Also see Fighting Back and Business Continuity for examples showing how ISPs and government agencies take down some of the most blatantly malicious network participants, if they have been active for years. They have constraints that you do not have. Don’t wait for them to step in; protect yourself.

Exercise some prudence when blacklisting. A visit to [http:]//www.tamilbeat.com/ (“Your quality source for daily Tamil MP3s”) used to automatically include a visit to [http:]//traff.funnystories.ru/img/in.php?adv=1. traff.funnystories.ru hosted malware (detected as JS_PSYME.ANT). You would blacklist traff.funnystories.ru. You might also blacklist tamilbeat.com if you find they cannot keep their site secure. This “legitimate web site hosts link to malware” scenario is very common. See Sophos Security Threat Report 2013 [pdf] “In 2012 more than 80% of the threats we saw were redirects, mostly from legitimate sites that have been hacked.”

You can, and probably should, farm out the blacklist maintenance task. Implementing a product like Purewire Web Security Service or WatchGuard’s Reputation Enabled Defense and WatchGuard Extensible Threat Management (XTM) security solutions, provides this function as well as many more useful features. Major anti-virus sofware vendors offer their own blacklist or “cloud security” service; McAfee has “TrustedSource,” Trend Micro has WebReputation, AVG has a malicious URL datafeed. As part of your malware follow-up (as described in Fellow Malware Travelers), use the attack source information to enhance your blacklist.

If you implement a vendor’s blacklist service, or if your own blacklist service becomes expansive, expect users to trust and rely upon the service. Trend Micro has reported that their Smart Protection Network indicates a huge surge in blocked threats. The surge could be due to an increase in blocked destinations or mechanisms (such as legitimate web sites) that forward to blocked destinations, but could also be attributed to disregarding safe browsing practices.

Be sure your blacklist solution also blocks access to proxy services. See Public Proxy Servers for a current list of web sites which can used to reach the web sites you block. Tools such as CTunnel and Hotspot Shield are simple mechanisms which enable encrypted and tunneled network traffic through proxy servers. Blocking web site access based upon content is particularly difficult; content is often encrypted or cached. When outsourcing your blacklist maintenance, your vendor should be blacklisting proxy servers.

collective-intelligence-framework (CIF) tools to collect information from many data sources, such as:

Regarding free VPN services (such as the aforementioned Hotspot Shield): Their marketed purpose is the blocking of cafe neighbors who eavesdrop over a public WiFi connection. They also enable highly efficient eavesdropping at a large, remote central location. Additionally, AnchorFree loads an advertising frame in each web page (wepawet analysis) and is purported to insert its own results into search results. The frame loads a Flash file (wepawet analysis). It is unclear why this browser traffic is obfuscated. It is clear that Hotspot Shield is adware; Sunbelt describes why. US-CERT warns that clientless SSL VPN products break web browser domain-based security models (Vulnerability Note VU#261869).

See also:

“Internet Bad Neighborhoods: the Spam Case” by Giovane C. M. Moura, Ramin Sadre, and Aiko Pras [pdf]

Arbor Networks: ATLAS Summary Global Botnets and ATLAS Global Fast Flux Domains

This entry was posted on Sunday, April 19th, 2009 at 8:24 PM and is filed under Virus. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.