Effective and reliable security monitoring that produces actionable information is one of the tools that can help us adapt to today's complex threat landscape. One of the existing security monitoring mechanisms is the use of real-time blacklists (RBLs). These blacklists keep track of IP addresses that are considered malicious or offensive, and they help people and organizations keep an eye on the IP address space they own. For example, you can monitor and potentially detect whether your public IP address space is being blacklisted, or whether one of your systems has been compromised and is communicating with a blacklisted IP (e.g. sending intellectual property overseas or receiving command and control instructions).
The information available is mainly public and is a contribution of well-known individuals, such as Roman Hussy from Abuse.ch or Steven Adair from the Shadowserver Foundation, to the security community. I have reasons to believe that when combining information from reliable and trustworthy blacklist data sources with the defense mechanisms in place (traditionally blacklists are used at the perimeter due to the volume of data) we have a straightforward method which will accurately identify signs of danger, reduce our exposure to today's threats and provide actionable intelligence.
Of the available blacklist data sources, three are worth highlighting (descriptions taken from their respective websites):
Abuse.ch is one of the best public resources you can use to track botnet command and control domains and IP addresses. At the moment it contains three trackers:
ZeuS Tracker is a list of all ZeuS C&Cs as well as fake URLs which are currently known to the ZeuS Tracker. You can browse the ZeuS Tracker to get a list of ZeuS C&Cs and FakeURLs in a specified country or AS number. Additionally, the ZeuS Tracker provides a feature which allows filtering the ZeuS C&Cs by nameserver, level, status and many more criteria.
SpyEye Tracker is another project by abuse.ch. It is similar to the ZeuS Tracker, with the slight difference that SpyEye Tracker tracks and monitors malicious SpyEye Command&Control servers (and not ZeuS C&Cs). SpyEye Tracker provides blocklists in different formats (e.g. for the Squid web proxy or iptables) to prevent infected clients from accessing the C&C servers. Additionally, SpyEye Tracker should help ISPs, CERTs and law enforcement to track malicious SpyEye C&C servers which are their responsibility.
Palevo Tracker is a list of Palevo infections. Palevo is a worm that spreads using instant messaging, P2P networks and removable drives (like USB sticks). It is being sold in underground forums, like ZeuS. The worm (also known as Rimecud, Butterfly bot and Pilleuz) made big press in 2010 (see Trend Micro: "Clipping Mariposa's Wings" / Symantec: "The Mariposa Butterfly").
Shadowserver Foundation is an all-volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware. You might have heard about them through their collaboration with Microsoft on taking down the Waledac botnet.
Emerging Threats is an open source community for collecting Suricata and Snort rules, firewall rules, and other IDS rulesets. The open source community still plays an active role in Internet security, with more than 200,000 active users downloading the ruleset daily.
Besides those three, the following picture illustrates a compilation of data sources of blacklisted IPs, with the number of addresses each provides and the respective site to download the blacklist from. Most of them are free for private use.
All these lists together contain 16749 IPs (type = address), of which 95.4 % are unique. The number of IPs for Shadowserver is not mentioned because their monitoring service works on the basis of the ASN or CIDR ranges that you report to them as your own.
Besides that, you can search through these block lists to get valuable information, although doing so by hand can be time consuming. Nonetheless, online services like the Anti-Abuse Project automatically check IP addresses and domains against 60 real-time blacklists and give you actionable information. For example, an IP address that is listed in more than 10 block lists can safely be regarded as malicious.
Well, after all this text, the name of this blog entry is 334 because, at the time of writing, that is the number of IP addresses that you should certainly monitor. These 334 IP addresses are the sum of the addresses on the lists provided by the ZeuS, SpyEye and Palevo trackers from the Abuse.ch repository plus the RBN (Russian Business Network) Frequent Malware Advertisers list from the Emerging Threats repository.
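To make the aggregation concrete, here is an added example (not code from the original post or from any of the projects mentioned) that does the three things described above: it parses several blocklist feeds, measures how much they overlap (the "percentage unique" figure quoted for the compiled sources), counts on how many lists each address appears (the multi-list threshold idea), and then matches firewall log lines against the combined list to flag a host talking to a listed address. The feed bodies are constructed sample data using RFC 5737 documentation ranges, not real tracker output, and the plain "one address per line, # comments" layout is assumed; the log lines are constructed in a netfilter-like format.

```python
"""Aggregate IP blocklist feeds, measure overlap, and match firewall log
connections against the union.  Added example with constructed data."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds in an assumed plain-text layout: one address per
# line, '#' starts a comment.  Addresses are RFC 5737 documentation ranges,
# not real C&C servers; the feed names only mirror the lists named in the post.
FEEDS = {
    "zeus_tracker": """# ZeuS Tracker IP blocklist (constructed sample)
192.0.2.10
192.0.2.11
198.51.100.7
""",
    "spyeye_tracker": """# SpyEye Tracker IP blocklist (constructed sample)
192.0.2.11
203.0.113.42
""",
    "palevo_tracker": """# Palevo Tracker IP blocklist (constructed sample)
198.51.100.7
198.51.100.8
""",
    "et_rbn_malvertisers": """# Emerging Threats RBN malvertisers (constructed sample)
203.0.113.42
203.0.113.43
192.0.2.10
not-an-ip   # malformed line, must be skipped rather than poison the list
""",
}

# Constructed netfilter-style log lines: two outbound connections from
# internal hosts and one inbound attempt from the outside.
SAMPLE_LOG = [
    "Mar 10 10:00:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Mar 10 10:00:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=93.184.216.34 PROTO=TCP DPT=443",
    "Mar 10 10:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.42 DST=10.0.0.1 PROTO=TCP DPT=22",
]

LOG_LINE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)")


def parse_feed(text):
    """Return the set of valid IPv4/IPv6 addresses in one feed body."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            entries.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # skip malformed entries instead of failing the whole feed
    return entries


def aggregate(feeds):
    """Map each address to the set of feed names that list it."""
    listed_in = defaultdict(set)
    for name, body in feeds.items():
        for ip in parse_feed(body):
            listed_in[ip].add(name)
    return listed_in


def overlap_stats(feeds):
    """Total entries across all feeds, unique addresses, and percent unique."""
    total = sum(len(parse_feed(body)) for body in feeds.values())
    unique = len(aggregate(feeds))
    return total, unique, round(100.0 * unique / total, 1)


def scan_log(lines, listed_in, min_lists=1):
    """Flag log lines where either endpoint appears on at least min_lists feeds.

    An outbound hit (role 'dst') suggests an internal host talking to a C&C;
    an inbound hit (role 'src') is a listed address knocking on the perimeter.
    """
    alerts = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        for role in ("src", "dst"):
            ip = match.group(role)
            feeds = listed_in.get(ip, set())
            if len(feeds) >= min_lists:
                alerts.append({"line": line, "role": role, "ip": ip,
                               "feeds": sorted(feeds)})
    return alerts


if __name__ == "__main__":
    total, unique, pct = overlap_stats(FEEDS)
    print(f"{total} entries, {unique} unique ({pct} % unique)")
    listed = aggregate(FEEDS)
    for alert in scan_log(SAMPLE_LOG, listed):
        print(f"{alert['role']} {alert['ip']} on {alert['feeds']}: {alert['line']}")
```

Raising `min_lists` is the local equivalent of the multi-list check mentioned above: with four feeds and one threshold you trade recall for confidence, and the `feeds` field on each alert tells the analyst which sources backed the hit.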
If you use any of these blacklists, you should update them at reasonable intervals: entries go stale as C&C servers are taken down or addresses change hands, so a hit against an old copy is a lead to verify rather than a verdict. These blacklists will definitely help you create a list of prohibited events and build procedures for remediating them. Use them as you see fit.