Finding the unknown on your network
One of the things I constantly keep in mind is “how do I find what I don’t know about?”. An unknown threat is what will hurt you and your organization. So how does one find something they don’t know...
Sources of Badness – LeaseWeb
**Edit 2** I’d like to thank LeaseWeb for taking the time to respond to this post. It’s great to hear that they take action quickly once informed of abuse. I found it surprising that they would receive...
Sources of Badness – UATelecom
The next source of badness I’ll cover is UATelecom (AS44997). With a /22, this host is much smaller than LeaseWeb. A Swiss blogger also had a run-in with this host which you can read about here...
Sources of Badness – ZlKon
After a weekend hiatus, I’m back with the next host of interest – ZlKon. role: ZlKon HostMaster address: Lilijas iela 4-74 address: Riga, LV-1055 address: Latvija phone: +371 26330593 e-mail:...
Sources of Badness – PortNAP
One of the smaller hosts I’ve identified is PortNAP Internet Services. They appear to get their service from Grafix Internet B.V. We’ve seen fake anti-virus coming from 3 of their IPs in two different...
Sources of Badness – Starline Web Services
Next up, we have Starline Web Services, based in Estonia. Starline was recently in the news for briefly hosting a Srizbi C&C, as reported by FireEye. inetnum: 92.62.101.0 - 92.62.101.255 netname:...
Sources of Badness – Still Trade LTD
The absolute worst culprit that I’ve come across so far in terms of bad IPs is Still Trade LTD from Russia. They have their own /24, AS47486. Out of 34 web servers in their IP block, 30 are bad....
Finding the Unknown – Detecting Emailed Malware Waves
In a previous post I discussed using the technique of watching for the transfer of executable files around the network as a method of intrusion detection. This is a great way of discovering machines...
One Click Hosting Spreads Banking Trojan
While this is not totally new, I only recently came across my first event involving a one click host serving malware. What is one click hosting? These are providers which you have probably heard of...
Major Stealthy Malware Campaign – 711 Domains Taken Down
Starting sometime around November 6th, many attacks were observed coming from strangely named domains such as us.bf9.info, us.bp0.info, us.bn3.info, etc. The attackers employed some code splitting...