New IP Address Blacklist Based On Web Chatter

itwbennett writes: A new approach to assembling blacklists analyzes chatter on the dark and open Web and can find malicious IP addresses that would have been missed using honeypots and intrusion detection systems, according to a report by security startup Recorded Future. On traditional blacklists, 99 percent of the addresses are for inbound activity, 'when someone is attacking your system from an external address,' said Staffan Truvé, chief scientist and co-founder at Recorded Future. On Recorded Future's new list, half of the addresses are for outbound activity, 'when an intruder is already in your systems, and is trying to connect to the outside world to exfiltrate data,' said Truvé. For example, Recorded Future identified 476 IP addresses associated with both the Dyreza and the Upatre malware families — only 41 of which were known to existing blacklists.

Does this mean victims are being blacklisted?

[ebyrob]

Seems like IPs sending out their sensitive data to attackers would normally be termed "victims"?

Re:

[Penguinisto]

Oatensibly, this would blacklist bots...

Then again, if someone popped onto a random IRC server in the undernet, and started chatting about every IP address for windowsupdate.com...

I am also curious as to how they handle DHCP, and if there's a timeout for the IPs listed?

Re:

[Archangel Michael]

But, with the new features built into Windows10, Windows updates can come from anywhere!

What could possibly go wrong with that??

Re:

[BronsCon]

It sounds to me like it's blacklisting the IPs being connected to. Easy to spoof, though, just have your malware connect to dozens of random IPs along with the few actual IPs you're using, then the list becomes so full of false positives that it is rendered useless.

Re:

[BronsCon]

That seems more targeted than random to me. Also easy to combat with a whitelist overlaid on top of the blacklist. Truly hitting a few dozen, or a few hundred random IPs with every phone home to the actual C&C or dump server would render any blacklist based on those IPs useless. Think about it, if each machine hits 24 random IPs and 1 legit IP every time it phones home, only rotates out half of those so you can't easily pick out the one that's always the same, and phones home hourly, that's 12 new IPs p

Re:

[Anonymous Coward]

You are assuming they are analyzing traffic reports. They aren't. they are scraping chat logs, twitter, pastebins and other resources to gather domains/ips with more than 1 mention of malware, it's right in the article.

None of what they are talking about in this article relates to traffic monitoring, at all, by any stretch. It has nothing to do with coding your malware to connect to random IPs or domains. It's literally them sending a bot into rooms and recording the chats. And depending on which IRC n

Re:

[BronsCon]

My ISP knows I pen-test for a living. I pay a premium for my bandwidth and they leave me alone as a result. I do get an email from them once in a while if I've been testing a new exploit, making sure I'm actually the one doing it and not an infected system. A portscan? I doubt theyd even blink. Connecting to a couple hundred or so IPs in the frame of an hour? No ISP would think twice about it, especially if you're connecting on 443. Normal browsing habits for most households.

Re:

[BronsCon]

Oh, and for the record, one email I got from them was about my Time Capsule being used in a DDOS. Fucking Apple ships the things with SNMP on by default, with default communities and no security; and no version of AirPort utility that runs on an Intel CPU can change the setting. I had to boot up an old Windows machine to fix that.

Re:

[AHuxley]

A group of people need huge data moving pipes, distant command and control and some link to their safe location to make a long term project work without discovery.
Days, weeks, months to chat, find, forum reading, ability to test the very latest and more expensive tools.
The hope is the same type of ip networks will be used for the final testing and chat as for the "project"
That can be detected.
The feel of anonymity and having privacy can be strong once a small group of skilled people are ready for their

Re:

[BronsCon]

Yes, when you're a government or quasi-government organization and have taps on every internet backbone to collect every single bit of traffic, you can do this. The company compiling this list? Not so much.

Re:

[AHuxley]

With the private sector been herded into helping or staff helping or collaborating or been called on to "collaborate and cooperate"...
Not much of the US private sector is really "free" anymore not to help make lists or have gov networks installed to track traffic in real time.
Cyber Information Sharing Act is just the start with its FOIA issues and domestic access beyond NSL (national security letter) or FISC (FISA Court) access.
Over time the entire US tech sectors private net logging is been guided in

Re:

[BronsCon]

Meds. You're off yours. You act like this is all some conspiracy we don't all already know about. Anyone in tech already knows this stuff, it's not relavent to this discussion, though.

Re:Does this mean victims are being blacklisted?

[Anonymous Coward]

The article doesn't come out clearly to state this, but I can't see them adding end users IPs to a black list, I suspect that are referring to the IP the infected machine is trying to send data TO, as opposed to the IPs that the attacks are originating from.

Think command an control network as inbound, it sends package updates and commands to the infected machine.
The infected machine then attempts to send data off to another server, likely not connected in any way to the C&C system. This outbound IP would be blockable.

But you can't block the users ip as it's likely a dynamic IP assigned by their ISP.

Then again you can argue that once you are infected, you should be blacklisted and that could be something to look into.

I read the article (not the full report) and they are talking about scanning tweets, chats, pastebins and other stuff looking for IPs / domains with at least 2 mentions of malware.

I find it hard to believe these IPs are end users machines.

Re:

[drinkypoo]

The article doesn't come out clearly to state this, but I can't see them adding end users IPs to a black list,

Why not? You might not blackhole the IP, but you could certainly ignore whole classes of traffic from such a host, and you could redirect them to a page telling them to get their act together.

Quick!

[BronsCon]

Somebody create a piece of malware that connects to random IP addresses!

Really? In this age - Blacklists?

[Anonymous Coward]

Come on submitters and editors. Can't you understand that whitelists and blacklists have a racist history? The accepted terms are "allow list" and "block list". This isn't that hard.

Re:

[Darinbob]

They're not blueprints either, they're prints of color.

IPs often assoc with multi-homed hosts

[laughingskeptic]

The problem with IPs found this way is that they are often associated with hundreds to thousands of web sites, and the bad actors shift between these backends rapidly. For instance I have seen cases where there are a few Wordpress generated sites out of thousands being used to host malware configs and updates at a single IP of a low-end hosting provider. I have seen many similar instances where the IP was associated with AWS. The most precise way to blacklist sites like this is by hostname and not by IP.

Useless w/IPV6

[JustAnotherOldGuy]

Once IPV6 is widely adopted, the idea of having any meaningful data associated with an IP address is DEAD.

The bad guys will have a nearly limitless pool of IPs to spoof and choose from, and they'll just discard them every few seconds or minutes and a get a new batch to use. That's because IPV6 has a mind-bogglingly immense address space. How much? Well....

Let's assume every single one of the 100 billion stars in the galaxy is inhabited, and each star has a population of 10 trillion humans in orbit around it

Unusual outbound activity

[Ed Tice]

For whatever reason, the most negative people on /. always manage to get first posts. Some posters have already pointed out limitations but let's talk about the benefits of this. If a bunch of hosts on my network start communicating in a way that they never have before, that me the sign that an infiltration has occurred. Inbound scanning looks for things trying to get through your firewall from the outside. But as we also point out on /. all the time, does almost nothing against social engineering attac