Re: regarding malicious domains becoming inactive

[yelukati mahendra <mahendra_yn () yahoo com>]

These websites operate as one night shops,they have a range of domain names and IP's,they use the domain names or IP's 
randomly - I mean per activity basis,like for one kind of malware they use a particular name or a particular IP and 
when this activity gets traced,that particular domain name / IP is blocked or blacklisted,but they continue their 
activity using the other names/IP's to pump in other malware.

So in my perspective it is quite hard to tell when these particular websites or on and when they are off.Until and 
unless somebody blacklists or blocks the entire range given to these kind of people.



--- On Tue, 4/11/08, Sushant Sinha <sushant () umich edu> wrote:

> From: Sushant Sinha <sushant () umich edu>
> Subject: Re: regarding malicious domains becoming inactive
> To: "Bhatnagar, Mayank" <mbhatnagar () ipolicynetworks com>
> Cc: honeypots () securityfocus com
> Date: Tuesday, 4 November, 2008, 9:58 PM
> List of mailicious/advertising domains is maintained by a
> number of
> people.  SURBL (surbl.org) maintains list of URLs found in
> spam and
> Google maintains list of websites that may infect the end
> user
> (uprovides using the safe browsing API). Stopbadware also
> maintains such
> a list. 
>
> So the only question is when are these websites active and
> when are they
> inactive. I do not see why this information is terribly
> important as
> assuming that these websites are always up is more safe.
>
> -Sushant.
> On Tue, 2008-11-04 at 12:05 +0530, Bhatnagar, Mayank wrote:
> > Hi,
> >
> > Often we find while analyzing malwares that malicious
> domains become
> > inactive after some period of time.
> >
> > They may be active during initial period of activity,
> malwares when
> > executed connecting to these domains, these domains
> then sending
> > malicious files....binaries etc.....but just as soon
> as this information
> > is being known or the behavior has been captured by
> IDS/IPS signatures
> > blocking this domain, soon the domain itself become
> inactive.
> > What do you feel should be the responsibility of
> IDS/IPS solution
> > providers? I feel keeping track of such domains (live
> or down) in an
> > automated manner may be one possibility, keeping a
> signature for some
> > time as a measure of protection another. Also
> maintaining blacklists of
> > these domains may be helpful.
> >
> > How should one handle such cases? Any ideas?
> >
> > Thanks & Regards,
> > Mayank
> >
> >
> > "DISCLAIMER: 
> > This message is proprietary to iPolicy
> Networks-Security Products division of Tech Mahindra Limited
> and is intended solely for the use of the individuals to
> whom it is addressed. It may contain privileged or
> confidential information and should not be circulated or
> used for any purpose other than for what is intended. If you
> have received this message in error, please notify the
> originator immediately. If you are not the intended
> recipient, you are notified that you are strictly prohibited
> from using, copying, altering, or disclosing the contents of
> this message. iPolicy Networks-Security Products division of
> Tech Mahindra Limited accepts no responsibility for loss or
> damage arising from the use of the information transmitted
> by this email including damage from virus."


      Add more friends to your messenger and enjoy! Go to http://messenger.yahoo.com/invite/