Monday, October 26, 2009

DNS Blackhole and RBN IP List Updated

Over the weekend I've updated the DNS Blackhole and RBN IP List files to include blocking of the most recent malware sites (including the ASProx botnet). Updating your firewall will provide you with optimal protection:

Emerging Russian Business Network rules for Snort:

Emerging Threats RBN Project page:

IP list as a text file (last update: 10-24-2009)

DNS Black Hole files for Smoothwall at Emerging Threats:

James McQuaid

Friday, October 16, 2009

Don't Lose Your Bank Account: Bank on a Live CD

Brian Krebs has provided people who use online banking services with excellent advice: do your online banking only from a read-only, bootable operating system, such as Knoppix, or Ubuntu.

Brian's articles on this subject have been featured by both Slashdot and Google. He provides a tutorial on how to burn a live CD using Ashampoo Burning Studio Free. If you use Nero, my tutorial on burning ISO images may also be useful.

For those who do not wish to burn their own ISO image, the large bookstores now have Linux magazines available which include bootable Linux Live CDs.

James McQuaid

Sunday, October 11, 2009

Blocking the ASProx Fast Flux Botnet

With the IP addresses of the ASProx fast flux botnet changing between infected residential computers nearly daily, the only effective methods of blocking it are through the use of a DNS black hole or with Snort Inline.

Gary Warner provides an excellent write up on the botnet at his blog at:

Today, I updated the DNS Super Blackhole at You can download the DNS Super Black Hole files for Smoothwall at Emerging Threats from:

* config-hosts ( 275,937 organized crime, RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Updated 10-11-2009: added 9,116 cybercrime and malware domains identified since 6-20-2009.

* hosts ( Protect your home from 275,937 bad domains for Smoothwall 3; placed in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback (blacklisted domains must resolve to Updated 10-11-2009. If you believe that your domain should not be listed, please let us know and we will review it for delisting.

- James McQuaid