Monday, October 26, 2009

DNS Blackhole and RBN IP List Updated

Over the weekend I've updated the DNS Blackhole and RBN IP List files to block the most recent malware sites (including the ASProx botnet). Updating your firewall with these lists will provide you with optimal protection:

Emerging Russian Business Network rules for Snort:
http://www.emergingthreats.net/rules/emerging-rbn.rules

Emerging Threats RBN Project page:
http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

IP list as a text file (last update: 10-24-2009)
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

DNS Black Hole files for Smoothwall at Emerging Threats:
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts

James McQuaid
10-25-2009

Friday, October 16, 2009

Don't Lose Your Bank Account: Bank on a Live CD

Brian Krebs has provided people who use online banking services with excellent advice: do your online banking only from a read-only, bootable operating system, such as Knoppix or Ubuntu.

Brian's articles on this subject have been featured by both Slashdot and Google. He provides a tutorial on how to burn a live CD using Ashampoo Burning Studio Free. If you use Nero, my tutorial on burning ISO images may also be useful.

For those who do not wish to burn their own ISO image, the large bookstores now have Linux magazines available which include bootable Linux Live CDs.

James McQuaid

Sunday, October 11, 2009

Blocking the ASProx Fast Flux Botnet

With the IP addresses of the ASProx fast flux botnet changing between infected residential computers nearly daily, the only effective methods of blocking it are a DNS black hole or Snort Inline.

Gary Warner provides an excellent write-up on the botnet on his blog: http://garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html

Today, I updated the DNS Super Blackhole at emergingthreats.net. You can download the DNS Super Black Hole files for Smoothwall at Emerging Threats from: http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples

* config-hosts (http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts): 275,937 organized crime, RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave the last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Updated 10-11-2009: added 9,116 cybercrime and malware domains identified since 6-20-2009.

* hosts (http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts): Protect your home from 275,937 bad domains for Smoothwall 3; place in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback (blacklisted domains must resolve to 127.0.0.1). Updated 10-11-2009. If you believe that your domain should not be listed, please let us know and we will review it for delisting.

- James McQuaid
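The two rules the post calls out for the black hole file (every blacklisted domain resolves to 127.0.0.1, and the file ends with a blank line) are easy to get wrong when you merge your own domains into a list this large. The script below is an added example, not Emerging Threats' or Smoothwall's own code: it builds a hosts-style black hole file from a plain list of domains and checks an existing file against those two rules. It assumes the simple `<ip> <domain>` hosts format and a one-domain-per-line input with `#` comments; the sample domains are constructed, not real blocklist entries.

```python
"""Build and validate a DNS black hole hosts file.

Added example (not Emerging Threats' or Smoothwall's code). Assumptions:
- input is one domain per line, '#' starts a comment
- every blacklisted domain must map to 127.0.0.1 (local loopback)
- the output must end with a newline (the post's "leave the last line blank")
"""
import re

LOOPBACK = "127.0.0.1"

# Conservative hostname label check: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(raw):
    """Lower-case, strip whitespace and a trailing dot; None if not a valid hostname."""
    d = raw.strip().lower().rstrip(".")
    if not d or len(d) > 253:
        return None
    if all(_LABEL.match(label) for label in d.split(".")):
        return d
    return None


def build_blackhole(domain_lines):
    """Turn raw domain lines into hosts-file text mapping each domain to loopback.

    Comments and blanks are skipped, duplicates collapsed, output sorted so the
    file diffs cleanly between updates. Returns (text, rejected_lines).
    """
    seen = set()
    rejected = []
    for line in domain_lines:
        body = line.split("#", 1)[0]
        if not body.strip():
            continue
        d = normalize_domain(body)
        if d is None:
            rejected.append(line.rstrip("\n"))
        else:
            seen.add(d)
    text = "".join(f"{LOOPBACK} {d}\n" for d in sorted(seen))
    return text, rejected


def check_blackhole(text):
    """Validate an existing hosts-style black hole file; returns a list of problems.

    Every entry must point at 127.0.0.1 so a sinkholed lookup never leaves the
    box, and the file must end with a newline.
    """
    problems = []
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline (last line must be blank)")
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            problems.append(f"line {n}: expected '<ip> <domain>'")
            continue
        ip, names = parts[0], parts[1:]
        if ip != LOOPBACK:
            problems.append(f"line {n}: {', '.join(names)} resolves to {ip}, not {LOOPBACK}")
        for name in names:
            if normalize_domain(name) is None:
                problems.append(f"line {n}: invalid hostname {name!r}")
    return problems


# Constructed sample input (not real blocklist data).
SAMPLE_DOMAINS = [
    "# constructed sample list",
    "bad-host.example",
    "BAD-HOST.example",          # duplicate differing only in case
    "another.bad.example.   # trailing dot and an inline comment",
    "not a domain",
    "",
]

if __name__ == "__main__":
    text, rejected = build_blackhole(SAMPLE_DOMAINS)
    print(text, end="")
    print("rejected:", rejected)
    print("problems:", check_blackhole(text))
    # A file that breaks both rules from the post: wrong sink address, no final newline.
    bad = "0.0.0.0 evil.example\n127.0.0.1 ok.example"
    for p in check_blackhole(bad):
        print("bad file:", p)
```

Run `check_blackhole` over the downloaded file before copying it into /var/smoothwall/hosts/; a non-loopback sink address or a missing final newline is reported with its line number.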