Thursday, April 24, 2008

Tracking malware

I've been following the certificate phish I posted about the other night for the last couple of days. There have been a few more iterations of it using the same certificate scam, only for different banks. The interesting thing is that while the domain names keep changing, the IP address of one of the name servers has been staying the same. This is a fast flux network, but I have to wonder if this name server is at some bulletproof hosting provider. If I find out more I'll post.

This got me thinking - how can we track the sites which malware uses? The big AV/MA companies have databases and huge repositories of information from their customer base which allow them to track the websites and groups which are sending out malware. However, I don't work for a huge AV/MA company and neither do my MA buddies. We don't have access to the resources these big companies do, but is our research any less important?

I came to the conclusion that I'm going to start my own tracking database. I've only begun to formulate the idea of how to set it up in my head. I'm curious whether anyone knows of anything like this that already exists and is publicly accessible. I know the ISC has their DShield database, but that is more about attacks in general and not specific to malware.
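The pivot described above, grouping phishing domains by the name-server IP that stays constant while the A records flux, as an added example that is not the post's own code; the DNS observations and domain names are constructed placeholders, and a real tracker would fill them from resolver logs or passive DNS:

```python
# Added example (not from the original post): cluster domains by the
# name-server IP they share, the pivot the post describes. DNS data is
# constructed inline so the script runs offline.
from collections import defaultdict

# Constructed observations: (domain, A record IPs seen over time, NS host IPs)
OBSERVATIONS = [
    ("bank-cert-update.example", ["198.51.100.10", "198.51.100.77", "203.0.113.5"], ["192.0.2.53"]),
    ("secure-cert-bank.example", ["203.0.113.9", "198.51.100.42", "203.0.113.88"], ["192.0.2.53"]),
    ("verify-cert-now.example", ["198.51.100.7", "203.0.113.61"], ["192.0.2.53", "192.0.2.54"]),
    ("legit-shop.example", ["203.0.113.200"], ["192.0.2.99"]),
]

def cluster_by_nameserver(observations):
    """Map each name-server IP to the sorted list of domains it serves."""
    clusters = defaultdict(set)
    for domain, _a_records, ns_ips in observations:
        for ns in ns_ips:
            clusters[ns].add(domain)
    return {ns: sorted(doms) for ns, doms in clusters.items()}

def flux_score(a_records):
    """Number of distinct A records seen for one domain; many distinct IPs
    in a short window is the fast-flux signature the post mentions."""
    return len(set(a_records))

def shared_infrastructure(observations, min_domains=2):
    """Return name-server IPs serving at least min_domains distinct domains,
    each with its domains and their flux scores, most shared first."""
    scores = {d: flux_score(a) for d, a, _ in observations}
    report = []
    for ns, doms in cluster_by_nameserver(observations).items():
        if len(doms) >= min_domains:
            report.append((ns, [(d, scores[d]) for d in doms]))
    return sorted(report, key=lambda item: -len(item[1]))

if __name__ == "__main__":
    for ns, doms in shared_infrastructure(OBSERVATIONS):
        print(f"NS {ns} serves {len(doms)} domains:")
        for d, s in doms:
            print(f"  {d} (distinct A records: {s})")
```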
