Thursday, October 22, 2009

Tracking the Defenders

I've been working hard the last few weeks to get my malware analysis class ready, but something popped up that got me thinking. In the last few days a number of blogs have reported about, a site which is tracking the IP addresses that AV companies use to research malware.

According to the supposed author*, the reason this site is in existence is:
If you DDoS them, then you will lame down the whole AV business, then there won’t be any new detections for the time you cut them from the internet. The IP list is also useful for software that downloads something from the internet, in order to hide it from automatic analyzers like Anubis. You can simply exit the program when the IP matches with one of the AV list – and then your program stays secure from automatic analysis.
I have to admit that I'm not surprised at these reasons, or even that this is happening. In fact, I suspect its been happening a long time and this is just the first time a public list has been made.

Think about it - we watch where the attackers are coming from. We have honeypots, block lists, and share information amongst each other - why should we think the attackers are doing any differently?

This does illustrate a good point, however. In my class I teach that you should never allow malware you are analyzing to contact its home servers from your organization. When you do, the attackers can figure out where you are coming from and, in the best case, block your access. In the worst case you would be on the receiving end of a DDoS attack.

* I say supposed because I have no proof one way or another.