Spyware Listening Post

The goal of the Spyware Listening Post is to collect information about trojans and spyware we aren't aware of through sample collection methods. We are accomplishing this by relying on great projects like David Glosser's MalwareDomains.com project and our existing Emerging Threats Spyware Signatures to funnel known traffic to analysis points to identify the unknown.

How it works is this: instead of pointing known bad domains at localhost, we ask you to send those hostile requests to a collection server. The server returns a 1 byte text file for each request to keep bandwidth to a minimum, and the logs of those requests become the source of new information. More information about how to contribute to this data collection effort is available at the Malware Domains page. If you do not use that tool, you are encouraged to use whatever tools you do have available to redirect spyware traffic and infections to listen.emergingthreats.net.

What we are learning:

1. Information about the URLs and parameters used by known spyware. We can confirm the accuracy of existing signatures and add new signatures based on the new information.

2. Identify new User-Agent strings.

3. Identify new binary names and URLs to be submitted to AV and content filtering firms.

4. We can follow the trail of requests to new domains and add those to the Malware Domains list.

5. We learn more about what, who, and how the bad guys work.
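As an added illustration of the log analysis behind these five points (example code written for this page, not Emerging Threats' own tooling): the script below parses constructed access-log lines from a listening post, collects the URLs, query parameter names, User-Agent strings and binary names they reveal, notes referring hosts that are not yet on the list, and discards the source addresses so the output can be shared. It assumes the collection server logs in the Apache "combined" format with the Host header appended as a final quoted field; the domains, addresses and log lines are constructed.

```python
"""Summarise what a spyware listening post's request logs reveal.

Added example, not Emerging Threats' own analysis code. Assumptions: the
collection server logs in Apache 'combined' format with the Host header
appended as one more quoted field, and every hostname under a sinkholed
domain resolves to the post, so that Host field is the malware domain.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# combined format plus a trailing "%{Host}i" field (assumed log layout)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)
BINARY_SUFFIXES = (".exe", ".dll", ".scr", ".cab")

# Constructed log lines; the domains and addresses are not real.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2011:10:01:02 +0000] "GET /in.php?id=1234&ver=2 HTTP/1.1" 200 1 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "bad-example.test"
10.0.0.9 - - [17/Aug/2011:10:01:07 +0000] "GET /dl/update.exe HTTP/1.1" 200 1 "-" "Fetch 1.0" "bad-example.test"
10.0.0.5 - - [17/Aug/2011:10:02:30 +0000] "POST /gate.php HTTP/1.0" 200 1 "http://third-example.test/landing" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "other-example.test"
"""


def parse_line(line):
    """Fields of one log line as a dict, or None if the line does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def summarise(lines):
    """Aggregate the five kinds of information listed above.

    Source addresses are read but never stored: only counts leave this
    function, so the result can be shared without identifying contributors.
    """
    user_agents = Counter()
    urls = Counter()
    params = defaultdict(set)
    binaries = set()
    referer_hosts = set()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        parts = urlsplit(rec["target"])
        key = rec["host"].lower() + parts.path      # domain + path, query removed
        user_agents[rec["ua"]] += 1                  # point 2: User-Agent strings
        urls[key] += 1                               # point 1: URLs in use
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            params[key].add(name)                    # point 1: parameter names
        if parts.path.lower().endswith(BINARY_SUFFIXES):
            binaries.add(key)                        # point 3: binaries fetched
        ref_host = urlsplit(rec["referer"]).hostname
        if ref_host and ref_host != rec["host"].lower():
            referer_hosts.add(ref_host)              # point 4: trail to other domains
    return {
        "user_agents": user_agents,
        "urls": urls,
        "params": dict(params),
        "binaries": binaries,
        "referer_hosts": referer_hosts,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for section, value in summarise(SAMPLE_LOG.splitlines()).items():
        print(section, value)
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; lines that do not match the expected layout are counted in "skipped" rather than silently dropped, which is the first thing to check if a new log format yields an empty summary.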

The collected information is sanitized. We will not release the source of any hit, nor do we track which sites are submitting traffic. This is a very safe way to contribute information about badness that will directly result in new signatures.

To use the spyware listening post we recommend using the block list available at MalwareDomains.com, with a zone file like the one below serving each of those domains:

$TTL    86400   ; one day

@       IN      SOA     dns01.emergingthreats.net. threats.emergingthreats.net. (
                        1           ; serial (any number; increase it on each change)
                        28800       ; refresh  8 hours
                        7200        ; retry    2 hours
                        864000      ; expire  10 days
                        86400 )     ; min ttl  1 day

@       IN      NS      dns01.emergingthreats.net.
@       IN      A       ; address of the listening post (not given on this page)
*       IN      A       ; same address, so every hostname under the domain resolves to it
@       IN      MX  10  mail.emergingthreats.net.

Put this in place as your blockeddomains.hosts file, as recommended at MalwareDomains.com.
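An added example (not MalwareDomains.com's or Emerging Threats' code) of turning such a block list into the BIND configuration this page describes: it validates and de-duplicates the domains, refuses single-label names and anything under a protected domain (so the listening post itself is never sinkholed), emits one zone statement per domain pointing at the shared blockeddomains.hosts file, and writes that shared zone file with the listening post address supplied as a parameter. The path /etc/named/blockeddomains.hosts, the protected-domain list, the sample block list and the 192.0.2.10 address are assumptions.

```python
"""Build the BIND configuration for a spyware listening post from a block list.

Added example, not MalwareDomains.com's or Emerging Threats' own generator.
Assumptions: the block list is one domain per line with '#' comments, the
shared zone file lives at /etc/named/blockeddomains.hosts, and the listening
post address is supplied by the caller.
"""
import re

ZONE_FILE = "/etc/named/blockeddomains.hosts"        # assumed path
# Never sinkhole these: the listening post and its DNS live under them.
PROTECTED = ("emergingthreats.net",)                  # assumed list

# One DNS label: 1-63 chars, alphanumeric/hyphen, no leading/trailing hyphen.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")

# Constructed block list exercising the cases the loader must handle.
SAMPLE_BLOCKLIST = """\
# constructed block list
bad-example.test
Bad-Example.TEST.          # same domain, different case and trailing dot
sub.other-example.test
not a domain!
localhost                  # single label: would sinkhole far too much
listen.emergingthreats.net # the post itself must keep resolving normally
"""


def normalise(line):
    """Drop comments and whitespace, lowercase, remove a trailing dot."""
    return line.split("#", 1)[0].strip().lower().rstrip(".")


def load_domains(text, protected=PROTECTED):
    """Return (accepted, rejected): unique valid domains, and refused entries with reasons."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        domain = normalise(raw)
        if not domain:
            continue
        if len(domain) > 253 or not DOMAIN_RE.match(domain):
            rejected.append((domain, "not a valid multi-label domain"))
        elif any(domain == p or domain.endswith("." + p) for p in protected):
            rejected.append((domain, "protected domain"))
        elif domain not in seen:
            seen.add(domain)
            accepted.append(domain)
    return accepted, rejected


def zone_statements(domains, zone_file=ZONE_FILE):
    """One named.conf zone statement per domain, all sharing the sinkhole zone file."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains
    )


def sinkhole_zone(address, serial=1):
    """The shared zone file: apex and wildcard both answer with the post's address."""
    return (
        "$TTL 86400\n"
        "@ IN SOA dns01.emergingthreats.net. threats.emergingthreats.net. (\n"
        f"    {serial} 28800 7200 864000 86400 )\n"
        "@ IN NS dns01.emergingthreats.net.\n"
        f"@ IN A {address}\n"
        f"* IN A {address}\n"
        "@ IN MX 10 mail.emergingthreats.net.\n"
    )


if __name__ == "__main__":
    ok, bad = load_domains(SAMPLE_BLOCKLIST)
    for domain, why in bad:
        print(f"; skipped {domain}: {why}")
    print(zone_statements(ok), end="")
    print(sinkhole_zone("192.0.2.10"))   # 192.0.2.10 is a documentation address
```

The protected-domain check matters in practice: if a block list ever picked up the domain the listening post or its name servers live under, the redirect would point at itself and every contributing site would lose the post, so the loader refuses such entries rather than trusting the upstream list blindly.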

Topic revision: r4 - 2011-08-17 - MattJonkman
Copyright © Emerging Threats