Domain Feeds Update: July 2017
We’re always researching new sources of malicious domains to block via Strongarm. In addition to harnessing the collective intelligence provided by Strongarm customers using our community feed, we’ve also recently added three new domain feeds (sources of malicious domains) to Strongarm. These sources provide us with more malicious domains that we block from harming our customers’ networks. Keep reading for details on the three new sources we have added recently.
Bambenek Consulting provides a list of domains from malware that use DGAs (domain generation algorithms). By using domain generation algorithms, attackers avoid hardcoding the command-and-control domain in their malware and instead calculate a new domain periodically.
Defenders must reverse engineer these algorithms to learn which domains the malware will use so those domains can be blocked ahead of time. This list is updated daily and contains domains from the past two days through the next three days.
Note that these domains aren’t necessarily malicious—many are actually unregistered—but all of them are nonsensical (i.e. you likely wouldn’t be typing them in directly, because they are usually long and do not contain real words). Currently Strongarm only includes a subset of this list, since many of the domains included are no longer active, but this still totals over 100,000 domains. The threat families that are included in this domain feed are: nymaim, pykspa, ramnit, and virut.
The Computer Incident Response Center Luxembourg (CIRCL) provides indicators of compromise from a variety of sources, including their own analysis. This data is shared via their OSINT Malware Information Sharing Platform (MISP) instance, and has now been added to Strongarm’s blackhole.
The botvrij.eu data has been added to the Strongarm blackhole as well. This dataset aggregates indicators of compromise, including domains, that have been published in the past six months from publicly available papers, blog posts, and more.
Making Strongarm Better Together
These three information sources add almost 175,000 domains to Strongarm to protect our customers. If you ever find a false positive in a domain that Strongarm is blocking, you can whitelist it for your team, which will stop it from being blocked on your network. Additionally, please let us know if this is the case, so we can evaluate and update the feed for everyone (and notify upstream data sources like the ones listed above).
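As an added illustration (not Strongarm's own code), the snippet below shows the core of a DNS blackhole like the one described above: several feeds are normalised and merged, a listed domain also covers its subdomains, and a per-team whitelist overrides every feed so a false positive can be released without touching the upstream data. The feed contents and domain names are constructed for the example.

```python
"""Merge malicious-domain feeds into one blocklist and resolve queries
against it, with a team whitelist taking precedence over all feeds.
Added example; the feed data below is constructed, not real indicators."""
from typing import Dict, Iterable, Optional

# Constructed sample feeds, one domain per line, as a DGA list or an
# OSINT export might arrive. Blank lines and '#' comments are ignored.
FEEDS: Dict[str, str] = {
    "dga-feed": "# family: example-dga (constructed)\nqxkzvpwt7ah2.example\n",
    "osint-feed": "badhost.example.\nMalware.Example\n",
}


def parse_feed(text: str) -> set:
    """Normalise feed lines: lowercase, strip whitespace and trailing dot."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            domains.add(line)
    return domains


def build_blocklist(feeds: Dict[str, str]) -> Dict[str, str]:
    """Map each blocked domain to the name of the feed that first listed it."""
    blocked: Dict[str, str] = {}
    for feed_name, text in feeds.items():
        for domain in parse_feed(text):
            blocked.setdefault(domain, feed_name)
    return blocked


def lookup(qname: str, blocked: Dict[str, str],
           whitelist: Iterable[str] = ()) -> Optional[str]:
    """Return the feed that blocks qname, or None if it should resolve.
    A listed domain blocks its subdomains too; a whitelisted domain (or a
    whitelisted parent) releases the name regardless of any feed."""
    q = qname.strip().lower().rstrip(".")
    labels = q.split(".")
    # Candidates walk from the full name up to its parents: a.b.c, b.c, c
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    allow = {w.strip().lower().rstrip(".") for w in whitelist}
    if any(c in allow for c in candidates):
        return None
    for c in candidates:
        if c in blocked:
            return blocked[c]
    return None
```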