The ThreatSTOP Blog

ThreatSTOP blocking Shellshock (Bash) scanners

Fri, 09/26/2014 - 16:10

Over the last 36 hours ThreatSTOP has identified a number of hosts that are attempting to scan for (and then exploit) the Shellshock bash vulnerability. We are actively identifying these miscreants through (failed) attacks against our servers, detection by our honeypots, and data received from malware researchers we work with.

These addresses have been added to a new expert mode target list called “shellshock” as well as to our standard mode “UNIX SERVER” target list.

We recommend that any of our users who have servers exposed to the Internet implement these target lists. If you are a Standard user, you should already be using the UNIX SERVER list if you have Unix or Linux servers that accept connections from the Internet. If you are an Expert Mode user, you should add the shellshock list to the policies you apply on Internet-facing servers.

This list is currently around 700 entries and growing fast. We were blocking many of these even before we focused on detecting shellshock exploit attempts. As we noted in our blog posts about Heartbleed, we have been blocking a number of attacks simply because they are coming from IP addresses that are well known to us as attackers.

The Shellshock vulnerability is a serious flaw in the GNU bash shell that runs on Linux- and Unix-based systems (this includes Apple, BTW). It allows arbitrary code execution in bash by setting specially crafted environment variables, which in turn allows reverse shells and other malware to be installed on Internet-facing servers. The bug affects web servers that run shell scripts via CGI and SSH servers, but it could also be exploitable through other protocols, such as DHCP, that pass attacker-controlled values into environment variables. The vulnerability is being actively used to compromise web servers and build botnets that can attack other parts of the Internet.
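The post says these scanning hosts are identified partly from failed attacks against ThreatSTOP's own servers. A web server operator can do the same thing locally: a Shellshock probe against a CGI endpoint arrives as an HTTP header or request-line value that starts with a bash function definition, so the `() {` prefix is a reliable signature in the access log. The following Python script is an added example (not ThreatSTOP code) that parses constructed Apache combined-format log lines, flags the probes, and counts them per source IP so the result can feed a local block list; the log lines, IP addresses and the `probe` payload are all constructed for the example.

```python
import re
from collections import Counter

# A Shellshock probe puts a bash function definition into a value that a CGI
# server copies into an environment variable (User-Agent, Referer, the request
# line). The signature is "() {" followed by a body, "}" and ";" before the
# trailing command; that prefix is what we match, not any particular command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache combined log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not real traffic): two probes from one source, one
# from another, and two ordinary requests from a third host.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 404 209 "-" "() { :; }; echo probe"
198.51.100.23 - - [26/Sep/2014:10:02:19 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :; }; echo probe" "curl/7.37"
192.0.2.55 - - [26/Sep/2014:11:15:02 +0000] "GET /cgi-bin/x HTTP/1.0" 404 209 "-" "() { :;}; echo probe"
198.51.100.23 - - [26/Sep/2014:11:16:45 +0000] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(fields):
    """True if any attacker-controlled field carries the bash function prefix."""
    return any(SHELLSHOCK_RE.search(fields[k]) for k in ("req", "ref", "ua"))


def find_probing_hosts(log_text):
    """Count Shellshock probes per source IP; returns Counter {ip: probes}."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and is_shellshock_probe(fields):
            hits[fields["ip"]] += 1
    return hits


def block_list(hits, min_hits=1):
    """Sorted source IPs that reached the threshold: locally observed scanners
    that a firewall or reputation feed could block."""
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    probes = find_probing_hosts(SAMPLE_LOG)
    for ip, n in probes.most_common():
        print(f"{ip}\t{n} probe(s)")
    print("block:", block_list(probes))
```

Note that the status code is irrelevant to the match: a 404 still records the probing source, which is exactly the "failed attack" signal the post describes. Matching on the `() {` prefix rather than on a specific command keeps the detector independent of whatever the scanner chose to run.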

ThreatSTOP recommends that all our users also apply the patches provided by the various Linux distributions to all Internet-facing hosts as soon as possible. Many other security firms, such as Websense, are blogging about this, and many of them have useful tips. Only those who, like us, can actually provide blocks against inbound attackers are able to protect their customers from this threat. Anti-virus, web filtering and other host-based or outbound-only technologies provide no protection against it.

About ThreatSTOP
ThreatSTOP is a real-time domain and IP Reputation Service that automatically delivers a block list directly to users’ firewalls, routers and DNS servers, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals and state actors. The data consists of both specific threat indicators and geographic data which users combine to create their own customized policies for protection. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s BIND (DNS) server, firewall or router. Founded in 2009, ThreatSTOP is headquartered in Carlsbad, CA. For more information visit http://www.threatstop.com/



ThreatSTOP Announces Improvements to Reporting

Thu, 08/07/2014 - 17:15

ThreatSTOP is pleased to announce a new release of its web portal that significantly improves the speed and utility of the logfile analysis and reporting it provides to subscribers. The new reporting UI presents data in a way that matches how our customers prefer to analyze it.

The most important information is which types of attack have been seen, so the order of the default tabs has been changed so that “Summary by Threat” is the first one displayed. Within that tab, we have broken the attacks down by threat category (Botnets, Malware, Inbound …) and then, within each category, we detail the number of hits in particular target lists.

In addition to changing the “Summary by Threat” tab, we have also changed the “Summary by IP” tab to make it quicker to identify vulnerable internal hosts. Rather than displaying communication pairs, it now shows internal IP addresses only. Clicking on a particular internal IP address shows what communications with it have been blocked.

Finally, we have tweaked the “Summary by Date” tab to display the busiest date/hour and to provide breakdowns of traffic by hour. This can be particularly useful for identifying infected devices that are “calling home” when no one is in the office.
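The three views described above are straightforward to reproduce from a firewall block log, which is useful for checking what the portal shows against your own logs. The Python below is an added example, not the ThreatSTOP portal's code: it reads constructed block-log records of the form `timestamp action src dst list`, maps each target-list name to a threat category through an assumed lookup table, reduces each communication pair to its internal host using an assumed set of internal network ranges, finds the busiest hour, and lists internal hosts that were blocked making outbound connections outside assumed office hours.

```python
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed firewall block-log lines (not real data). Each record is one
# connection dropped because one side matched a target list.
SAMPLE_BLOCKS = """\
2014-08-06T09:14:02 DROP 10.0.0.12 198.51.100.9 zeus
2014-08-06T09:14:05 DROP 203.0.113.7 10.0.0.5 shellshock
2014-08-06T13:40:17 DROP 10.0.0.12 198.51.100.9 zeus
2014-08-06T22:05:44 DROP 10.0.0.31 192.0.2.200 cryptolocker
2014-08-06T22:05:49 DROP 10.0.0.31 192.0.2.200 cryptolocker
2014-08-06T22:06:03 DROP 10.0.0.31 192.0.2.201 cryptolocker
2014-08-07T02:11:30 DROP 192.0.2.77 10.0.0.5 ssh-bruteforce
"""

# Assumed mapping from target-list name to the report's threat category.
CATEGORY = {
    "zeus": "Botnets",
    "cryptolocker": "Malware",
    "shellshock": "Inbound",
    "ssh-bruteforce": "Inbound",
}

# Assumed internal ranges; defined explicitly rather than via is_private so
# that the documentation ranges used as "external" addresses above stay external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFFICE_HOURS = range(8, 18)  # 08:00-17:59, assumed


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def parse_blocks(text):
    """Parse 'ts action src dst list' records into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        ts, action, src, dst, lst = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "action": action,
                        "src": src, "dst": dst, "list": lst})
    return records


def internal_host(rec):
    """The internal side of a communication pair, or None if neither side is."""
    for side in ("src", "dst"):
        if is_internal(rec[side]):
            return rec[side]
    return None


def summary_by_threat(records):
    """{category: {list: hits}} -- the 'Summary by Threat' view."""
    out = defaultdict(Counter)
    for r in records:
        out[CATEGORY.get(r["list"], "Other")][r["list"]] += 1
    return {cat: dict(c) for cat, c in out.items()}


def summary_by_ip(records):
    """{internal_ip: {list: hits}} -- the 'Summary by IP' view, one row per host."""
    out = defaultdict(Counter)
    for r in records:
        host = internal_host(r)
        if host:
            out[host][r["list"]] += 1
    return {h: dict(c) for h, c in out.items()}


def summary_by_hour(records):
    """({(date, hour): hits}, busiest (date, hour)) -- the 'Summary by Date' view."""
    per_hour = Counter((r["ts"].date().isoformat(), r["ts"].hour) for r in records)
    busiest = per_hour.most_common(1)[0][0] if per_hour else None
    return dict(per_hour), busiest


def after_hours_callers(records):
    """Internal hosts blocked on outbound connections outside office hours:
    the 'calling home when nobody is in' pattern."""
    hosts = {r["src"] for r in records
             if is_internal(r["src"]) and r["ts"].hour not in OFFICE_HOURS}
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_blocks(SAMPLE_BLOCKS)
    print("by threat:", summary_by_threat(recs))
    print("by ip:", summary_by_ip(recs))
    print("busiest hour:", summary_by_hour(recs)[1])
    print("after-hours callers:", after_hours_callers(recs))
```

The direction check in `after_hours_callers` matters: an inbound scan against an internal server at 02:00 is not evidence the server is infected, whereas an internal host initiating connections to a listed address at 22:00 is.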

We do of course welcome feedback from our subscribers and suggestions from them on additional ways to enhance our reporting UI.

In addition to the layout changes, some back-end work has been done to improve performance, particularly for our larger customers. The combined result of the back-end database changes and the UI changes is that ThreatSTOP’s customers see the firewall log data they care about immediately, so that they can take action to remediate compromised internal hosts or handle sustained attacks on Internet-facing devices.
