ISC StormCast for Friday, July 19th 2013 http://isc.sans.edu/podcastdetail.html?id=3427

Blog Spam - annoying junk or a source of intelligence?

Published: 2013-07-18
Last Updated: 2013-07-18 04:30:23 UTC
by Chris Mohan (Version: 1)
5 comment(s)
 
Can blog spam be of any real use to security teams? Here’s my take on turning a piece of what some consider internet background noise in to information ripe to becoming actionable intelligence.
 
I get waves of blog spam – comments that posted to a blog site advertising someone else’s wares (including links to malware!), services or attempts to increase search engine rankings – to my small corner of the internet at infrequent cycles. To many of my fellow blog owners this is a source of constant annoyance, but for me I get a little, gleeful smile and promptly dump the user agent [1], body text (extracting any embedded URLs), and posting IP address in to my pile of “all things to observe and search on”.  
 
Once carefully added in to my speed optimized database*, I then sort it, note the duplicate posts and do some passive look-ups on free resources, such as the Internet Storm Center (ISC) IP lookup tables [2], to see if it’s a known or reported as malicious/bad. I then pipe the IP address, domains and URLs into a local copy of Collective Intelligence Framework (CIF), regardless if the passive searching didn’t yield any information, to see if anyone else has run into it. For those unfamiliar with CIF, fellow Handler, Russ McRee, did a nice write up on the basics [3] on the Collective Intelligence Framework (CIF) by Wes Young [4]. CIF pools data from numerous sources and can quickly help identify if any of the collected data points to botnets, infected systems, malware hosts, etc. All of which is an huge informational leap up from an annoying automated posting with an IP address and URL.  
 
With the results from those searches completed, I can then compare those results back to historical data or logs from other sources (firewalls, proxy logs or spam filters [5]). All of this is automated via some ‘internet researched’ code - poorly shunted together by yours truly. After any matches and final results are spat out, it allows me to then make decisions whether to add the IP address, net block, user agent or URL to a block or monitor list. I’m not a fan of trusting my scripts or intelligence feeds to be completely accurate for automatic blocking IP ranges, but don’t worry so much on pushing alerted URLs in to the Suspicious category on web proxy system. I’ve found my human web surfing anomaly detection systems are really good at ring up and moaning if we, that’s the Royal We (meaning me), accidently blocks Google.
 
If you want to go to visually to town with the data, pop the resolved spamming IP addresses in to a geo-IP, the ISC has a page to help with that [6] and show friends, family or the management where the bad IP addresses live. Who says the whole family can't enjoy an evening of PowerPoint together, listing the towns, cities and countries that spam your blog sites. Surely that beats watching re-runs of some random TV show?
 
All this possible intelligence from humble blog spam, so what could you do with that data?
   
As ever, feel free to pitch in any thoughts or comments.
 
 
 
*It’s not a text file – well, not any more …
 
[1] http://www.useragentstring.com/
[2] https://isc.sans.edu/ipinfo.html
[3] http://holisticinfosec.blogspot.com.au/2012/07/toolsmith-collective-intelligence.html
[4] https://code.google.com/p/collective-intelligence-framework/
[5] https://isc.sans.edu/diary/Can+users'+phish+emails+be+a+security+admin's+catch+of+the+day%3F/14578
[6] https://isc.sans.edu/tools/whereis.html

 

Chris Mohan --- Internet Storm Center Handler on Duty

5 comment(s)

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives