<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Blocking a site hosted malware in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/blocking-a-site-hosted-malware/m-p/14005#M10282</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I would say it would be best if you could block the malware with antivirus/anti-spyware profiles. For that to work, Palo Alto needs to have a signature for that specific malware.&lt;/P&gt;&lt;P&gt;I searched through the threat database but did not find anything named seedabutor. If it doesn't exist under a different name, you could contact support and have them make a signature for it.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 25 Feb 2013 21:58:04 GMT</pubDate>
    <dc:creator>torm</dc:creator>
    <dc:date>2013-02-25T21:58:04Z</dc:date>
    <item>
      <title>Blocking a site hosted malware</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/blocking-a-site-hosted-malware/m-p/14004#M10281</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;A new "parked domain" company has come to the surface, and they seem to own a LOT of domain names, none of which brightcloud has correctly classified as "parked domain".&amp;nbsp; The server in question is hosting a piece of malware called seedabutor.b.&amp;nbsp; Our AV is catching it, but I'd love to just block the whole server instead of handling this each time I see a misspelled URL that lands on that server.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One of the URLs is &lt;A href="http://calgaryheral.com/" title="http://calgaryheral.com/"&gt;http://calgaryheral.com/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Another is &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="http://calgaryhomeshow.ca"&gt;http://calgaryhomeshow.ca&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now you can see that while they seem to be the same server, they are on different IP addresses.&amp;nbsp; So blocking by domain or IP isn't going to do it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So, what can I do to block this specific strain of malware from coming in each and every time?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Looking forward to your guidance.&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 25 Feb 2013 20:55:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/blocking-a-site-hosted-malware/m-p/14004#M10281</guid>
      <dc:creator>cenders</dc:creator>
      <dc:date>2013-02-25T20:55:45Z</dc:date>
    </item>
    <item>
      <title>Re: Blocking a site hosted malware</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/blocking-a-site-hosted-malware/m-p/14005#M10282</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I would say it would be best if you could block the malware with antivirus/anti-spyware profiles. For that to work, Palo Alto needs to have a signature for that specific malware.&lt;/P&gt;&lt;P&gt;I searched through the threat database but did not find anything named seedabutor. If it doesn't exist under a different name, you could contact support and have them make a signature for it.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 25 Feb 2013 21:58:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/blocking-a-site-hosted-malware/m-p/14005#M10282</guid>
      <dc:creator>torm</dc:creator>
      <dc:date>2013-02-25T21:58:04Z</dc:date>
    </item>
    <item>
      <title>Re: Blocking a site hosted malware</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/blocking-a-site-hosted-malware/m-p/14006#M10283</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Basically what you can do (with the PA device):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1) Enable IPS and AV for all flows. At least with a profile such as:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Critical: Block&lt;/P&gt;&lt;P&gt;High: Block&lt;/P&gt;&lt;P&gt;Medium: Block&lt;/P&gt;&lt;P&gt;Low: Default&lt;/P&gt;&lt;P&gt;Informational: Default&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2) Enable SSL termination (so the above IPS and AV inspection will also apply to SSL traffic).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;3) Enable URL filtering and only allow already classified domains/URLs (by category). You will most likely need to enable dynamic lookups (against the urldb "cloud") since the downloadable db is only the top 10000 (or so) of each category.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;4) Enable a dynamic blocklist. This way you can have a box on your network which downloads and/or generates a txt file with IP addresses; the PA box then has a schedule for how often it should fetch this txt file from that server and put it in a specific rule which you configured to block access. This works either if there already exists a site which publishes recommended IP addresses to block and the particular bad sites are already included, or if you do this on your own by using whois or such (for example if these sites are registered by the same user or so).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;5) If possible, also limit which filetypes will be allowed to download from the Internet (and since you have SSL termination, SSL/HTTPS stuff will also be covered by this). Preferably by a whitelist ("only these filetypes are allowed, drop any other").&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;6) If PA didn't create a public threat ID for these bad files you could contact your SE or the appid team and ask them to do so. If possible you can also create your own signature (depends on how dynamic the bad files are).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 26 Feb 2013 06:37:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/blocking-a-site-hosted-malware/m-p/14006#M10283</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2013-02-26T06:37:40Z</dc:date>
    </item>
  </channel>
</rss>