02-25-2013 12:55 PM
A new "parked domain" company has come to the surface, and they seem to own a LOT of domain names, none of which BrightCloud has correctly classified as "parked domain". The server in question is hosting a piece of malware called seedabutor.b. Our AV is catching it, but I'd love to just block the whole server instead of handling this each time I see a misspelled URL that lands on that server.
One of the URLs is http://calgaryheral.com/
Another is http://calgaryhomeshow.ca
Now you can see that while they seem to be the same server, they are on different IP addresses. So blocking by domain or IP isn't going to do it.
So, what can I do to block this specific strain of malware from coming in each and every time?
Looking forward to your guidance.
Regards.
02-25-2013 01:58 PM
I would say it would be best if you could block the malware with antivirus/anti-spyware profiles. For that to work, Palo Alto needs to have a signature for that specific malware.
I searched through the threat database but did not find anything named seedabutor. If it doesn't exist under a different name, you could contact support and have them make a signature for it.
02-25-2013 10:37 PM
Basically what you can do (with the PA device):
1) Enable IPS and AV for all flows. At least with a profile such as:
Critical: Block
High: Block
Medium: Block
Low: Default
Informational: Default
2) Enable SSL termination (so the above IPS and AV inspection will also cover SSL traffic).
3) Enable URL filtering and only allow already classified domains/URLs (by category). You will most likely need to enable dynamic lookups (against the urldb "cloud"), since the downloadable db only contains something like the top 10000 (or so) of each category.
4) Enable using a dynamic blocklist. This way you can have a box on your network which downloads and/or generates a txt file with IP addresses; the PA box then has a schedule for how often it should fetch this txt file from that server and put it in a specific rule which you have configured to block access. Either there already exists a site which publishes recommended IP addresses to block and the particular bad sites are already included, or you do this on your own by using whois or such (for example if these sites are registered by the same user).
5) If possible, also limit which file types are allowed to be downloaded from the Internet (and since you have SSL termination, SSL/HTTPS traffic will be covered by this as well). Preferably by a whitelist ("only these file types are allowed, drop any other").
6) If PA didn't create a public threat ID for these bad files, you could contact your SE or the AppID team and ask them to do so. If possible you can also create your own signature (depends on how dynamic the bad files are).
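One way to build the "box on your network which generates a txt file" from step 4, as an added example that is not part of this thread and not Palo Alto Networks code. It assumes only what the post states: the firewall fetches a plain text file with one IP address per line. The domain names and addresses in it are constructed placeholders, not real indicators; the resolver is injectable so the logic can be tested offline, and the real run uses the operating system resolver.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Set

# Constructed placeholder list of domains observed landing on the bad server.
# In practice this would be fed from the proxy/firewall logs or the URL
# filtering log; the thread itself names only two hostnames.
SUSPECT_DOMAINS = [
    "bad-parked-example-1.invalid",
    "bad-parked-example-2.invalid",
]

# A resolver takes a hostname and returns its IPv4 addresses as strings.
Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve a hostname to all of its IPv4 addresses with the OS resolver.

    Returns an empty list on failure so one dead or typo'd domain does not
    abort the whole generation run.
    """
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def build_blocklist(domains: Iterable[str],
                    resolve: Resolver = system_resolver,
                    allowlist: Iterable[str] = ()) -> List[str]:
    """Resolve every suspect domain and return a sorted, de-duplicated list
    of public IPv4 addresses, minus anything on the allowlist.

    The allowlist is the safety net: if a suspect domain is ever pointed at a
    shared CDN or at one of our own addresses, we do not want the firewall
    rule to swallow legitimate traffic on the next scheduled fetch.
    """
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    collected: Set[ipaddress.IPv4Address] = set()
    for domain in domains:
        for raw in resolve(domain):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # resolver returned something that is not an address
            # Drop private, loopback, link-local and other non-global ranges:
            # a sinkholed or mis-resolved domain must never block our own LAN.
            if addr.version != 4 or not addr.is_global:
                continue
            if addr in allowed:
                continue
            collected.add(addr)
    return [str(a) for a in sorted(collected)]


def render_blocklist(ips: Iterable[str]) -> str:
    """One address per line with a trailing newline: the plain text format
    the post describes for the file the firewall fetches on its schedule."""
    return "".join(f"{ip}\n" for ip in ips)


def write_blocklist(path: str, ips: Iterable[str]) -> None:
    """Write the rendered list to the path served to the firewall."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(render_blocklist(ips))


if __name__ == "__main__":
    # Real run: resolve the suspect domains and publish the file.
    addresses = build_blocklist(SUSPECT_DOMAINS, allowlist=["192.0.2.1"])
    write_blocklist("blocklist.txt", addresses)
    print(f"wrote {len(addresses)} addresses")
```

Run it from cron on the web server the firewall is configured to fetch from, on a shorter interval than the firewall's own fetch schedule, so the firewall never pulls a half-written file. Because the output is only ever IP addresses the suspect domains currently resolve to, the list tracks the server even as the hosting company moves domains between addresses, which is exactly the problem the original poster ran into when blocking a single IP.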