Thursday, June 11, 2009

Blacklisted Security Researchers

As a security researcher you often encounter strange and unexpected behaviors visiting known-bad sites. In most cases you're actually hoping something will happen to your unpatched and disposable Web browser as you navigate a suspicious site that was reported to you by a customer or managed service provider.

You arm your system with numerous monitoring agents and wait for the unseen explosion of activity as your VM gets infected from some drive-by-download site. Or maybe not.

In the past I've talked about advancements to the X-morphic Attack Engines used by drive-by-download operators and how they often "blacklist" IP addresses of known security research institutions - such that the "good guys" don't get served the malicious goodies, and can't then dissect the code and develop new protection signatures/algorithms.

I'd never actually seen one of those blacklists of security researchers that the bad guys don't want to serve their crimeware to up close - until now. Yuval Ben-Itzhak over at Finjan managed to uncover one such list from a crimeware toolkit and posted a nice blog about what they found - "Security vendors watch out, your IP address might be blacklisted by cybercriminals".

I guess the question now is whether I can get my home DSL netblock added to the blacklist for safer browsing by the family? Probably not.
