Spyware Listening Post
The goal of the Spyware Listening Post is to collect information about trojans and spyware we aren't aware of through sample collection methods. We are accomplishing this by relying on great projects like David Glosser's MalwareDomains.com
project and our existing Emerging Threats Spyware Signatures to funnel known traffic to analysis points to identify the unknown.
How it works is this: we ask you to send hostile requests for known bad domains to a collection server rather than to localhost. We will return a 1 byte text file for each request to minimize bandwidth. The logs from those requests will be the source of new information. More information about how to contribute to this data collection effort is available at the Malware Domains page
. If you do not use this tool you are encouraged to use whatever tools you do have available to redirect spyware traffic and infections to listen.emergingthreats.net.
What we are learning:
1. Information about the url’s and parameters being used by known spyware. We can confirm existing signature accuracy and add new signatures based on new information
2. Identify new User-Agent strings
3. Identify new binary names and url's to be submitted to AV and ccontent filtering firms
4. We can follow the trail of requests to new domains and add those to the Malware Domains
5. We learn more about what, who, and how the bad guys work.
The collected information is sanitized. We will not release the source of any hit, nor do we track which sites are submitting traffic. This is a very safe way to contribute information about badness that will directly result in new signatures.
To use the spyware listeningpost we recommend using the block list available at MalwareDomains.com
, and use a zone file like below for each of those domains:
$TTL 86400 ; one day
@ IN SOA dns01.emergingthreats.net.
28800 ; refresh 8 hours
7200 ; retry 2 hours
864000 ; expire 10 days
86400 ) ; min ttl 1 day
@ IN NS dns01.emergingthreats.net.
@ IN A 126.96.36.199
* IN A 188.8.131.52
@ MX 10 mail.emergingthreats.net.
Put this in place for your blockeddomains.hosts file as recommended at MalwareDomains.com