Spyware Listening Post
The goal of the Spyware Listening Post is to build a self-sustaining spyware prevention and detection framework. We are accomplishing this by using existing tools such as the BlackHoleDNS project and our existing Emerging Threats Spyware Signatures to funnel known traffic to analysis points to identify the unknown.
The core of the collection process will be the BlackHoleDNS project. Rather than sending violating traffic to localhost, as is common now, we will ask users to send it to a collection server. We will return a 1 pixel gif for each request or a one byte text file. The logs from those requests will be the source of new information. More information about how to contribute to this data collection effort is available on the BlackHoleDNS page. If you do not use this tool, you are encouraged to use whatever tools you do have available to redirect spyware traffic and infections to listen.emergingthreats.net.
What we are learning:
1. Information about the URLs and CGI strings used by known spyware. We can confirm the accuracy of existing Snort signatures and add new signatures based on new URLs.
2. Identify new User-Agent strings to add to the block lists.
3. Identify new binary names and URLs to be submitted to AV and content filtering firms.
4. We can follow the trail of requests to new domains and add those to the BlackHoleDNS lists.
5. We learn more about what, who, and how the bad guys work.
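As an added illustration, not code from the project or this page, the following shows how the collector's logs can be mined for the items listed above: User-Agent strings not yet in the block list, CGI strings reduced to path and parameter names (the shape a signature keys on), binary downloads, and domains seen in Host or Referer that are not yet in the blackhole list. The log format, the sample lines and the "known" baselines are all assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (not a real capture). Assumed format written by the
# collector: Host header, client IP, request line, status, Referer, User-Agent.
# Every blackholed name resolves to the same collector, so Host is the key field.
SAMPLE_LOG = """\
ads.example-spy.test 10.0.0.5 "GET /cgi-bin/report.cgi?id=123&v=2 HTTP/1.1" 200 "-" "SpyAgent/1.0"
dl.example-spy.test 10.0.0.6 "GET /update/toolbar.exe HTTP/1.1" 200 "http://start.other-spy.test/home" "Mozilla/4.0 (compatible; Toolbar-X)"
ads.example-spy.test 10.0.0.5 "GET /cgi-bin/report.cgi?id=124&v=2 HTTP/1.1" 200 "-" "SpyAgent/1.0"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)" "([^"]*)"$')

# Assumed baselines standing in for the existing signature and blackhole lists.
KNOWN_AGENTS = {"SpyAgent/1.0"}
KNOWN_DOMAINS = {"ads.example-spy.test", "dl.example-spy.test"}

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, client, _method, target, _status, referer, ua = m.groups()
    parts = urlsplit(target)
    return {"host": host, "client": client, "path": parts.path,
            "query": parts.query, "referer": referer, "ua": ua}

def analyze(log_text):
    """Extract new agents, CGI strings, binaries and new domains from raw log text."""
    agents, cgi, binaries, domains = Counter(), Counter(), set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        agents[rec["ua"]] += 1
        if rec["query"]:
            # Keep parameter names, drop values: that is what a signature keys on.
            names = "&".join(k for k, _ in parse_qsl(rec["query"], keep_blank_values=True))
            cgi[rec["path"] + "?" + names] += 1
        if rec["path"].lower().endswith((".exe", ".dll", ".cab")):
            binaries.add(rec["host"] + rec["path"])
        ref_host = urlsplit(rec["referer"]).hostname  # None for "-"
        for d in (rec["host"], ref_host):
            if d and d not in KNOWN_DOMAINS:
                domains.add(d)
    return {"new_agents": sorted(a for a in agents if a not in KNOWN_AGENTS),
            "cgi_strings": dict(cgi), "binaries": sorted(binaries),
            "new_domains": sorted(domains)}
```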
We will make this information available in statistical form for anyone to see. Stats such as most common spyware packages, upticks and trends in traffic and packages, and new tactics, as well as the unique URLs in use.
We believe that in general we are all losing the fight against spyware and malware. We hope this project will move us into the driver's seat rather than continuing our current reactionary tactics.
Project Admin is Matt Jonkman.
--
MattJonkman - 20 Mar 2007