Feeds

Time to blacklist blacklists

Plenty of ways to overcome 'minor inconvenience'

Choosing a cloud hosting partner with confidence

Blacklists have their place for detecting and identifying malicious content and activity, with the whole signature-based malware detection industry effectively being built around the concept that blacklists are reliable mechanisms.

The only problem is that they aren't.

They certainly are an important element of security models, but the last couple of decades of security research has shown that they quickly become ineffective in the face of a rapidly evolving threat.

Early in the life of antivirus tools, simple signature based detection was enough. An internal blacklist could identify all known pieces of malware because they did not evolve or spread very rapidly. When polymorphic malware began to exhibit better software development, the need for heuristic detection engines became more urgent. Most antimalware software now has a combination of blacklisting and heuristics in use to assist in identifying malicious activity (when they aren't busy deleting critical system files or being compromised by their own analysis engines).

Having an exhaustive blacklist helps companies claim that they detect many tens of thousands of viruses and malware, when in reality it may be many different versions of a few key pieces of malware, just different enough from previous versions to require a brand new blacklist signature.

Moving on to blacklists of known spam-generating IPs and malware-serving sites, we start to see significant problems emerge with this particular approach to protection.

Many mail server administrators will have encountered at least one period where they have found their IP on an RBL (Real Time Block List) alongside IPs that have seen to be spewing spam across networks (or they could have just had AOL mailing list subscribers who find it easier to report as spam than unsubscribe from something they manually subscribed to). With the use of dynamic IP addresses and virtual hosts, many have found that if they have a bad network neighbour, they can be hit with the same blocking (we've had it happen a few times) from indiscriminate RBL maintainers.

Even important registries are not immune from arbitrary blockage and ongoing annoyance from poorly developed RBLs.

The problem of misidentification becomes even worse when blacklists of websites that are hosting malware and phishing attacks are maintained. Microsoft, Mozilla, Opera, McAfee, and Google are just some of the large bodies that have invested significant resources to the creation, maintenance, and use of website blacklists to warn users of potential malicious activity on websites (and in some cases prevent access).

Anyone who spends even just a little bit of time involved with researching and observing the patterns and pace of website attacks, hacks and defacements will know that websites are essentially fragile entities and it doesn't take much for a well-trusted site to become a malware-spewing nightmare.

Like trying to use DRM to restrict the spread of copyright infringement, using blacklists / blocklists to limit access to sites will only stop the honest, and the casual attacker (extremely casual attacker) from getting people to see their site. Any attacker that is remotely serious about their work will have plenty of ways to bypass and overcome the minor inconvenience that the blacklists pose.

If any further evidence was required, a security researcher (Kuza) has published a small set of techniques that can be used to bypass these website blacklists. The set of techniques published reflects just a small number of the many different ways that it is possible to avoid these lists, not least of which is the fact that it takes time for a site to be added to a blacklist.

The response that Kuza received from Microsoft when he reported his techniques for phishing detection avoidance is actually quite an intelligent response - "[it] is not a security feature".

The only problem with this is that many, many people (including a lot of 'security' people who should really know better) consider these lists to be just that - a security feature.

It is time that people became aware that these lists are a small tool of their protection arsenal, and not the major innovation that their creators and maintainers describe them as. It is also time that people became aware of the problems that these lists can cause when improperly developed and maintained (and even when they aren't).

This article originally appeared at Sūnnet Beskerming

© 2007 Sûnnet Beskerming Pty. Ltd

Sūnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sūnnet Beskerming provides global reach with a local touch.

Beginner's guide to SSL certificates

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?