Blacklists miss 90% of malware blogged IP love
Correlate all the things.
Threat intelligence firm RecordedFuture says popular web blacklists are missing thousands of IP addresses linked to malware data theft.
The Massachusetts company, which boasts it's scored four out of five "top companies in the world" as clients, says correlating IP addresses to malware references yields between a thousand and tens of thousands of bad IP addresses that common blacklist sources miss.
The company's report on the matter (PDF) says that more than 90 percent of the 1521 notably nasty IP addresses linked to two pieces of malware and 67,563 associated with one malicious executable are unknown to net blacklists.
"We compared the 1521 IP addresses against the 258,288 IP addresses currently occurring on the blacklists, and found that only 117 of them were on those lists, whereas the rest were unknown and not included on the blacklists," the researchers say.
"In other words, 92 percent of the suspicious IP addresses identified with this method were not identified by current blacklists.
"Of the 117 addresses, 67 were classified as inbound and 50 as outbound, and 12 of the 117 addresses occurred on multiple blacklists."
The researchers examined all sources on the public and dark webs from news sites to blogs and Twitter feeds that mentioned malware between 1 January 2014 and 2 August this year, and cleaved off everything that did not contain suspicious IP address information.
Much of the IP address pool is outbound, meaning it is likely associated with dumping spots for malware exfiltration.
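One way to reproduce the report's correlation step on a small scale, as an added Python example that is not RecordedFuture's code: the sample sources, malware names and blacklist are constructed for the example; it pulls IPv4 literals out of text that names a malware family, discards non-routable ranges, and measures how many of the resulting addresses a blacklist already covers.

```python
import ipaddress
import re

# Constructed sample "web sources" (blog posts, news items, tweets) of the kind the
# report mined; the addresses are RFC 5737 documentation ranges chosen for this example.
SAMPLE_DOCS = [
    "Upatre dropper beacons to 203.0.113.7 before pulling Dyreza from 203.0.113.9",
    "New Dyreza config lists 203.0.113.7 and 198.51.100.22 as C2 nodes",
    "CryptoWall payment site observed at 192.0.2.44; unrelated host 10.0.0.5 mentioned",
    "Office printer firmware update notes, version 1.2.3.4 released today",
]
MALWARE_NAMES = {"upatre", "dyreza", "citadel", "zeus", "cryptowall"}
# Constructed blacklist standing in for the 258,288 public blacklist entries in the report.
BLACKLIST = {"203.0.113.7", "192.0.2.44"}
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Ranges that cannot be an Internet-facing C2 or drop site (documentation ranges are
# deliberately left in so the constructed samples pass through).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def routable_ips(text):
    """Extract IPv4 literals that parse and fall outside the non-routable ranges."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. an octet above 255
            continue
        if not any(ip in net for net in NON_ROUTABLE):
            found.append(str(ip))
    return found

def correlate(docs, malware_names):
    """Map each IP to the malware families named in the same source; sources naming no malware are dropped."""
    ip_to_malware = {}
    for doc in docs:
        lowered = doc.lower()
        families = {name for name in malware_names if name in lowered}
        if not families:
            continue  # a bare version string like 1.2.3.4 never enters the pool
        for ip in routable_ips(doc):
            ip_to_malware.setdefault(ip, set()).update(families)
    return ip_to_malware

def blacklist_gap(ip_to_malware, blacklist):
    """Split correlated IPs into already-listed and unknown; return the unknown share in %."""
    known = {ip for ip in ip_to_malware if ip in blacklist}
    unknown = set(ip_to_malware) - known
    return known, unknown, round(100 * len(unknown) / max(len(ip_to_malware), 1))
```

On the constructed data half of the correlated addresses are absent from the blacklist; the report measured the same gap at 92 percent against real sources.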
[Figure caption] Network graph of 1521 IP addresses (blue) and 198 malware (red), showing several major clusters and a number of smaller structures.
Picking the malware cluster scabs uncovers trojans like Upatre and Dyreza sharing hundreds of associated IP addresses, as do Citadel, Zeus, and CryptoWall.
The researchers provide further case-study analysis of how various known dangerous malware families share IP address space, and in which countries that address space is located. ®