Site reputation and the Russian Business Network
by Rich Sutton, October 17th, 2007
[Note: Thanks to Satnam Narang, a security researcher in 8e6 Labs, for helping out with this post.]
Security software vendors are embracing the concept of site reputation. This is the idea that what a site or host has done in the past should be used to decide whether or not you can trust that site in the future.
Everybody is building the concept into new or existing products and services: McAfee has SiteAdvisor for end-point security; Secure Computing has TrustedSource for spam mail detection; I just talked to a small company called RobotGenius that’s taking an interesting approach to site reputation based on their own heuristic analysis of executables downloadable from that site. We here at 8e6 recently introduced the Bad Reputation Domain category into our web filter to achieve a similar objective.
There are myriad sources of data that can feed a reputation decision. Are the executables hosted on a site malicious? Does the HTML contain hidden iframes (which are generally used for malicious purposes) or does the JavaScript attempt to exploit known vulnerabilities? Does the site’s list of links in or links out include other sites with bad reputations?
All of this feeds a bottom-up approach to assessing reputation, which gives you a detailed picture of the current state of a specific IP or domain. But often, you don’t have any of this kind of data available for a given site. Witness the domain tasting phenomenon, where the bad guys are serving attacks from domains moments after they’re registered, then delisting them within five days.
So the data fed into the reputation analysis of an IP address or domain has to go beyond just what can be determined from a page-by-page, executable-by-executable and link-by-link analysis.
There’s so much more: Who owns the domain or netblock? Where is it hosted? What is the reputation of the other sites and IPs of that owner? How long has the domain been registered? Have prior registered domains resolved to that IP? If so, what was their reputation? [Note: SpamHaus is a notable exception to this limited view of domain reputation. The guys fighting spam have taken a more holistic approach for a couple of years now.]
As an example, let’s look at the Russian Business Network.
The Russian Business Network (RBN) has received some press recently. Bryan Krebs of the Washington Post published an enlightening article on it last Saturday:
“An Internet business based in St. Petersburg has become a world hub for Web sites devoted to child pornography, spamming and identity theft, according to computer security experts. They say Russian authorities have provided little help in efforts to shut down the company.”
The RBN allegedly owns and/or operates ASNs in the netblock 81.95.144.0/20. SpamHaus has a detailed report on the RBN, and they recommend blocking this entire netblock in their drop list. Krebs also provided a mapping of the RBN network with some address data that corroborates SpamHaus. Here’s a Domain Tools whois report on one of the ASNs inside of it.
Let’s look at the distribution of categorized URLs and domains in the 8e6 Database from servers hosted in that netblock:
- Malcode — 84.08%
- BotNets — 5.22%
- Porn — 4.62%
- ChildPorn — 4.01%
- Spyware — 1.34%
- Phishing — 0.73%
I didn’t omit anything — that’s the whole list. Yikes! There is literally nothing on the network that has any redeeming value. I’m willing to bet that any IT Admin could legitimately make the case to the business folks that access to this whole netblock should be blocked. (We put all 4096 IPs from the block in our Bad Reputation Domains category.)
Now let’s see what McAfee’s SiteAdvisor has to say about the RBN.
I pulled an active porn site from our list of sites on the RBN. SiteAdvisor gives you the green light, and even gives the thumbs up on an executable hosted on that site. I don’t know about you, but I don’t care if that exe doesn’t hit one of McAfee’s signatures … it’s hosted by the bad guys! I don’t want any of my users to be able to download it.
To illustrate a more insidious problem, I looked up a dead IP in the netblock. As expected, SiteAdvisor shows a grey question mark icon and reports that it has not reviewed this site. While that’s certainly true, it’s not particularly helpful. Personally, I would be inclined not to trust whatever showed up on that IP in the future, because, once again, it’s owned by the bad guys.
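The points above, page-level signals such as hidden iframes, the category distribution inside the 81.95.144.0/20 netblock, and the unreviewed-IP case, come together in the following Python. It is an added example, not code from 8e6, SpamHaus or McAfee: the categorized records and the HTML snippet are constructed (outside-netblock hosts use the 192.0.2.0/24 documentation range), the hidden-iframe heuristic is a simple one chosen for illustration, and the verdict rule encodes the post's stance that an IP inside a bad-reputation netblock is blocked even when nothing has been crawled from it.

```python
import ipaddress
from collections import Counter
from html.parser import HTMLParser

# Netblock named in the post; SpamHaus recommends dropping all of it.
RBN_NETBLOCK = ipaddress.ip_network("81.95.144.0/20")

# Constructed sample of categorized hosts (category names taken from the post).
# A real filter vendor's database would supply these.
SAMPLE_RECORDS = [
    ("81.95.144.10", "Malcode"), ("81.95.145.22", "Malcode"),
    ("81.95.146.7", "Malcode"), ("81.95.150.3", "Malcode"),
    ("81.95.155.9", "Malcode"), ("81.95.159.250", "Malcode"),
    ("81.95.147.8", "BotNets"), ("81.95.148.1", "BotNets"),
    ("81.95.149.66", "Porn"), ("81.95.151.12", "Phishing"),
    ("192.0.2.10", "News"), ("192.0.2.11", "Shopping"),  # outside the netblock
]

# Constructed page with a zero-size iframe, the kind of signal the post mentions.
SAMPLE_HTML = (
    '<html><body><p>Welcome</p>'
    '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'
    '</body></html>'
)


def in_bad_netblock(ip: str, netblock=RBN_NETBLOCK) -> bool:
    """Netblock-level reputation: is this address inside a dropped range?"""
    return ipaddress.ip_address(ip) in netblock


def category_distribution(records, netblock=RBN_NETBLOCK):
    """Percentage share of each category among hosts inside the netblock."""
    counts = Counter(cat for ip, cat in records if in_bad_netblock(ip, netblock))
    total = sum(counts.values())
    if total == 0:
        return {}
    return {cat: round(100.0 * n / total, 2) for cat, n in counts.most_common()}


class HiddenIframeFinder(HTMLParser):
    """Counts iframes that are sized to zero or styled invisible (heuristic)."""

    def __init__(self):
        super().__init__()
        self.hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        if (a.get("width", "").rstrip("px") == "0"
                or a.get("height", "").rstrip("px") == "0"
                or "display:none" in style
                or "visibility:hidden" in style):
            self.hidden += 1


def page_signals_from_html(html: str) -> dict:
    """Bottom-up, page-level evidence gathered by crawling the site."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    return {"hidden_iframe": finder.hidden > 0}


def reputation_verdict(ip: str, page_signals):
    """Combine page-level and netblock-level evidence into a decision.

    page_signals is None when the host has never been crawled (the post's
    'dead IP' case); netblock membership still decides then.
    """
    if page_signals and any(page_signals.values()):
        return "block", "page-level evidence"
    if in_bad_netblock(ip):
        return "block", "hosted in bad-reputation netblock"
    if page_signals is None:
        return "unknown", "no data for this host"
    return "allow", "no evidence"


if __name__ == "__main__":
    print(RBN_NETBLOCK.num_addresses, "addresses in", RBN_NETBLOCK)
    for cat, pct in category_distribution(SAMPLE_RECORDS).items():
        print(f"{cat}: {pct}%")
    print(reputation_verdict("81.95.147.8", None))          # never crawled, inside block
    print(reputation_verdict("192.0.2.10", page_signals_from_html(SAMPLE_HTML)))
```

The verdict function shows why the netblock signal matters: a host with no page data but an address inside the dropped range is blocked, while an outside host is judged on what was actually crawled from it.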
I don’t mean to pick on SiteAdvisor; I like the concept behind that service. But my point here is that assessing site reputation is much more than relying on locating infected files and mapping links. It requires a cross-discipline approach, optimally involving data from more than one security vendor or research organization. Look for that from your vendors. Ask them who they’re partnered with and don’t accept the argument that one security vendor’s core competencies are enough to secure your entire infrastructure.
Tags: IPs, malware, RBN, reputation