Botmasters are adopting new techniques to avoid detection by security experts and law enforcement agencies; consider, for example, that many attackers now use SSL to protect the malicious traffic between the C&C server and infected machines.
A researcher has started a new initiative to track the certificates used by bad actors in malicious operations and publish them in a blacklist, dubbed SSL Black List.
The SSL Black List is part of a project started by a Swiss security researcher at Abuse.ch who in recent years has participated in investigations of the major banking Trojan families and botnets.
Each item in the list associates a certificate with the malicious operations in which attackers used it. The abuses include botnets, malware campaigns and banking malware.
The archive behind the SSL Black List, which currently includes more than 125 digital certificates, contains the SHA-1 fingerprint of each certificate together with a description of the abuse. Many entries are associated with popular botnets and malware-based attacks, including Zeus, Shylock and Kins.
The project is the work of a Swiss security researcher at Abuse.ch who for years has provided resources for tracking many of the major banking Trojan families and botnets.
“The goal of SSLBL is to provide a list of bad SHA1 fingerprints of SSL certificates that are associated with malware and botnet activities. Currently, SSLBL provides an IP based and a SHA1 fingerprint based blacklist in CSV and Suricata rule format. SSLBL helps you in detecting potential botnet C&C traffic that relies on SSL, such as KINS (aka VMZeuS) and Shylock,” wrote the researcher in the blog post that introduces the initiative.
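To make concrete how a defender consumes a fingerprint list like this, here is an added example (not abuse.ch's code and not part of the original post). It assumes the CSV columns are listing date, SHA-1 and listing reason, uses placeholder fingerprints rather than real indicators, and computes the fingerprint the way SSLBL lists it: SHA-1 over the DER-encoded certificate. The Suricata rendering uses the `tls.fingerprint` keyword; the message text and sid numbering are this example's own choices.

```python
import csv
import hashlib
import io
import ssl

# Constructed SSLBL-style CSV for demonstration. Column layout is assumed
# (listing date, SHA-1, listing reason); the fingerprints are placeholders.
BLACKLIST_CSV = """\
# Listingdate,SHA1,Listingreason
2014-07-01 10:00:00,0000000000000000000000000000000000000001,KINS C&C (constructed)
2014-07-02 11:30:00,0000000000000000000000000000000000000002,Shylock C&C (constructed)
"""

HEX_DIGITS = set("0123456789abcdef")

# Constructed stand-in for a certificate's DER bytes. On a live connection the
# DER would come from ssl.SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER = b"constructed-certificate-bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def load_blacklist(csv_text):
    """Parse an SSLBL-style CSV into {sha1_hex: (listing_date, reason)}.

    Comment lines (starting with '#') and malformed rows are skipped, so a
    partially corrupted download degrades to fewer entries instead of an error.
    """
    rows = csv.reader(line for line in io.StringIO(csv_text) if not line.startswith("#"))
    entries = {}
    for row in rows:
        if len(row) < 3:
            continue
        listing_date, sha1, reason = (field.strip() for field in row[:3])
        sha1 = sha1.lower()
        if len(sha1) != 40 or not set(sha1) <= HEX_DIGITS:
            continue
        entries[sha1] = (listing_date, reason)
    return entries


def fingerprint_der(der_bytes):
    """SHA-1 fingerprint as SSLBL lists it: the hash of the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest()


def fingerprint_pem(pem_text):
    """Same fingerprint for a PEM certificate, decoded with the stdlib helper."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text))


def check_certificate(der_bytes, blacklist):
    """Return (fingerprint, match) where match is (listing_date, reason) or None."""
    fp = fingerprint_der(der_bytes)
    return fp, blacklist.get(fp)


def suricata_rule(sha1_hex, reason, sid):
    """Render one entry as a Suricata TLS fingerprint rule.

    tls.fingerprint expects the SHA-1 as colon-separated hex pairs. Characters
    that would break the rule syntax are stripped from the free-text reason.
    """
    colon_hex = ":".join(sha1_hex[i:i + 2] for i in range(0, 40, 2))
    safe_reason = reason.replace(";", "").replace('"', "")
    return (f'alert tls any any -> any any (msg:"SSLBL: {safe_reason}"; '
            f'tls.fingerprint:"{colon_hex}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    blacklist = load_blacklist(BLACKLIST_CSV)
    fp, match = check_certificate(SAMPLE_DER, blacklist)
    print(fp, "->", f"BLACKLISTED: {match[1]}" if match else "not listed")
    for n, (sha1, (_, reason)) in enumerate(sorted(blacklist.items())):
        print(suricata_rule(sha1, reason, sid=9000001 + n))
```

The lookup is a dictionary hit on the hex fingerprint, so the same function serves a passive sensor that extracts certificates from captured TLS handshakes and a host-side check that hashes a certificate file; only the source of the DER bytes changes.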
I have already explained in a previous post that Google is very active in the prevention of any abuse of stolen or unauthorized digital certificates; early this year it announced its Certificate Transparency project, a sort of public register of the digital certificates that have been issued.
“Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.” states the official page of the project.
Unfortunately, many certificate authorities still do not submit their certificates to the public logs.