Botmasters keep adopting new techniques to avoid detection by security experts and law enforcement agencies; one example is the growing use of SSL to protect the malicious traffic between C&C servers and infected machines.
A researcher has started a new initiative to track the certificates used by bad actors in malicious operations and publish them in a blacklist, dubbed SSL Black List.
The SSL Black List is part of a project started by a Swiss security researcher at Abuse.ch who, in recent years, has taken part in the investigations into the principal banking Trojan families and botnets.
Each item in the list associates a certificate to the malicious operations in which attackers used it. The abuses include botnets, malware campaigns and banking malware.
The archive behind the SSL Black List, which currently includes more than 125 digital certificates, comprises the SHA-1 fingerprint of each certificate together with a description of the abuse. Many entries are associated with popular botnets and malware-based attacks, including Zeus, Shylock and Kins.
The project is the work of a Swiss security researcher at Abuse.ch who for years has provided resources for tracking many of the major banking Trojan families and botnets.
“The goal of SSLBL is to provide a list of bad SHA1 fingerprints of SSL certificates that are associated with malware and botnet activities. Currently, SSLBL provides an IP based and a SHA1 fingerprint based blacklist in CSV and Suricata rule format. SSLBL helps you in detecting potential botnet C&C traffic that relies on SSL, such as KINS (aka VMZeuS) and Shylock,” wrote the researcher in the blog post introducing the initiative.
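As an added illustration of how a fingerprint blacklist like this is consumed on the defender's side (example code written for this post, not SSLBL's own tooling), the snippet below computes the SHA-1 fingerprint of a certificate the way SSLBL lists it (SHA-1 over the DER encoding), loads a CSV blacklist and checks a certificate against it, and emits a Suricata rule for a listed fingerprint. It assumes the CSV columns are listing date, SHA-1 and listing reason, and that Suricata's `tls.fingerprint` keyword takes colon-separated hex; the "certificates" and blacklist rows are constructed stand-ins, not real data.

```python
import csv
import hashlib
import io
import ssl

# Constructed stand-ins: SSLBL fingerprints the DER bytes of a certificate, and
# ssl.DER_cert_to_PEM_cert only re-wraps bytes, so a tiny ASN.1 SEQUENCE is enough
# to exercise hashing and matching. These are NOT real certificates.
BAD_CERT_PEM = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x01")
GOOD_CERT_PEM = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x02")


def cert_fingerprint(pem_cert: str) -> str:
    """SHA-1 over the DER encoding, the value SSLBL and Suricata compare against."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def normalize_fingerprint(value: str) -> str:
    # Tools print fingerprints as "AB:CD:..." or "abcd..."; compare one canonical form.
    return value.replace(":", "").strip().lower()


def load_blacklist(csv_text: str) -> dict:
    """Parse rows of (listing date, SHA-1, reason) into {sha1: (date, reason)}.
    Column order is an assumption; '#' comments, short and malformed rows are skipped."""
    entries = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3 or row[0].startswith("#"):
            continue
        sha1 = normalize_fingerprint(row[1])
        if len(sha1) != 40 or any(c not in "0123456789abcdef" for c in sha1):
            continue  # never let a bad entry poison the lookup table
        entries[sha1] = (row[0], row[2])
    return entries


def check_cert(pem_cert: str, blacklist: dict):
    """Return the listing reason if the certificate is blacklisted, else None."""
    hit = blacklist.get(cert_fingerprint(pem_cert))
    return hit[1] if hit else None


def suricata_rule(sha1: str, reason: str, sid: int) -> str:
    # Assumed keyword syntax: tls.fingerprint with colon-separated lowercase hex.
    sha1 = normalize_fingerprint(sha1)
    colon = ":".join(sha1[i:i + 2] for i in range(0, 40, 2))
    return (f'alert tls any any -> any any (msg:"SSLBL listed cert - {reason}"; '
            f'tls.fingerprint:"{colon}"; sid:{sid}; rev:1;)')


# Constructed blacklist: one valid row (upper-case fingerprint, to show normalization)
# and one deliberately malformed row that the loader must ignore.
SAMPLE_BLACKLIST = load_blacklist(
    "# Listingdate,SHA1,Listingreason\n"
    f"2014-07-10 12:00:00,{cert_fingerprint(BAD_CERT_PEM).upper()},KINS C&C\n"
    "2014-07-11 09:30:00,not-a-hash,junk\n")
```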
As I explained in a previous post, Google is very active in preventing the abuse of stolen or unauthorized digital certificates: earlier this year it announced its Certificate Transparency project, a sort of public register of the digital certificates that have been issued.
“Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates,” states the official page of the project.
Unfortunately, many certificate authorities still do not submit the certificates they issue to the public logs.