Warn before entering dynamic DNS site

Discussion in 'ESET NOD32 Antivirus' started by SmackyTheFrog, Jul 26, 2011.

Thread Status:
Not open for further replies.
  1. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    I'm sure plenty of other people have seen malware hosted in dynamic DNS websites. Lots of malicious dropper agents end up referencing them since you can change the host serving the malicious content so rapidly. Since the likelihood that you would be accessing a dynamic DNS website for anything legitimate is very slim, it seems like some kind of warning message in the browser is warranted.

    I've been blocking them by using stub zones for the corporate DNS, but that doesn't really help for home or mobile users, and is frankly a pain in the butt since there are so many of these things out there and is purely reactive.

    Anyway, just a thought. Here's a list of all the ones that have been problematic and I ended up blocking.

     
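Added example, not part of the thread: a small detection routine that flags proxy-log requests whose host falls under one of the dynamic-DNS zones named above. The zone list is a handful of the entries from the post; the log format and log lines are constructed for illustration.

```python
"""Flag web requests whose host sits under a known dynamic-DNS zone."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# A few of the dynamic-DNS zones listed in the post above.
DDNS_ZONES = {"co.cc", "cz.cc", "zapto.org", "rr.nu", "ce.ms"}


def normalize_host(host: str) -> str:
    """DNS names are case-insensitive; also drop a trailing root dot."""
    return host.rstrip(".").lower()


def ddns_zone_for(host: str) -> Optional[str]:
    """Return the matching DDNS zone, or None.

    Matching is done on label boundaries, so 'evil.co.cc' and 'co.cc'
    match but 'xco.cc' does not (a plain suffix check would misfire).
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_ZONES:
            return candidate
    return None


def flag_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, zone) for each line whose URL host is in a DDNS zone.

    Assumed (constructed) log format: '<client_ip> <method> <url>'.
    Malformed lines and URLs without a host are skipped.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname
        if not host:
            continue
        zone = ddns_zone_for(host)
        if zone:
            hits.append((normalize_host(host), zone))
    return hits


# Constructed sample proxy log: two DDNS hits, one look-alike, one bad line.
SAMPLE_LOG = [
    "10.0.0.5 GET http://Update.CO.CC/dl/setup.exe",
    "10.0.0.7 GET http://www.example.com/index.html",
    "10.0.0.9 GET http://host.zapto.org./a",
    "10.0.0.4 GET http://xco.cc/",
    "garbage",
]
```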
  2. foneil

    foneil Eset Staff Account

    Joined:
    Dec 7, 2010
    Posts:
    255
    Location:
    San Diego
  3. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    I appreciate the update to the documentation, but is it possible to do something that is a bit more automated to warn users when they are accessing something that is running through a free DNS service? The ThreatSense back-end seems like the logical place to compile a comprehensive list of these kinds of websites that are providing free anonymous DNS for malware purposes.
     
  4. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Some blocking of domains is done, but given the ease with which new sites can be added via DDNS, it is not practical to inspect all network traffic searching for DDNS origin points, as one would then have to deal with delays for lookup and response, false positive reports, whitelisting, blacklisting and so forth.

    Regards,

    Aryeh Goretsky
     