A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #16356  by Peter Kleissner
 Thu Nov 01, 2012 12:59 am
http://virustracker.info/ is up and running. Feedback, anyone?

It currently monitors the following botnets: MultiBanker, TinyBanker, UrlZone, Infostealer Shiz, Expiro Z and ZeuS Gameover

Within the next weeks I will add other banking trojans and add features like offering the latest samples and displaying more information about C&Cs and infected machines.
With the website there's an automatically updated weekly banking trojan domain blocklist at http://virustracker.info/text/Blocklist_combined.txt

Aloha
 #16361  by Evilcry
 Thu Nov 01, 2012 8:54 am
Nice work Peter, the service is of great help, and offering the latest samples sounds awesome.

Just a question: looking at the Infections/Day graph I see that it starts from 23 Nov. Is this correct?

Evilcry
 #16371  by Peter Kleissner
 Thu Nov 01, 2012 11:46 pm
Oh I see, the scale description is wrong, thanks for bringing that to my attention. Of course it should be October and not November. Fixed it.

Monitoring of the first MultiBanker botnet started on October 4; the other ones were added later over time. For example, I added monitoring of the current UrlZone botnet (sample from 9/17/2012) yesterday, so we will see a first line by tomorrow.
 #16453  by nex
 Mon Nov 05, 2012 12:13 pm
So are you sharing the data collected from the sinkholes or not?
 #16491  by Peter Kleissner
 Thu Nov 08, 2012 1:58 am
There is no data to share as the sinkhole works completely passively. At the current point it only stores the IP and the time stamp into the database for generating the statistics. No POST data is stored at all and no data returned to the infected machines.
Still wondering how you collect the URLs? A sandbox with auto-collection when an HTTP request is found, or is it all manual?
The domains? I have analyzed every single bot and implemented the DGAs and other algorithms into my program that checks everything out. Everything is done on the server completely automatically (the statistic generation, the check for new domains, the blocklist, ...). Still, there is more work to do, such as integrating a complete domain monitoring system and acquiring the latest samples directly from the C&Cs.
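The passive sinkhole design described above (only source IP and time stamp are kept, POST data is drained and discarded, and an empty reply is sent so nothing goes back to the bot), together with the per-day unique-IP count behind the Infections/Day graph, as an added example that is not part of the thread or of virustracker.info's own code. It assumes an in-memory list in place of the database and uses constructed sample records.

```python
"""Passive sinkhole recorder: keep only (source IP, timestamp) per hit,
return nothing to the client, derive per-day infection counts."""
from collections import defaultdict
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

HITS = []  # stands in for the database; each entry is (ip, utc_timestamp)

def record_hit(remote_ip, now=None):
    """Store only the source address and the time of contact, nothing else."""
    ts = now or datetime.now(timezone.utc)
    HITS.append((remote_ip, ts))
    return (remote_ip, ts)

def infections_per_day(hits):
    """Distinct source IPs per UTC day: one bot hitting twice counts once."""
    per_day = defaultdict(set)
    for ip, ts in hits:
        per_day[ts.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}

SAMPLE_HITS = [  # constructed sample records, not real sinkhole data
    ("203.0.113.5", datetime(2012, 10, 4, 9, 0, tzinfo=timezone.utc)),
    ("203.0.113.5", datetime(2012, 10, 4, 21, 0, tzinfo=timezone.utc)),
    ("198.51.100.7", datetime(2012, 10, 4, 11, 0, tzinfo=timezone.utc)),
    ("203.0.113.5", datetime(2012, 10, 5, 8, 0, tzinfo=timezone.utc)),
]

def demo_stats():
    return infections_per_day(SAMPLE_HITS)

class SinkholeHandler(BaseHTTPRequestHandler):
    """Accept any GET/POST, drain the body without keeping it, log the hit,
    and answer with an empty 200 so the bot receives no payload."""
    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)  # drain POST data; it is never stored
        record_hit(self.client_address[0])
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()  # empty body: no data returned to the infected machine

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep URLs and bodies out of stderr logs too
        pass

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), SinkholeHandler).serve_forever()
```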
 #16578  by nex
 Mon Nov 12, 2012 10:31 am
Peter Kleissner wrote: There is no data to share as the sinkhole works completely passively. At the current point it only stores the IP and the time stamp into the database for generating the statistics. No POST data is stored at all and no data returned to the infected machines.
That's exactly the point. Are you sharing the IP data of the sinkholes with CERTs and affected organizations, as we do at Shadowserver, or are you just another one sitting on the data just for the heck of it (or easy money or ridiculous marketing/self-promotion in a lot of cases)?
 #16580  by Peter Kleissner
 Mon Nov 12, 2012 1:26 pm
Yes, I am sharing the IP data with CERTs and similar institutions. Right now there is just a script missing for exporting a live feed or a daily generated archive.

Btw @all, I have added Bamital to the monitoring system, and Bamital and the old ZeroAccess DGA to the weekly updated blocklist.
 #16583  by nex
 Mon Nov 12, 2012 6:48 pm
That's good to hear. There are already too many companies keeping sinkhole data private and selling it as a cheap and ridiculous "threat intelligence" service of some sort, without actually taking any action and blocking people who do from doing it.