Yep, the good old "blackhole" technique. Most of the naughty domains are going to 127.0.0.1, which helps if the malware is programmed to go back to a specific domain name, but that doesn't help with malware that is using Google or other publicly available sites, which might have been compromised, to get back to its instruction set.

Also there are the fast-flux domains, which are usually tied with malware/botnets, that this approach has a good effect on. Again, nothing is foolproof, but if you can reduce your risk, and quickly, that is better than sitting there praying for forgiveness after you get owned.

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

From: Devin Meade [mailto:devin.me...@gmail.com]
Sent: Tuesday, May 04, 2010 2:44 PM
To: NT System Admin Issues
Subject: Re: Internet Policies

I used a "fake DNS" entry for twitter.com and the others that I found in the ISA log. I made a new forward lookup zone for each one in our Active Directory integrated DNS system. I know it won't block sub-domains, but it made the point. It has since been removed. I can use Trend Micro OfficeScan if we want to actively block, though.

Devin

On Tue, May 4, 2010 at 1:22 PM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

I was aware of that, but I was wondering what Devin's company used. Personally, I'd go for either DNS (if there was a blackhole or something easily implemented like that) or a web filtering appliance.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, May 04, 2010 2:20 PM
To: NT System Admin Issues
Subject: Re: Internet Policies

They can be blocked via DNS, via firewalls, via web filtering technologies.

-ASB: http://XeeSM.com/AndrewBaker

On Tue, May 4, 2010 at 2:11 PM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

How did you block them? Do you have an appliance, or did you put in some sort of DNS entries?

From: Devin Meade [mailto:devin.me...@gmail.com]
Sent: Tuesday, May 04, 2010 1:21 PM
To: NT System Admin Issues
Subject: Re: Internet Policies

Up until last month we blocked all the social networking sites. Now our firm is marketing on them. We are adjusting our policies for this. It will be on a user-by-user basis, though.

Devin

On Tue, May 4, 2010 at 11:38 AM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

What restrictions, if any, do your organizations place on things like IM or social networking sites? I sent out a warning to the office personnel this morning regarding the new "IM Virus" and got an email back from the CEO basically stating "shouldn't that be a violation of company policy anyway?" and I had to tell him I knew of no policies regarding that; and that in fact, my former supervisor was fully aware of at least one person (whose child is overseas in the military) who used IM on a semi-regular basis. For this reason, I'm working on coming up with a company policy. I've looked at the sample template from SANS as well as another one that someone sent me off-list. I'm planning on incorporating the best of everything I get, so if anyone has any suggested language regarding IM or social networking, please let me have it.
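The DNS "blackhole" zone Devin and Edward describe, scripted as an added example that is not part of the thread: it creates an authoritative AD-integrated zone per blocked domain and points both the apex and a wildcard record at the sinkhole address, so sub-domains answer with the sinkhole too rather than failing inconsistently. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 and later, which postdate the 2010 thread), an elevated session on a domain DNS server, and a constructed domain list.

```powershell
# Added example (not from the thread). Requires the DnsServer module on a Windows DNS
# server (2012+) run elevated. $Domains below is a constructed list for illustration.

function Add-DnsSinkholeZone {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        # 127.0.0.1 matches the thread; point at an internal web server instead if you
        # want the blocked requests logged rather than silently dropped on the client.
        [string]$SinkholeAddress = '127.0.0.1',
        [ValidateSet('Forest', 'Domain')][string]$ReplicationScope = 'Domain'
    )
    foreach ($d in $Domains) {
        if (Get-DnsServerZone -Name $d -ErrorAction SilentlyContinue) {
            Write-Warning "Zone $d already exists; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($d, 'Create AD-integrated sinkhole zone')) {
            # Dynamic updates off so clients cannot register records inside the fake zone.
            Add-DnsServerPrimaryZone -Name $d -ReplicationScope $ReplicationScope -DynamicUpdate None
            # Apex (twitter.com) and wildcard (*.twitter.com) both answer with the sinkhole.
            # Short TTL so removing the zone later takes effect quickly on clients.
            $ttl = New-TimeSpan -Minutes 5
            Add-DnsServerResourceRecordA -ZoneName $d -Name '@' -IPv4Address $SinkholeAddress -TimeToLive $ttl
            Add-DnsServerResourceRecordA -ZoneName $d -Name '*' -IPv4Address $SinkholeAddress -TimeToLive $ttl
        }
    }
}

# Verify from the server itself that apex and a sub-domain both resolve to the sinkhole.
function Test-DnsSinkholeZone {
    param([Parameter(Mandatory)][string[]]$Domains, [string]$SinkholeAddress = '127.0.0.1')
    foreach ($d in $Domains) {
        foreach ($name in @($d, "www.$d")) {
            $answer = Resolve-DnsName -Name $name -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue |
                      Where-Object { $_.Type -eq 'A' }
            [pscustomobject]@{
                Name      = $name
                Sinkholed = ($answer.IPAddress -contains $SinkholeAddress)
            }
        }
    }
}

# Constructed list of domains for illustration (taken from the thread / a placeholder).
$Domains = 'twitter.com', 'blocked-example.test'
Add-DnsSinkholeZone -Domains $Domains -WhatIf    # preview; drop -WhatIf to apply
Test-DnsSinkholeZone -Domains $Domains
```

Removing a zone later with Remove-DnsServerZone restores normal resolution; pair the sinkhole with firewall logging if you need to see which hosts were still trying to reach the blocked names.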