Last year, some of us were talking about how to explain the power of malnet tracking, and Alex suggested that we call it "negative-day blocking", as a play on the well-known phrase "zero-day attack". If a zero-day is a new, never-before-seen attack against a vulnerability for which no patch exists, then a negative-day block is a defense put in place for a new attack one or more days before the attack takes place -- even if that new attack is a zero-day. We liked the "negative-day" term, and it stuck.
Yesterday, there was a spike of traffic to a shady domain called winthemountain.net. (Which was literally a brand-new domain -- it didn't even show up in the first two "whois" services I checked -- newly registered by the aptly-named "INTERNET.BS CORP" (heh).)
At the time of yesterday's research, we'd seen 409 hits in the WebPulse dynamic-rating logs, all of which were flagged in real-time as Malware. (There would be even more hits in the full logs, once the Malnet Tracker auto-added the domain to the database.) So far, so good: if that were the whole story of the attack, we'd have a nice zero-day block. But of course that's not the whole story...
The story of this attack begins back in September, when one of our analysts noted a surge in traffic to an IP address in the 195.3.145.x range, one with a long history of malicious use, having hosted at least three other malnet servers in past campaigns. The analyst duly logged the new server as part of an active malnet once again.
For the next month, the server hosted an average of one new domain a day (as many as three domains on some high-activity days). WebPulse's Malnet Tracker dutifully blocked all of them.
Then, on Oct. 11th, the server jumped to a new IP, and the previous IP went dark. The server itself hadn't changed, however, so the Malnet Tracker continued blocking the new domains. (winthemountain.net is the 10th domain hosted on the new IP since the switch.)
Counting from the 11th, when we automatically recognized the new IP as a malicious host, and began blocking all of its domains, we have a "negative-eight-day block" of yesterday's attack. Of course, we could also be greedy, and count it as a "negative-30-day block", since that's how long we've known about this particular malnet...
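As an added illustration (not WebPulse's own code; the post does not describe its internals), here is a minimal host-based tracker that reproduces the bookkeeping above: flag a host, auto-block any never-seen domain that resolves to it, and compute the negative-day count from the host's flag date. The IP addresses, the log lines, and all dates (including the year and the September flag date) are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

ATTACK_DAY = date(2012, 10, 19)  # constructed date for "yesterday's" traffic spike
@dataclass
class MalnetTracker:
    flagged_ips: Dict[str, date] = field(default_factory=dict)      # ip -> first flagged
    blocked_domains: Dict[str, date] = field(default_factory=dict)  # domain -> auto-added

    def flag_host(self, ip: str, when: date) -> None:
        # Keep the earliest flag date so the lead time is never overstated
        if ip not in self.flagged_ips or when < self.flagged_ips[ip]:
            self.flagged_ips[ip] = when

    def observe(self, when: date, domain: str, ip: str) -> Optional[str]:
        """Rate one request; returns why it was blocked, or None if allowed."""
        if domain in self.blocked_domains:
            return "blocked-by-domain"
        if ip in self.flagged_ips and self.flagged_ips[ip] <= when:
            self.blocked_domains[domain] = when  # never-seen domain, auto-added by host
            return "blocked-by-host"
        return None

    def negative_days(self, ip: str, attack: date) -> int:
        """Days the host was already blocked before `attack`: the negative-day count."""
        return (attack - self.flagged_ips[ip]).days

# Constructed rating log: "YYYY-MM-DD domain resolved-ip" (documentation IP ranges)
SAMPLE_LOG = """
2012-10-12 first-after-the-move.example 198.51.100.7
2012-10-19 winthemountain.net 198.51.100.7
2012-10-19 winthemountain.net 198.51.100.7
2012-10-19 unrelated-site.example 203.0.113.9
"""

def build_tracker() -> MalnetTracker:
    t = MalnetTracker()
    t.flag_host("192.0.2.5", date(2012, 9, 19))      # old host, logged by the analyst
    t.flag_host("198.51.100.7", date(2012, 10, 11))  # new IP the server jumped to
    return t

def replay(tracker: MalnetTracker, log: str) -> Dict[str, List[Optional[str]]]:
    """Feed each log line to the tracker; returns the verdict sequence per domain."""
    verdicts: Dict[str, List[Optional[str]]] = {}
    for line in log.strip().splitlines():
        day, domain, ip = line.split()
        verdicts.setdefault(domain, []).append(tracker.observe(date.fromisoformat(day), domain, ip))
    return verdicts
```

The first hit on winthemountain.net is blocked by host and auto-adds the domain, every later hit is blocked by name, and the count against the new IP comes out at eight days (thirty against the September host).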
The traffic in this series of attacks is coming mostly from car-related forums, but there were also gun/hunting, ATV, tech, hobby, and other types of forums involved. (And possibly some non-forum sites; I haven't checked all of the involved sites, since there are a lot of them.)
And that's as far as I got before running out of time. I would have liked to keep digging, to track down a payload, and figure out which ad network has been fooled (or hacked) to include this traffic, but all these meetings won't attend themselves...
(Good thing WebPulse doesn't have meetings or travel to worry about. It gets to spend all of its time looking at data. Lucky...)