“Democracy is the worst form of government, except for all those other forms that have been tried from time to time.” (Winston Churchill)
I wrote huge philosophic part here… But then – I realized, that too much ideology already dumped into Net, no need to add.
So – see mr. Churchill quote and add “BlackListing” instead of “Democracy” << this is exactly my point.
And making long story short – in providing protection against malware – blacklisting fail.
Blacklisting – “…a blacklist or block list is a basic access control mechanism that allows through all elements (email addresses, users, URLs, etc.), except those explicitly mentioned. Those items on the list are denied access…” (WikiPedia.org)
So, basically, how it should work:
1. Someone detect that IP x.x.x.x or domain badassmalwarehomepage.com is spreading malware, got Exploit Kit installed or some other malicious activity detected
2. IP or domain list added to blacklist – now all software that work with that blacklist, protected from entering this bad site.
3. Internet Safe! (Yeah… )
And how it works now:
1. Malicious IP or domain detected. It take some time to detect new attack, discover all infectors, gather all evidence and prepare to be reported
2. IP\domain reported. There are plenty of different lists, each have it rules. Take some time to re-check and add to list – otherwise it can be used for malicious purposes.
3. Clients not up to date, lists delivered from time to time, check with list take time and traffic. And bottom line – in fastest way it take 2-3 days to get stuff done. Attacker already got profit, monetized and planning new attack.
Nothing new for many of You, and as I said – it’d terrible solution, but we dont have another now.
But wait – it even worse 🙂
Malware don’t need to have it’s own IP\domain exposed to victims, or even malware researchers, on any level. Let me show You, how.