Malware and botnet operators are always adapting their tactics, trying to stay a step or two ahead of defensive technologies and techniques. One of the methods many attackers have adopted is using SSL to communicate with the infected machines they control, and a researcher has started a new initiative to track the certificates attackers use in these operations and publish them.
The new SSL Black List is a public list of certificates associated with a variety of malicious operations, including botnets, malware campaigns and banking Trojans. The database comprises SHA-1 fingerprints of each certificate as well as the reason why it was included in the database. Right now, the list includes more than 125 certificate fingerprints, many of which are associated with well-known botnets and malware operations such as Shylock, Kins and Zeus.
The project is the work of a Swiss security researcher at Abuse.ch who for years has provided resources for tracking many of the major banker Trojan families and botnets.
“The goal of SSLBL is to provide a list of bad SHA1 fingerprints of SSL certificates that are associated with malware and botnet activities. Currently, SSLBL provides an IP based and a SHA1 fingerprint based blacklist in CSV and Suricata rule format. SSLBL helps you in detecting potential botnet C&C traffic that relies on SSL, such as KINS (aka VMZeuS) and Shylock,” the researcher said in a post announcing the new database.
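To make the detection approach in the quote concrete, here is an added example (not code from the article or from Abuse.ch) that computes the SHA-1 fingerprint of a certificate's DER encoding, looks it up in an SSLBL-style CSV list, and renders a matching entry as a Suricata rule. It assumes the CSV layout `Listingdate,SHA1,Listingreason` with `#` comment lines and the Suricata `tls.fingerprint` keyword; the certificate bytes and list entries are constructed for the demo, not real SSLBL data.

```python
import csv
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class BlocklistEntry:
    listing_date: str
    sha1: str        # 40 lowercase hex characters
    reason: str


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over the certificate's DER bytes, which is what SSLBL lists (lowercase hex)."""
    return hashlib.sha1(der_cert).hexdigest()


def load_blocklist(csv_text: str) -> Dict[str, BlocklistEntry]:
    """Parse an SSLBL-style CSV (assumed layout: Listingdate,SHA1,Listingreason).
    Lines starting with '#' are comments. Returns entries keyed by fingerprint."""
    entries: Dict[str, BlocklistEntry] = {}
    rows = (line for line in csv_text.splitlines() if line and not line.startswith("#"))
    for row in csv.reader(rows):
        if len(row) < 3:
            continue
        fp = row[1].strip().lower()
        # Reject malformed fingerprints so a bad line cannot produce a silent mismatch.
        if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
            continue
        entries[fp] = BlocklistEntry(row[0].strip(), fp, row[2].strip())
    return entries


def check_certificate(der_cert: bytes, blocklist: Dict[str, BlocklistEntry]) -> Optional[BlocklistEntry]:
    """Return the blocklist entry for this certificate, or None if it is not listed."""
    return blocklist.get(sha1_fingerprint(der_cert))


def suricata_rule(entry: BlocklistEntry, sid: int) -> str:
    """Render one entry as a Suricata rule (assumed syntax using tls.fingerprint,
    which expects the colon-separated hex form)."""
    colon_fp = ":".join(entry.sha1[i:i + 2] for i in range(0, 40, 2))
    return ('alert tls $EXTERNAL_NET any -> $HOME_NET any '
            f'(msg:"SSLBL: Malicious SSL certificate detected ({entry.reason})"; '
            f'tls.fingerprint:"{colon_fp}"; sid:{sid}; rev:1;)')


def peer_certificate_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER certificate a server presents. Verification is disabled on purpose:
    C&C certificates are usually self-signed and we only want the fingerprint, not a trust decision.
    Not called by the demo below (it needs network access)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates (a tiny ASN.1 SEQUENCE), not real certificates.
SAMPLE_DER_CERT = bytes.fromhex("3003020101")
OTHER_DER_CERT = bytes.fromhex("3003020102")

# Constructed list in the assumed SSLBL layout. The first entry is seeded with the
# fingerprint of SAMPLE_DER_CERT so the demo produces a hit; the rest exercise the parser.
SAMPLE_BLOCKLIST_CSV = (
    "# Listingdate,SHA1,Listingreason\n"
    "2014-01-01 00:00:00," + sha1_fingerprint(SAMPLE_DER_CERT) + ",Constructed sample C&C\n"
    "2014-01-01 00:00:00,0000000000000000000000000000000000000000,Constructed placeholder\n"
    "2014-01-01 00:00:00,not-a-fingerprint,Malformed line that must be skipped\n"
)


if __name__ == "__main__":
    blocklist = load_blocklist(SAMPLE_BLOCKLIST_CSV)
    for der in (SAMPLE_DER_CERT, OTHER_DER_CERT):
        hit = check_certificate(der, blocklist)
        print(sha1_fingerprint(der), "->", hit.reason if hit else "not listed")
    for i, entry in enumerate(blocklist.values(), start=1):
        print(suricata_rule(entry, 902000000 + i))
```

`load_blocklist` takes the CSV text however it was obtained, so the same code serves a downloaded list or one maintained locally; `peer_certificate_der` shows where the DER bytes come from when fingerprinting a live server.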
Researchers in recent years have been trying various tactics to help shore up the fragile certificate authority system. Google has put forward certificate transparency as a way to make all certificates public. The idea includes a publicly viewable log of any certificate that’s issued, but it relies on CAs to cooperate and submit the certificates they issue. The framework is designed to help address the problem of CAs issuing bad certificates, either by mistake or as the result of a compromise by an attacker.
The SSL Black List is small now, but likely will expand, given the number of malware and botnet operators that are using certificates in their operations.