Blocking ransomware download domains
-
Just read about the new ransomware 'PetrWrap'. The article says that blocking the domain 'french-cooking.com' prevents the malicious code in mail attachments from downloading additional code (which does the encryption).
What is the best practice to block domains like this? SquidGuard is surely not suitable, because there is no HTTP traffic in this case.
Should I block this with a firewall rule? But the IP behind the 'french-cooking' domain is changing fast.
About malware domain blacklists: which one is the best? But these are also only good for HTTP traffic (SquidGuard), so they cannot give protection against any download method other than HTTP? Or can they be integrated into the firewall somehow?
So what is the best way? Thanks!
-
Will using the DNS forwarder with a domain override do the job? Is it a proper way?
https://ejnetwork.wordpress.com/2014/08/04/blocking-domains-with-pfsense-using-dns-forwarder/
-
You could create a dummy DNS entry for that host name. Point it to some unused RFC 1918 address. Then it won't go anywhere else.
-
Where to create the entry?
-
Ok, got it this way:
https://forum.pfsense.org/index.php?topic=132892.msg730573#msg730573
-
That shows how to force DNS requests to the firewall. Once there, you have to provide an address or the request will use the address provided by whatever DNS you use. On the DNS Resolver and Forwarder pages, you can use host overrides to assign the dummy address to the host name.
-
The proper "poor man's" way would be creating a host override DNS entry in the Resolver/Forwarder and pointing it to your local web server (with a 'french-cooking.com' vhost). That way you:
- will impede the dropper from obtaining its payload
- will know (from the access logs on your web server) if you have infected machines on your network.
The real proper way would be implementing an IDS/IPS system, but how to do that is another story.
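As an added example (not code from the thread or from pfSense), here is the "find infected machines from the sinkhole web server's access logs" part of the post above in working form. It assumes the sinkhole vhost logs in combined format with the vhost name prepended (an assumed log format), and the sample lines are constructed. Only RFC 1918 client addresses are reported, since the point is to find internal hosts whose dropper tried to fetch its payload.

```python
"""Report internal hosts that requested the sinkholed ransomware domain.

Assumed (not from the thread) access-log format: combined log with the
vhost name prepended, e.g.
  french-cooking.com 10.0.5.23 - - [28/Jun/2017:09:15:02 +0200] "GET /a.exe HTTP/1.1" 404 196 "-" "Mozilla/4.0"
The sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Domains that the DNS host override points at the local sinkhole web server.
SINKHOLED = {"french-cooking.com"}

# RFC 1918 ranges: only clients from these are "our" machines.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two internal hosts hit the sinkhole, one legitimate
# request to another vhost, one non-RFC1918 client, one unparseable line.
SAMPLE_LOG = [
    'french-cooking.com 10.0.5.23 - - [28/Jun/2017:09:15:02 +0200] "GET /a.exe HTTP/1.1" 404 196 "-" "Mozilla/4.0"',
    'french-cooking.com 10.0.5.23 - - [28/Jun/2017:09:15:04 +0200] "GET /b.exe HTTP/1.1" 404 196 "-" "Mozilla/4.0"',
    'french-cooking.com 10.0.7.8 - - [28/Jun/2017:10:01:11 +0200] "GET /a.exe HTTP/1.1" 404 196 "-" "Mozilla/4.0"',
    'intranet.example 10.0.5.23 - - [28/Jun/2017:09:20:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'french-cooking.com 203.0.113.9 - - [28/Jun/2017:09:30:00 +0200] "GET /a.exe HTTP/1.1" 404 196 "-" "curl/7.5"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    return any(ip in net for net in RFC1918)


def find_infected(lines, sinkholed=SINKHOLED):
    """Map internal client IP -> hit count, first timestamp and requested paths
    for requests that reached a sinkholed vhost."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["vhost"].lower() not in sinkholed:
            continue
        try:
            ip = ip_address(rec["client"])
        except ValueError:
            continue
        if not is_internal(ip):
            continue
        h = hits[str(ip)]
        h["count"] += 1
        if h["first_seen"] is None:
            h["first_seen"] = rec["ts"]
        h["paths"].add(rec["path"])
    return dict(hits)


def report(hits):
    """Human-readable summary, one line per suspected infected host."""
    return "\n".join(
        f"{ip}: {h['count']} request(s), first seen {h['first_seen']}, paths {sorted(h['paths'])}"
        for ip, h in sorted(hits.items())
    )


if __name__ == "__main__":
    print(report(find_infected(SAMPLE_LOG)))
```

Run it against the real sinkhole vhost's log instead of SAMPLE_LOG; any internal address that shows up is a machine where the dropper already executed and should be pulled off the network, regardless of whether the download got a 404 from the sinkhole.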
-
https://ransomwaretracker.abuse.ch/ has DNS and IP blocklists that you can automatically import into the pfBlocker plug-in, which will create and update aliases, which can then be used in your firewall block rules for ingress and egress.
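For anyone without pfBlocker, here is an added example (not from the thread, not pfBlocker's or abuse.ch's code) of what a feed import boils down to on the DNS side: parse a plain-text domain blocklist and emit Unbound host-override statements that sinkhole each listed domain and its subdomains to an RFC 1918 address. The feed format (one domain per line, `#` comments) and the sample feed are assumptions constructed for the example; pfSense's DNS Resolver is Unbound, so the emitted statements are the same kind the GUI host overrides produce.

```python
"""Convert a plain-text domain blocklist into Unbound sinkhole entries.

Assumed feed format (an assumption for this example): one domain per line,
'#' starts a comment, blank lines are ignored.  Output is Unbound syntax:
  local-zone: "evil.example." redirect
  local-data: "evil.example. A 10.254.254.254"
A 'redirect' zone answers the name and everything below it with the
local-data, so subdomains used by fast-changing droppers are covered too.
"""
import re
from ipaddress import ip_address

# Constructed sample feed, not real data.  Covers mixed case, leading
# whitespace, a trailing dot, an invalid entry and duplicate lines.
SAMPLE_FEED = """\
# Constructed sample feed, not real data
# Domain Blocklist
french-cooking.com
FRENCH-COOKING.COM
   bad.example
not a domain!
evil.example.
# end
"""

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name):
    """Syntactic check: 2+ labels, each 1-63 chars of [a-z0-9-], no leading/trailing '-'."""
    name = name.rstrip(".")
    if not 1 <= len(name) <= 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def parse_feed(text):
    """Return the unique, normalised, syntactically valid domains in feed order."""
    seen = set()
    domains = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line or not valid_domain(line):
            continue  # comments, blanks and junk are skipped, never sinkholed
        if line not in seen:
            seen.add(line)
            domains.append(line)
    return domains


def unbound_sinkhole(domains, sinkhole_ip):
    """Emit local-zone/local-data pairs pointing every domain at sinkhole_ip."""
    ip = ip_address(sinkhole_ip)
    rrtype = "A" if ip.version == 4 else "AAAA"
    lines = []
    for d in domains:
        lines.append(f'local-zone: "{d}." redirect')
        lines.append(f'local-data: "{d}. {rrtype} {ip}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # 10.254.254.254 is an assumed unused RFC 1918 address (or the sinkhole web server).
    print(unbound_sinkhole(parse_feed(SAMPLE_FEED), "10.254.254.254"), end="")
```

Point the sinkhole address at the local web server from the earlier post if you want the access-log visibility as well; the validation step matters because a malformed line in a feed would otherwise produce a broken Unbound config and take resolution down for everyone.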
-
Thank you Guys.
I know it's off-topic, but can I safely install/use the latest pfBlocker plugin (2.1.1_8) on an older pfSense release (2.3.2-RELEASE)?
-
This post is deleted!
-
@Finger79
I get a 503 error when hitting https://ransomwaretracker.abuse.ch/ from pfBlockerNG and from the web. Temporarily down? Are there other ransomware tracking feeds for pfB? I didn't see any that specifically listed ransomware.