9 Replies Latest reply on Sep 17, 2014 5:10 AM by michael_schneider

    Certificates associated with malware added to SSL Blacklist

    bkirk

      SC Mag has an article related to blocking web traffic to certificates associated with malware. 

       

http://www.scmagazine.com/certificates-associated-with-malware-added-to-ssl-blacklist/article/361264/

       

       

Has anyone done this in Web Gateway? I would be interested in applying this to my ruleset, using the external list they have in the article.

       

      Thank you,

      Brian

        • 1. Re: Certificates associated with malware added to SSL Blacklist
          Jon Scholten

          Hi Brian,

           

          In the certificate verification ruleset, you could create another rule to look at the SHA1 hash of the certificate and block based on the sha1 hash.

           

          MWG has properties for this:

          SSL.Server.Certificate.SHA1Digest

           

Additionally, @asabban created a McAfee Maintained list for certificates: "This list contains SHA1 hashes of certificates which are known to be fraudulent and/or used for malicious activities." Currently it is populated with a few related to Google and Yahoo.

           

          Best,

          Jon

          • 2. Re: Certificates associated with malware added to SSL Blacklist
            bkirk

            Ok is there an easy way to add this list?

             

            https://sslbl.abuse.ch/blacklist/sslblacklist.csv

             

Here is a snippet from the list. When I load this into an external customer maintained list of type string, it fails with the following error:

            Coordinator error Update of customer subscribed list: preview (com.scur.type.string.139) failed. Not possible to create the list because the content could not be identified

             

            ################################################################
            # abuse.ch SSL Fingerprint Blacklist (CSV)                     #
            # Last updated: 2014-07-21 18:00:01 (UTC)                      #
            #                                                              #
            # Terms Of Use: https://sslbl.abuse.ch/blacklist/              #
            # For questions please contact sslbl [at] abuse.ch             #
            ################################################################
            #
            # Timestamp of Listing (UTC),SSL certificate SHA1 Fingerprint,Listing reason
            2014-07-19 07:33:58,27fc1e59181f38788c4987086c3338c1af107820,KINS C&C
            2014-07-19 07:32:51,be1a584a85c879f8555d984fc36bef69db6d8ad5,KINS C&C
            2014-07-19 07:22:53,82e215a96a60b2effd68d89c35e4aef0f8ca6349,KINS C&C
            2014-07-19 07:22:51,4ec974448fe04ab3697ac708cc6542efd4b3e46c,KINS C&C
            

             

            Message was edited by: bkirk on 7/21/14 1:28:46 PM CDT
            • 3. Re: Certificates associated with malware added to SSL Blacklist
              asabban

              Hello,

               

There are two ways to add the list.

               

              1)


To add it as a "subscribed list", i.e. a list that shows up along with its content in the "Lists" section of the UI, you have to make a local copy of the list and modify it, since MWG cannot understand the format the list is in. If there is a web server running somewhere, use a command like this (probably via cron) to mark up the list. It is also important to tell MWG the type of the list, which is done by writing it into the very first line:

               

              $ echo "type=string" > ssl_subscribed_list.txt && curl -s "https://sslbl.abuse.ch/blacklist/sslblacklist.csv" | grep -v ^# | cut -d, -f 2 >> ssl_subscribed_list.txt

               

It will write a file "ssl_subscribed_list.txt" with only SHA1 hashes in it. You can add this as a string list to MWG now:

               

[Screenshot: 2014-07-22 11_32_53-Setup.png]

              The list shows up in MWG:

               

[Screenshot: 2014-07-22 11_33_57-McAfee _ Web Gateway - MWG7-Test-1 - 10.140.184.144.png]

               

You can now easily make a rule that says "SSL.Server.Certificate.SHA1Digest is in list <your list> => Block".

               

              2.)

               

Use an external list with cache. The external list is basically a "live lookup", so you tell MWG to fetch the blacklist when an SSL web site is visited. The nice thing about external lists is that you can pre-define the content type and apply a regular expression when the call to the web server is made. Set the cache to 90 minutes or higher to avoid MWG fetching the list too often.

               

              Basically when a user accesses an HTTPS web site MWG calls the Blacklist (or uses the locally cached copy). It uses a regular expression to remove everything but the SHA1 hashes, so a string list with SHA1 hashes comes back and is stored in a user-defined property.


              You can apply a rule like "SSL.Server.Certificate.SHA1Digest is in list <your user-defined property> => Block".

               

              The nice thing is that you generally do not need to make a copy of the list. The downside is that for every HTTPS site request MWG theoretically polls the server. The cache helps here. When the server is down it is possible that MWG will present an error to the user while the "subscribed list" in 1.) continues to work as it resides on the disk and not only in memory.

               

I will add an example for 2.). I strongly recommend using option 1. If there is enough interest I can also find out if we are allowed to provide you with a pre-converted list, which would come as a "McAfee Maintained" list.

               

              Best,

              Andre

               

Message edited by asabban on 22.07.14 11:42:12 MESZ

               

Message edited by asabban on 22.07.14 11:44:01 MESZ

               

Message edited by asabban on 22.07.14 11:47:13 MESZ
              • 4. Re: Certificates associated with malware added to SSL Blacklist
                Jon Scholten

                Hi Andre!

                 

For your ruleset you might want to add "Command.Name equals CERTVERIFY" to the ruleset criteria. If someone places it outside of the SSL scanning certificate checking rules, then you will get a rule engine error (because there is no cert to filter).

                 

                Best,
                jon

                • 5. Re: Certificates associated with malware added to SSL Blacklist
                  asabban

                  Hey Jon,

                   

Yes, that's right. I have talked to the guys who operate the blacklist and they gave me permission to make this into a "McAfee Maintained List". I will prepare the list and some new rules, so you don't need to bother about converting the list on your own.

                   

                  Best,

                  Andre

                  • 6. Re: Certificates associated with malware added to SSL Blacklist
                    bkirk

That is great. I have the current list in my test policy, but am looking forward to using a "McAfee Maintained List" instead of jumping through the hoops to get this list working.

                     

                    Looking forward to your posting.

                     

                    Thank you,

                    Brian

                    • 7. Re: Certificates associated with malware added to SSL Blacklist
                      asabban

                      Hello,

                       

                      I have created a rule set and a McAfee Maintained list. It should be enough to import the rule set which can be found at

                       

                      https://contentsecurity.mcafee.com/ruleset_library?q=50044

                       

It should automatically create the McAfee Maintained list. It also contains the "CERTVERIFY" condition. I have tested it with a sample URL and it seems to work as expected. Please feel free to give it a try, and let me know in case things are unclear or any problems occur.

                       

                      Best,

                      Andre

                      • 8. Re: Certificates associated with malware added to SSL Blacklist
                        darkfell

                        Hi. How can I create another McAfee Maintained list for information on zeus? (https://zeustracker.abuse.ch/blocklist.php)

                        • 9. Re: Certificates associated with malware added to SSL Blacklist
                          michael_schneider

                          Hello,

                           

That would not be a list maintained by us but by you: a Customer Maintained list.

Here is a script (quick and dirty) that you can put into a cron on any web server to build a list:

                           

#!/bin/bash
# Fetch the ZeuS Tracker domain blocklist; wget names the output file after the URL.
# (--no-check-certificate skips TLS verification of the feed server; drop it if the CA is trusted on this host.)
wget --no-check-certificate "https://zeustracker.abuse.ch/blocklist.php?download=baddomains"
# The very first line tells MWG the list type.
echo "type=string" > list.txt
# Drop the feed's comment lines and append the domains.
grep -v "#" blocklist.php\?download\=baddomains >> list.txt

                           

                          This will produce a new file (list.txt) that can be imported as subscribed list.

                           

                          thanks,

                          Michael
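The two conversions in this thread (asabban's SHA1 list from the abuse.ch SSL Blacklist CSV in reply 3, and Michael's domain list from the ZeuS Tracker feed in reply 9) are the same transformation: drop the feed's comment lines, keep one value per line, and put `type=string` on the very first line so MWG recognizes the subscribed list. The script below is an added example, not code from the thread or from McAfee. It wraps both conversions in shell functions and adds the check a practitioner would want before pointing a gateway at the output: the SHA1 column is filtered to well-formed 40-hex-character digests, so a malformed or truncated feed line cannot silently end up in the list, and duplicates are removed. The feed content is a constructed sample embedded inline (the hashes and domains are made up, not real indicators) so it runs offline; in production you would pipe the output of curl or wget from the feed URLs into these functions instead.

```shell
#!/bin/sh
# Added example (not from the thread): build MWG "type=string" subscribed
# lists from abuse.ch-style feeds. Sample feed content is constructed below.

# Constructed sample of the SSL Blacklist CSV layout shown in reply 2.
# Hashes are placeholders, not real fingerprints. One line is deliberately
# malformed and one hash is duplicated to exercise the filtering.
SAMPLE_SSLBL='################################################
# abuse.ch SSL Fingerprint Blacklist (CSV) - constructed sample
# Timestamp of Listing (UTC),SSL certificate SHA1 Fingerprint,Listing reason
2014-07-19 07:33:58,0000000000000000000000000000000000000001,KINS C&C
2014-07-19 07:32:51,0000000000000000000000000000000000000002,KINS C&C
2014-07-19 07:22:53,not-a-hash,broken line
2014-07-19 07:22:51,0000000000000000000000000000000000000002,KINS C&C
'

# Constructed sample of a plain domain feed (one domain per line, # comments),
# the layout Michael's script at the end of the thread consumes.
SAMPLE_DOMAINS='# ZeuS Tracker bad domains - constructed sample
example-bad-1.invalid
example-bad-2.invalid

example-bad-1.invalid
'

# csv_to_mwg_sha1_list: read CSV on stdin, write an MWG string list on stdout.
#  - first line is the list type MWG expects
#  - comment and blank lines are dropped
#  - the second comma-separated field (the SHA1 fingerprint) is kept
#  - only well-formed 40-hex-char digests survive; the feed's own case is kept
#  - duplicates are collapsed
csv_to_mwg_sha1_list() {
    printf 'type=string\n'
    grep -v '^#' | grep -v '^[[:space:]]*$' \
        | cut -d, -f2 \
        | tr -d '\r' \
        | grep -E '^[0-9a-fA-F]{40}$' \
        | sort -u
}

# domains_to_mwg_list: same for a one-domain-per-line feed.
domains_to_mwg_list() {
    printf 'type=string\n'
    grep -v '^#' | grep -v '^[[:space:]]*$' \
        | tr -d '\r' \
        | sort -u
}

# Usage with the constructed samples (in production, replace the printf with
# e.g. curl -s "<feed URL>" and redirect into the list file the web server
# publishes for MWG):
printf '%s' "$SAMPLE_SSLBL" | csv_to_mwg_sha1_list
printf '%s' "$SAMPLE_DOMAINS" | domains_to_mwg_list
```

The regex filter is the important addition over the one-liners in the thread: a CSV line that is malformed, or a feed that changes its column layout, would otherwise append junk to a list the gateway compares against every server certificate, while `sort -u` keeps the list small for the cache. Whether MWG matches SSL.Server.Certificate.SHA1Digest case-sensitively is not stated in the thread, so the script keeps the digests exactly as the feed publishes them rather than changing their case.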