
SANS ISC InfoSec Handlers Diary Blog


Gustav Part IV - last list

Published: 2008-09-01
Last Updated: 2008-09-01 14:33:20 UTC
by Marcus Sachs (Version: 1)

This will be the last list of domain names we publish related to hurricanes Gustav or Hanna.  We believe that everybody understands the issue, so after this diary there won't be any further lists.  Many of the domain names being registered are legitimate and are redirecting to sites that support law-abiding charities.  Unfortunately though, many more are either parked in a "for sale" status, or are associated with IP addresses known to host malicious software, spyware, or other hazardous content.

One of our readers, Greg, performed an analysis on the previous lists and found that a significant percentage of the hosting sites for the domains we listed aligned with sites he tracks for malware, botnet C&C, or organized crime.  Because of the possibility of false positives, we won't list the correlations, but we encourage you to work with content filtering services like BrightCloud to assist in developing dynamic blocking rules for the protection of your customers and employees.

One more item of note: while doing this research, we found that somebody is getting way ahead of the game and has registered most of the future hurricane names found on the NOAA web site.  Why wait for the storm when you can go ahead and own the name now?  Sheesh.

Here's the list of domains related to hurricanes Gustav and Hanna registered over the past 24 hours, according to Domain Tools.  Please examine each site and make your own determination about legitimacy.  Work with law enforcement officials if you suspect fraud or criminal activity.

Marcus H. Sachs
Director, SANS Internet Storm Center
