Researcher launches SSL Blacklist

Roman Hussy, the Swiss security activist behind Abuse.ch, has started another project: the SSL Blacklist (SSLBL).

Known for the trackers that keep tabs on command and control (C&C) servers for the Zeus, SpyEye, Palevo and Geodo malware families, as well as the domain- and a IP-blocklists he provides, he was spurred to create this new set of blacklists by the fact that some malware families switched from using HTTP to using HTTPS.

The lists will be updated every 15 minutes, and will provide administrators a list of SHA1 hashes of SSL certificates and IPs associated with malware and botnet activities, to use to block bad traffic.

“SSLBL helps you in detecting potential botnet C&C traffic that relies on SSL, such as KINS (aka VMZeuS) and Shylock. Currently, SSLBL provides an IP based and a SHA1 fingerprint based blacklist in CSV and Suricata rule format,” he concluded in the announcement.