Researchers Solicit Sinkhole-Sharing Among Researchers

SAN FRANCISCO -- RSA CONFERENCE 2013 – Renowned malware analyst Joe Stewart and his team are reaching out to researchers from other firms in a research-sharing effort to expedite identifying new attacks and victims.

Stewart and Silas Cutler, a Dell SecureWorks security researcher, here this week announced that they will share their homegrown sinkhole-sharing technology with their counterparts in the industry to streamline attack research as well as to avoid researchers mistaking one another's sinkhole servers as an attacker's domain.

"If you''re not sharing information with other researchers and law enforcement, they have no idea when they see that server if it's really a command and control and it's temporarily broken, or if it's a sinkhole, or what," says Stewart, director of malware research for Dell SecureWorks. "Hopefully, as we get more researchers into this sharing community, there will be less of the blue-on-blue violence where we lose resources because they thought it was something bad."

Stewart is referring to cases of mistaken identity among researchers going after the same malware and attacks. It's not uncommon for one research group to misidentify another's sinkhole server as a real attacker's domain, for example, or report it and get it wiped out by an ISP or law enforcement.

Cutler wrote tools to facilitate sharing between his sinkhole and Stewart's to hep better investigate and identify new attack evidence and victim organizations. "You don't know in advance what you're going to see, and I was seeing lots of different malware hitting [my sinkhole] and lots of traffic. Trying to make sense of that was the most difficult part," he says. "Silas wrote some tools to facilitate this, and then we started getting great data. We can now isolate malware anomalies we've never seen before and easily identify victims."

Stewart says it makes sense to get other researchers on board to set up a shared sinkhole approach rather than keeping and studying that intelligence in a silo. "We want to share these tools with others and we're getting them prepped to go out" in open source, he says. "We're going to present this to others who are doing sinkholing, those with the same mindset toward sharing."

He says he's seeing a mindset shift in some cases for more sharing among researchers, akin to how the antivirus community ultimately had to come together. "If you're trying to use sinkhole data for some advantage and some other company has different domains, it's not like you're competing. If you are, that could be a big problem. We want to nip that in the bud—stealing sinkhole domains away from each other," Stewart says. "That's ultimately more damaging for end users or victims."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.