New security functions
As part of a firmware update last week, we activated new security functions of the firewall. These are focused on protection of users against newly discovered malicious content on websites and on botnet detection.
Until the above mentioned update, the integrated firewall was setup to perform the basic service of rejecting and logging incoming packet which are not part of an already established connection. Such packets are usually part of an attempt to enter the network or scan it.
Data gathered from such logs make it possible for us to prepare statistics of most frequent "attackers" and use them further in our research. However, it does not allow us to protect users from other kinds of problems in which the connection is either already established or comes from inside the network, for example from an infected device.
In order to improve the firewall in this area, we added two new functions:
1/ we started to log communication with known centers of botnets for which public records exists,
2/ we started to block access to addresses that are hosting malicious content active on Czech websites.
We have worked on both these functions closely with the CSIRT.CZ team, which provides us with data for blocking of malware hosting hosts and for botnet centers.
Blocking of malicious content is based on the fact that Czech websites injected with malware usually do not host it themselves, but rather contain an iframe which leads to a server outside the Czech Republic (usually in China or Russia) which serves the malware itself. It this case, blocking the "foreign" address does not influence the original content of the page, but bars access to the malware. It is important to note that the data are always checked thoroughly by the CSIRT.CZ team to exclude any possibility for blocking normal content.
In case of communication with botnet centers, for now we just monitor the situation and in case a problem is found, we will contact the users in cooperation with CSIRT.CZ to help the resolve it. If this proves effective and the sources of data accurate, we might decide to start blocking such traffic.
Lets hope that there will be minimum of the above described traffic and in case it appears that it will be possible to quickly fix the problem.