Ever set up a multi/handler and get an odd IP hitting it? Probably forgot about it as internet chatter? Think again, you might have just been caught

AV Tracker - http://avtracker.info/ is a site that tracks the different IP addresses, hostnames, computer names and user agents that AV and other “Submit-your-malware-here” drop boxes use.

Peter Kleissner and his team provide

  • ranges that the hosts use
  • a dynamic text file with the IP addresses listed if you want to add it to some auto updating block list
  • a line by line IPTABLES block config
  • and even C code to add into your binary to make sure it doesn’t talk out from one of those addresses (I could be reading it wrong, still a beginner in C)

The team has been criticized a lot by AV vendors, enough so the took down the site in January of this year. But it came back June 5th.

I use this site to help me know when the Incident Responders are on to me for my pen testing jobs. I do not wish to get in the debate of how a tool could be used.