Neutrino Exploit Kit and Ponmocup
Neutrino Exploit Kit and Ponmocup Droppers
Although these two bits of malware are different, both are blocked by ThreatSTOP in the same way.
How does ThreatSTOP Block the Infection?
Thanks to work by extremely talented malware researchers, the servers that actively distribute this malware to vulnerable visitors (known as droppers) have been identified. We propagate the results of that work as a block list in both our IP reputation (ThreatSTOP) and RPZ (DNS Firewall) services.
As a result, vulnerable computers on our users' networks that try to reach these servers (often via a chain of redirects) are stopped from connecting. Blocking the connection prevents the malware from being downloaded and installed on the vulnerable computer.
This is not, and cannot be, a permanent fix. Both malware strains exploit known vulnerabilities, so keeping systems up to date is critical. While a vulnerable computer is on a network protected by ThreatSTOP it is protected from being exploited; if the user visits the malware dropping site from a different network, say when someone takes their laptop home, the computer can become infected.
Neutrino Exploit Kit
The Neutrino Exploit Kit uses a number of vulnerabilities, primarily in Java, to infect vulnerable systems. Neutrino is extremely dangerous: it is under active development and, with the arrest of "Paunch", the alleged author of the Black Hole Exploit Kit, it now holds a near monopoly among the kits criminals use to infect new victims.
Ponmocup
The Ponmocup botnet is currently less of a threat: it does not seem to download really nasty malware onto infected computers, instead displaying a lot of unwanted ads and doing little more. However, there is no reason why it should remain so comparatively benign. For example, there are indications that the Cryptolocker criminals operate "pay per infection" schemes, paying other botnet masters to infect machines under their control with Cryptolocker.
How to Protect Yourself
ThreatSTOP and DNS Firewall stop the malware from being installed. Our alerts and log analysis tools tell you which systems tried to contact those servers, and therefore which may be vulnerable to infection, so that network and systems administrators can update vulnerable devices before they become infected.
Implementing ThreatSTOP and/or Infoblox DNS Firewall, both of which are available for a 30-day, no-obligation trial, is the simplest and most effective way to identify any systems in your network that may be at risk.
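As an added illustration of the two mechanisms this post describes (distributing a dropper block list as an RPZ zone, and mining DNS query logs for the clients that tried to reach blocked hosts), the Python below renders a minimal BIND RPZ zone from a block list and then matches BIND-style query log lines against that same list. This is example code written for this page, not ThreatSTOP's or Infoblox's own tooling or feed format; every domain name, address and log line in it is a constructed placeholder (`dropper.example`, `192.0.2.10`, the `10.0.0.x` clients), not a real indicator.

```python
# Added example (not ThreatSTOP's code): build a BIND RPZ zone from a block list
# and report which DNS clients queried blocked names. All names, IPs and log
# lines below are constructed placeholders, not real indicators.
import re
from collections import defaultdict

# Constructed block list standing in for researcher-identified dropper and
# redirect hosts. A real deployment pulls this from the feed, never hard-codes it.
BLOCKED_DOMAINS = ["dropper.example", "redirect.example"]
BLOCKED_IPS = ["192.0.2.10"]  # RFC 5737 documentation address, placeholder only


def rpz_zone(origin, domains, ips, serial=2014010101):
    """Render a minimal RPZ zone.

    QNAME triggers cover each domain and all of its subdomains; IP triggers
    cover blocked answer addresses. Every trigger uses the NXDOMAIN action
    ("CNAME ."), so the client simply cannot resolve the dropper host.
    """
    lines = [
        "$TTL 300",
        f"@ IN SOA {origin}. hostmaster.{origin}. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME .")      # exact name
        lines.append(f"*.{d} CNAME .")    # any subdomain
    for ip in ips:
        # RPZ IP trigger syntax: <prefixlen>.<reversed octets>.rpz-ip
        rev = ".".join(reversed(ip.split(".")))
        lines.append(f"32.{rev}.rpz-ip CNAME .")
    return "\n".join(lines) + "\n"


# BIND query-log shape: "client <ip>#<port> (<name>): query: <name> IN <type> ..."
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN")


def is_blocked(qname, domains):
    """True if qname is a blocked domain or a subdomain of one.

    Matching on label boundaries matters: a naive substring test would flag
    'notdropper.example' against 'dropper.example', producing false alerts.
    """
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def clients_hitting_blocklist(log_lines, domains):
    """Map each client IP to the sorted blocked names it queried.

    These clients attempted to reach a dropper (directly or via a redirect
    chain), so they are the systems to patch first.
    """
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_blocked(m.group("qname"), domains):
            hits[m.group("ip")].add(m.group("qname").rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed sample log lines; the fourth is a near-miss that must NOT match.
SAMPLE_LOG = [
    "client 10.0.0.5#51234 (dropper.example): query: dropper.example IN A + (10.0.0.1)",
    "client 10.0.0.5#51240 (www.redirect.example): query: www.redirect.example IN A + (10.0.0.1)",
    "client 10.0.0.9#40001 (example.org): query: example.org IN A + (10.0.0.1)",
    "client 10.0.0.7#33333 (notdropper.example): query: notdropper.example IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    print(rpz_zone("rpz.local", BLOCKED_DOMAINS, BLOCKED_IPS))
    for ip, names in clients_hitting_blocklist(SAMPLE_LOG, BLOCKED_DOMAINS).items():
        print(f"{ip} queried blocked names: {', '.join(names)}")
```

Run as-is it prints the zone and reports only `10.0.0.5`, which queried both a blocked name and a subdomain of one; `10.0.0.7` is not reported because `notdropper.example` only shares a suffix string with `dropper.example`, not a label boundary. The zone output can be loaded into BIND as a response-policy zone; the log matcher is the kind of check the post's "which systems tried to contact those servers" alerting performs.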