Monday, December 15, 2014

Hosts file and PAC filter on Windows 7

New Way Of Handling Hosts File On Windows

Somebody wrote to me saying that my hosts file installer is no longer suitable for Windows Vista, 2008 Server, Windows 7 or, if you are crazy enough to use it there, Windows 8.

This is absolutely correct.  The UnxUtils way of using my hosts file on a Windows system is only for Windows XP and for use with something like Homer to act as a pseudo HTTP server (phttpd).  The reason I don't provide anything else is because I depend on somebody else's program to handle incorporating my hosts file on Windows 7 systems now.

If you use Windows 7, use Alex Kowalski's hosts file maintenance program, which I provide download space for.  Here is the Hosts file page which shows where the links are:

Hosts File Page

Down at the end you see these two links:

APK's 64/32 Host File Engine Program
APK's 64/32 Host File Engine Instructions

My hosts file is primarily used by Linux people.  They use dnsmasq, Marco Peereboom's adsuck program or similar.  I am the only one using my phttpd.  But all of these people expect the hosts to be remapped to 127.0.0.1.  There is no 0.0.0.0 on Linux like there is on Windows.  On Windows 0.0.0.0 is normally used as an inter-process server.  On Linux and Unix they use a special file construct called pipes for processes to communicate with each other.

Will I remap the entries to something other than 127.0.0.1?  No.  I depend on Alex Kowalski's program to do that for me.  The reason I mention this is because somebody wrote to me about this 4chan comment on hosts files (which you will note has Alex Kowalski's comment - APK):

4Chan comment on hosts files

What is my statement on using 0 versus 0.0.0.0?  I defer to Alex Kowalski on that issue since it is his APK 64/32 Hosts file engine that automatically does the conversion from 127.0.0.1 to whatever he uses.  Frankly I am surprised somebody wrote to me about it.  You can NOT use my shell file to install a hosts file on anything newer than Windows XP anyway.  Even if you give the script a temporary over-ride, the script calls lots of programs like wget, rm, etcetera, that do not have the over-ride.  In other words, attempting to use my script file on Windows 7 will fail.  Even if you can seem to get it to work (I couldn't), use APK's Host File Engine Program instead.  His program does much more than just install a hosts file.  I will say that if you use a hosts file on Windows 7 you must use some AV program other than the one provided by Microsoft.  The AV program supplied by Microsoft will remove every entry in a hosts file.  You need another AV program that doesn't do that.


New Way Of Handling PAC On Windows

Here are the special instructions for putting the PAC filter on Windows 7.  You don't put it on there the same way you do it on XP.  Put all of the files which can be used for Firefox in an etc folder in your account.  You also need an extra special folder for Internet Settings, and it is mandatory for the Chrome browser.  For example, for a user named hhhobbit and assuming your system drive is C:, you will have these folders (substitute your user name for mine; it should be just alphabetic or alphanumeric characters):

C:\Users\hhhobbit\etc
C:\Users\hhhobbit\OneFile

You put all of the files in the etc folder.  You need to edit all of the proxy files and change the blackhole from 127.0.0.1 to 0.0.0.0 unless you intend to install Homer in roughly the same area, e.g.:

C:\Users\hhhobbit\Homer

I don't advise that and didn't even try it due to too many problems.  Like I just said, you should change the blackhole to be 0.0.0.0.  Use the Error Console in Firefox for debugging.  Unlike a hosts file, the blackhole is set only once, on one line in the PAC filter.  Then you copy whichever of the proxy_en.txt or proxy_fr.txt files you use to the OneFile folder.  WARNING!  This is the only file you should have in that folder.  You set your Internet Settings browsers to use that file.  Why have just one file?  The Chrome browser parses every darn file in the folder.  Worse yet, it sucks up those settings and puts them in places I cannot find.  It doesn't know how to handle the debug statements.  The proxy_en.txt and proxy_fr.txt files have the debug statements removed.  The debug, even if it is not used, causes unexpected "Object Unexpected" pop-up messages.  I have even uninstalled Chrome completely, removed all the files Chrome left manually, and then manually cleaned the Registry.  Why?  Because Chrome parses every file in the folder.  The debug causes it to pop up "Object Unexpected" messages.  I then reset Internet Settings to use the OneFile folder and used it that way successfully with Opera and Safari.  I have even waited as long as 4 months.  But the instant I reinstall Chrome, back come the "Object Unexpected" messages if you did it wrong the first time around.  I am beginning to suspect that Google sucks your Chrome settings up into the cloud and puts them right back the way they were when you reinstall.  Hasn't Google ever heard of a clean-state reinstall to get rid of problems?  There are times when a history should not be kept!  This is one of them.
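The single-line blackhole setting described above, shown as an added example that is not the author's proxy_en.txt or proxy_fr.txt: a small PAC filter with the blackhole set once, constructed sample block rules (the host names and URL patterns are assumptions), and no debug statements, so it is the kind of file that can sit alone in the OneFile folder for Chrome.

```javascript
// Added example of a PAC filter laid out the way the post describes; not the
// author's proxy file. The block rules below are constructed samples.
// The blackhole is set once, on this one line. 0.0.0.0 is the Windows 7
// advice; change it to 127.0.0.1 only if a local Homer/phttpd listens there.
var blackhole = "PROXY 0.0.0.0:80";

// Constructed sample rules (assumptions, not the author's list).
var badHosts = ["tracker.example", "ads.example"];      // exact host names
var badDomains = [".adserver.example"];                 // whole domains
var badUrlPatterns = ["*/banner_ad/*", "*/ad.php?*"];   // shell-style globs

// shExpMatch() and dnsDomainIs() are provided by the browser's PAC sandbox.
// The two fallbacks below exist only so the file also runs under node for
// testing; in a browser the built-ins are picked up instead.
function globMatch(str, glob) {
  var re = "";
  for (var i = 0; i < glob.length; i++) {
    var c = glob.charAt(i);
    if (c === "*") re += ".*";
    else if (c === "?") re += ".";
    else if ("\\^$.|+()[]{}/".indexOf(c) >= 0) re += "\\" + c;
    else re += c;
  }
  return new RegExp("^" + re + "$").test(str);
}
function domainSuffix(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}
var urlMatch = typeof shExpMatch === "function" ? shExpMatch : globMatch;
var domainIs = typeof dnsDomainIs === "function" ? dnsDomainIs : domainSuffix;

// No debug statements anywhere in the file: the post notes that Chrome
// parses the whole folder and pops up "Object Unexpected" on them.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var i;
  for (i = 0; i < badHosts.length; i++) {
    if (host === badHosts[i]) return blackhole;
  }
  for (i = 0; i < badDomains.length; i++) {
    if (domainIs(host, badDomains[i])) return blackhole;
  }
  for (i = 0; i < badUrlPatterns.length; i++) {
    if (urlMatch(url, badUrlPatterns[i])) return blackhole;
  }
  return "DIRECT";   // everything else goes straight out
}
```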

Actually the only people I know using the PAC filter are all on Linux, and the rest just look at the rules and, if they like some of them, stuff them into their company's proxy.  I expect most of these users to be smart enough that they can handle it all with just what I say here.

Friday, September 19, 2014

Are we being hacked by the Chinese?

I wrote a response to a comment made about this article, which said the US Senate was investigating the Chinese break-ins that occurred at TRANSCOM in September 2014:

Fierce Government IT - Chinese Hackers

I wrote this reply to callmebc's comments (it may not be exact because the original is gone - they deleted it):

You can be skeptical about the Chinese being behind it but you should not be skeptical about it being done. It IS done. I am an independent security analyst that cannot work due to actions by the FBI going on eighteen years with no end in sight. But I have even pulled down a banker trojan from a Financial Institution (eurobankaz.com) about one month ago. We need to get Windows systems out of the POS cash registers at brick and mortars and work upward from there. APT (Advanced Persistent Threat) can be avoided by shifting to Linux (not nearly as secure as OpenBSD but more user friendly) and using Thunderbird or other email programs that don't render HTML making phish a thing of the past.

I got the very same malware that did in Google several years back and it WAS of Chinese origin right down to the hashing function that could only be theirs.

securemecca.com
securemecca.blogspot.com

Since the editors deleted my response, here it is.  I do have the malware that did in Google and will provide it to Fierce Government IT upon request.  I also have malware that used the same RealTek certs used in Stuxnet.  The visible proof is here:

Realtek certs used in Stuxnet

That malware will also be provided to Fierce Government IT upon request.

Henry Hertz Hobbit   (Internet Name)
David Alexander Harvey   (Legal Name)

Saturday, May 10, 2014

No to all HTTPS

Letter to Google

   Google, people probably always want to use port 443 (HTTPS) for logging into GMail.  They also want to use it for their blog.  They may even want to use it for Google+, which I need about as much as a hole in the head.  Ditto for Facebook, Twitter, Linked-In, et al.  I don't need any of those "anti-social" web-sites.  They have turned people into anti-social idiots in the real world.
   But forcing me to use HTTPS for your search engine all the time is inappropriate.  I am generally searching for the usage of some new hosts in tracking, ad-servers and malware.  You are second on that, with DuckDuckGo being the primary.  For whatever reason, you seem to be trying HTTPS first on the link, which causes all sorts of problems when I click on the links.  I could care less that the NSA tracks this activity.  If they are using Windows and get infected by the ad-ware I find, that is their fault.  I get the high octane malware stuff in my email box almost every day.  They can have that too because I give it to your VirusTotal service with comments I hope help people learn what is happening.
   In case you are wondering, DuckDuckGo just uses the URLs as-is.  But there I can also use DuckDuckGo as either https://DuckDuckGo.com or http://DuckDuckGo.com, whichever is most appropriate.  It is just that my ISP (Comcast / Xfinity) kept snooping on my activity, supposedly to protect my Linux systems from Windows malware.  So I usually use HTTPS with DuckDuckGo to foil them.  But I am having extreme difficulties testing for whether I have a tracker / ad-server off of your links.  Invariably the links are not using HTTPS.

   So please make it so we can use HTTP for your search engine when that is appropriate.  Over 90% of the time I could care less that the NSA knows what I am searching for.  Again a warning is in order.  When it looks like I am searching for porn I am usually looking for malware, an ad-service, or a tracker at a porn site.  Despite common wisdom to the contrary, porn sites still up the chance of Windows malware considerably.  So if I am looking for info on reklama.vaseporno.eu it may be their ad-service, a tracker or, given where it came from, maybe malware.  Even if it is just their ad-service or their tracker it still gets tossed into my porn bin when I add it to my hosts file.  After all, it is not a generic ad service.  There is no malware I know of at it.  But there is no reason to hide the search from anybody.

Sunday, March 30, 2014

Setting up email

Where The Spam Comes From

  Recently I read a piece from eSet (makers of NOD32).  They claimed that there were 10,000 hacked Linux machines sending out spam and malware.  I asked myself: could this be the hackers I originally dubbed PeskySpammer and renamed PerniciousMalware, who put 500+ spam per day in one of my email boxes plus occasional malware?  No, it cannot be, because you can see for yourself that the majority of the IPv4 addresses used are in DSL and cable IP blocks.  You don't believe me?  Here you go:

Public PeskySpammer folder
Originating IPs
Left 0 Pad Filled Originating IPs

  Just look them up in whois.  I stopped keeping records of these about six months ago.  But if you ever wanted proof of what was sending the spam and malware, all you had to do is seize the machines at the sending IP addresses.  On the machines, which would be running Microsoft Windows, you would find specially crafted SMTP engines that only send email.  How do they get around where it was sent from?  They pretend it was sent from some place else.  That is how I first got them.  They were pretending to send from fictitious users at my domain.  It took me over a year to get email admins to learn NOT to boomerang messages to me.  Evidently thinking has gone out of style.  Whether the hackers realized that Yahoo and other domains have email set up wrong from a practical point of view, but probably correctly from the old RFC, is unknown.  It does argue that things need to change, and immediately.  There will be more on that in a moment.

Are The Linux Machines Hacked?

  Probably.  But which would you want to send spam from?  A tiny number of Linux boxes (10,000 is tiny) whose IP addresses you can easily map out and take out of the loop with blocks at major IMSPs (Internet Mail Service Providers)?  Or do you want a huge flotilla of Windows boxes where the machines sending spam come and go regularly, in such a way that a preventive measure based on the originating IP address is almost useless?  The infected Windows machine route will win hands down.  But let's probe the weaknesses of Linux.  The very first one for me is actually not security.  Because of that stupid X-Windows DB I am almost always staring at 640X480 at install time.  Gone are the days of hacking the X Config file and being on with my business.  But I work from Linux and it is a compromise.  Maybe OpenBSD would be a better choice.
   Linux systems have so much software that is hacked into place, and the software changes so furiously, that it is almost impossible to eradicate problems.  This is especially true for the servers.  But my two machines named GandalfTW and Sauron aren't servers and they eye each other suspiciously.  They will allow a hello and are you there (ICMP ping) and that is about it.  I don't even let one do print server duty and instead rely on the JetDirect card in the old HP printer to handle things.  Getting that configured took a lot of work.  Yes, it has an old parallel printer interface.  But with this much complexity I have this nagging feeling I have too many holes in my systems.  Blowing down the protection of IPv4 with IPv6 (no NAT, no firewall) doesn't help.  But I do have two routers in place.
   But then I hear that there is an SSL bug in Macintosh, iPhone, and iPad.  I can remember Apple taking over six months to fix a simple problem several years back.  Did they really fix the iPhone in 2-7 days and Macintosh in less than two weeks?  Unbelievable.  Then the boom was lowered.  Many versions of Linux also had an SSL security flaw.  At least some Linux distros do make use of OpenPGP signing to make the downloads trusted or not.  But is my kernel the real deal, or did the NSA hack a SHA1 certificate and give me a modified kernel?  I am paranoid.  Am I paranoid enough, or too paranoid?
   But the coup de grâce was when kernel.org was hacked and they sat there saying how super secure SHA1 was.  Pshaw.  I have malware with SHA1 and I know others do too where they hacked the SHA1.  Still, it is more likely that the certs were stolen as in this case:


But it is not Stuxnet!  The cert passed muster until the keys were revoked.  What am I saying?  There are ways around encryption.  But coming from SSL and hitting serious security stuff gives one the idea that SHA1 is powerful.  Not one serious AV company depends on SHA1.  They shifted to SHA-256 years ago.  My OpenPGP keys have SHA-256 as the preferred Digest algorithm:

Cipher:  TwoFish, Camellia256, Camellia192, Camellia128, BlowFish, Cast5, 3DES.
Digest: SHA256, SHA512, SHA1, SHA384

I used to have a 4096-bit RSA key pair and SHA512.  It was fine with a dual core and quad core machine.  It was a little too much for older single core machines.  But I get 3DES whether I want it or not.  I don't want it.  Note that both BlowFish and Cast5 precede it, and iPhone and Android systems can handle that.  SHA384 is non-standard so I have no choice but to bump SHA1 up in pecking priority.

But if a Linux system is truly hacked they can steal your keys, unless you put in a symlink to a flash drive where your keys really are and the hacker always hits it with your flash drive removed.  The key logger gets the pass-phrase.  But I doubt most Linux people ever police their shell startup files.  I do look at my shell startup files, which I have altered considerably; FREQUENTLY!  I told you I was paranoid.  But what do you expect of somebody that has now handled well over 12,000 Windows malware samples?

So is it too much to ask that Linux people shift from SHA1 to SHA256?  I don't think so.  The fewer services you run, the less vulnerable you are.  That is the way it has been forever.

Lest Windows People Snort

  Windows did not wait for IBM to add owner, group and other things to the file system, which is also used in the processes.  Back then it was called the HPFS and it became the NTFS.  But here is what would have happened if they had waited:


It isn't just limited to the file system.  Look at voodoo.txt.  If Target, Neiman Marcus, and others had used Linux instead of Windows in their POS terminals, scraping would not have worked.  Try it!  The SourceBuffer is invariably out of your process's memory space.  The result?  A segment violation.  No memory scraping here.  Where did all of those Siemens Nixdorf POS terminals go?  Why did they replace them with Windows?


How To Setup Email

   On to the main reason for this blog entry.  Because of the way that Yahoo (and other IMSPs) set up email, I have over 500 spam per day in my mini honey-net.  I don't mind the malware, except for those two days I got 500+ malware instead of spam each day.  But really, email should be set up like this as the first step in reducing spam:

1. Only three extra email accounts exist.  Anything sent to any user other than those three email accounts, your email account, and any other email accounts you created should be tossed.  Bye, bye mini honey-net!

2. The three extra users are abuse, postmaster, and webmaster.  Although it may seem nice to not put email for those into the master user's account in case of somebody hacking your computer, what if your computer (as opposed to Yahoo's or another IWSP / IMSP's) is compromised?

3. The number of domains for places like Yahoo is huge.  I would set it up with some sort of self-balancing binary tree for fast lookup.  For example, if you had a domain named qwerty.com with just a master user named keyboard, here is what the users and email box (only one, keyboard@qwerty.com) would look like (email name then email box):

keyboard      keyboard@qwerty.com
abuse         keyboard@qwerty.com
postmaster    keyboard@qwerty.com
hostmaster    keyboard@qwerty.com

Only the emails for those four users at qwerty.com would be accepted, and all of the messages for them would be put in the user keyboard@qwerty.com's email box.  Any emails sent to any other user at qwerty.com would be dropped like a hot scalding potato.  That means they would just be discarded.

Once that is done, all of my other comments apply.  But if Yahoo set it up this way I would get less than 2% of what I get now.  Their email servers would get a break.  The people that aren't involved in the spam and malware storm would finally see the odd behavior of their email vanish.  No?  Then look at my other points.  I am pretty sure qmail can do it.  It has the richest set of filter options of any SMTP server.
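The recipient policy from points 1 to 3 above, as an added example that is not Yahoo's or qmail's configuration: the domain table is constructed (the qwerty.com / keyboard row is the one from the post), a plain object stands in for the self-balancing tree the post suggests, and a legacyCatchAll switch shows the old-RFC behaviour (unknown users land in the master user's box) beside the proposed one (unknown users are discarded).

```javascript
// Added example of the recipient policy the post proposes; not the code of
// any mail provider or of qmail. The domain table is a constructed sample.
var mailDomains = {
  "qwerty.com": {                                // the post's own example
    master: "keyboard",                          // the one real mailbox
    users: ["keyboard"],                         // real users
    roles: ["abuse", "postmaster", "hostmaster"] // delivered to the master
  },
  "example.net": {                               // constructed second domain
    master: "alice",
    users: ["alice", "bob"],
    roles: ["abuse", "postmaster", "webmaster"]
  }
};

// Returns the mailbox a message for `address` is delivered to, or null when
// the message is to be discarded. With legacyCatchAll = true it behaves the
// old-RFC way the post complains about: every unknown user at a hosted
// domain lands in the master user's (postmaster's) box, which is exactly
// what fills the author's mini honey-net.
function routeRecipient(address, legacyCatchAll) {
  var at = address.lastIndexOf("@");
  if (at <= 0 || at === address.length - 1) return null;   // malformed
  var local = address.slice(0, at).toLowerCase();
  var domain = address.slice(at + 1).toLowerCase();
  var entry = mailDomains[domain];
  if (!entry) return null;                                 // not our domain
  var master = entry.master + "@" + domain;
  if (entry.users.indexOf(local) >= 0) return local + "@" + domain;
  if (entry.roles.indexOf(local) >= 0) return master;      // abuse, postmaster, ...
  return legacyCatchAll ? master : null;                   // proposed policy: drop
}

// Applies the policy to a whole envelope recipient list and reports what is
// delivered where and how many recipients were discarded.
function filterEnvelope(recipients, legacyCatchAll) {
  var delivered = [], dropped = 0;
  for (var i = 0; i < recipients.length; i++) {
    var box = routeRecipient(recipients[i], legacyCatchAll);
    if (box === null) dropped++;
    else delivered.push({ to: recipients[i], mailbox: box });
  }
  return { delivered: delivered, dropped: dropped };
}

// Constructed sample envelope: one real user, one role name, two hash-style
// fake users, and one address at a domain this server does not host.
var sampleRecipients = [
  "keyboard@qwerty.com",
  "Abuse@qwerty.com",
  "3a7f9c2e1b4d@qwerty.com",
  "c0ffee1234@qwerty.com",
  "keyboard@nowhere.example"
];
```

Running filterEnvelope(sampleRecipients) with and without the legacy switch shows the difference the post is after: the same envelope delivers four messages to the master box the old way and two the proposed way.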

Saturday, January 25, 2014

PhishTank

Volunteer Reviewers Needed
   I have noticed that Phishtank has gone from something where I could review the phish they had in one session of about two to three hours to impossible.  It is not the only thing that has gone down.  Here is what my and others' email spam problem used to look like:

(click on picture to enlarge)

Now it is malware as numerous as spam:

(click on picture to enlarge)

So kiss any idea of any help you will get from "the man".  I have been getting many hundreds of malware per day recently.  I have been submitting what I can at VirusTotal but the number has gone way beyond ridiculous.  I can only assume that if the FBI didn't request it that they are in favor of it.  Ditto for the US and Russian governments, the NSA, and the CIA.  Look, we have millions of stolen credit card numbers at Target and Neiman Marcus at the end of 2013.  Except for the contractors working on the problem they seem to be going it alone.  Right now the world is upside down.

First, you need the link to Phishtank.  Here it is with the secure login specified, since they shift you to that whether you want it or not if you use their GUI to review.  Trust me; it is to your advantage to use the secure route (port 443), since many Internet Service Providers will interpret it as meaning your machine is infected and no, they will not see that you are going to PhishTank.  Okay, here is where they are at:

Phishtank Home


Here are tips, mostly in the order they pop into my mind, to help you review the phish:
  1. I frown on the use of Windows for doing this.  There is malware at Phishtank.  Even worse, there is no button to say it is malware, which could be used to winnow those entries out.  I have tried to encourage a redesign that has a malware button but we won't get it.  Use Windows only if you really know what you are doing.  Avoid obvious malware links where the URL ends in ".cpl", ".exe" or similar.  Better yet, use some sort of block mechanism that blocks those for you.  Firefox on Linux is one recommended phish review combination.  Be aware that Firefox doesn't handle iFrames.  Opera has similar problems where it really is a phish but you don't see it.  Either Firefox or Safari on Macintosh will also do nicely.  You don't have to use the GUI since Phishtank does provide lists, but I strongly discourage the list approach if you are using Windows.
  2. Okay, you ignored me and you are using Windows anyway.  Then I advise skipping those entries where they don't show you a picture.  Just be aware that if it shows Google Docs in the picture and the URL is definitely not Google Docs, that does not mean it is still a phish.  Things come and go quickly here.  What it does mean is that you can probably safely snatch the URL and try it out, since it at least was a phish.
  3. While working on these I have two lists showing in vim in an xterm.  They are Phish / Not Phish.  They list not the URLs but just the affected hosts; when I notice three or more phish at a domain, it goes into the phish list.  Rather than blaze away calling them all phish, check them every so often during the session.  Do not be surprised that a host goes from the phish list to the no phish list even during the session.  The list I use has dates when I added them.  These are helpful but volatile.  Anything older than 5-7 days in your list is probably gone.
  4. If the URL shown to you uses an IP (IPv4) address rather than a host name, and it shows what was a phish, then it is still a phish.  The only question remaining is whether it is an active phish or whether it is gone.  What do I do?  If it shows one of the many banks, Google Docs, or other known phish types in the picture I mark it as a phish.  It is never (well, almost never) a legitimate host.  Instead it is a hacked Windows PC.  See the two pictures in this blog entry?  The machines sending the email messages are hacked Windows PCs.  They are not supposed to be doing web-service duty or sending email directly.  Mark them as phish and let us Linux and Mac reviewers put them to bed.
  5. You just got a redirect to Google so the people fixed the problem, right?  Wrong!  Malware links in web pages frequently let only 5% to 15% of the people through to the malware.  Often, they redirect the others to Google or do nothing.  So how do you "fix a phish?"  First, clean the server and install new web-server code.  Second, close the entire folder down where all the phish live.  Third, set all the phish links to redirect to your own home page.  Fourth, set it to just give a blank line.  In Firefox this can be viewed under Tools - Web Developer - Page Source.  You will see a grayed out 1, or 1 and 2, which means that many blank lines.  But it is just as likely that the phishers themselves have set the phish to go to Google or some place else 85% to 95% of the time.  The only valid redirect phish fix is to yourself.  It showed Google Docs and now it shows Google?  It is still a phish, since you and I don't know who did the redirect.
  6. If your filters caused a block and you know this some way, just click on either "I don't know" or preferably just ask for the next entry.  I use my PAC filter but in a file with all of the phish rules stripped out of it.  I then actually have to add some of the GoodDomains phish rules back in but not the pair.  E.g., the GoodDomains ebay rules may be added back in but I don't put the other Bad rules for ebay in.  We shouldn't be testing your phish filtration.  We are reviewing the phish.
  7. I will put more here as they come to me.  Right now I am handling a slug of malware that despite the scam being the same the malware is not.  I am probably getting 5+ different types of malware per day.

Monday, January 20, 2014

Ridiculous

   PerniciousMalware (nee PeskySpammer), let's review what I have already given you for pruning your lists.  I am doing this because I may be posting to slashdot to shame some people into rectifying major defects in the way things are being done right now.  So here is the code for doing a first pass clean up of your TO list:

Winnow Users

   What is the result of you, Yahoo and other Mail service providers doing it wrong?  Here is how it looks in Thunderbird:

(click on picture to enlarge)
  
   And here is what it looks like in Yahoo's web-mail interface:

(click on picture to enlarge)

   I call the first one DOS because that is exactly what it is: a Denial Of Service.  There are no fake pharmacy URLs or malware.  In fact the supposedly real world user names are nothing more than the titles of the articles whose contents you put into the messages.  In short, how stupid can you be?  Sending somebody hundreds of messages like this makes me wonder if the FBI requested that you do it.  As bad as you are, there are some others this message is addressed to.
   To Yahoo - stop changing your web-mail GUI and take care of your hack-in.  You have been shoving out malware through your ad-servers and I have detected that the hackers still have various levels of internal access.  Make it so your paying customers get the email addressed to the users for the given domain, with mail for the users postmaster, webmaster, and abuse delivered to the master user.  For me that means only four email accounts.  All other email to other non-existent users should be stapled, mutilated, spindled, and shredded.  This especially includes email like this that isn't even coming from the domains it purportedly comes from.  Search for previous blog entries to learn to handle them.  If you did this your email volume would be reduced to a trickle of what it is now.
   To Comcast - after about the fourth time, it seems you would have a log showing that once you talked to Yahoo, your check would result in the proper action for me and others like me who are victims of this type of abuse: complain to Yahoo or other Mail Service Providers to fix their problems.  Instead you have blocked me from sending email repeatedly due to your stupid no white-list rule.  If I was rich I would sue you for slander and anything else an attorney would be willing to go after you on.  All I know is you must be stupid to have not figured it out by now.  Almost all the mail is coming DOWN to me.  I send out less than 1% of what I receive.
   To the FBI, Interpol, and NSA.  The sending IP addresses are in the saved email messages.  It would be a simple matter to do forensic analysis on one of the machines and track it back to the Russian (sometimes the stupidity of PerniciousMalware makes me disbelieve they could be Russian) or Chinese hackers.  It isn't just spam.  I just wrote up information on their two malware samples today and will make the malware available to the AV companies on demand (as if they really need it - they are swamped).
   To the Russian and / or Chinese governments.  Find these people and put them where the sun doesn't shine. 
 

Friday, November 22, 2013

PerniciousMalware

I have renamed PeskySpammer PerniciousMalware due to the large amount of malware they keep shoving out.  Will it ever end?  Who knows.

But I do know that ever since they sucked all of the fake email addresses out of their from list and added them to their to list, I have had a steady diet of several hundred spam messages per day when they are sending spam and almost a dozen malware per day when they are sending malware.  This has gone on for over a year and a half now.

Let me see if I can explain this to the PerniciousMalware people, who don't seem to know how mail works.  Many IWSPs (Internet Web Service Providers) set their customers up with email that is compliant with the old RFC when they get a combo email + web-site.  What that means is that for any user that is not known, those email messages go to the postmaster for the domain.  Who is the postmaster for my SecureMecca.com domain?  Me.  But after looking at PerniciousMalware's list of users that they use to send to my domain, I noticed that almost all of the user names are just hexadecimal hashes.  So I wrote a program that PerniciousMalware can use to remove not only the fake users at my domain, but the fake users at all domains.  Here is the folder that contains the programs:

Winnow Hash Users

The 0-Instructions.txt file shows how to make it work and is also included in the zips.
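The first-pass winnowing described above, as an added example that is not the author's Winnow Hash Users program: it drops send-to entries whose user name is a hexadecimal hash, de-duplicates the rest, and counts removals per domain.  The address list is constructed, and the rule that a local part of 8 or more hex digits is a hash rather than a name is an assumption made for this example.

```javascript
// Added example of winnowing hexadecimal-hash users out of a send-to list;
// not the author's program. The threshold below is an assumption.
var HEX_LOCAL_PART = /^[0-9a-f]{8,}$/i;   // 8+ hex digits => treat as a hash

function localPart(address) {
  var at = address.lastIndexOf("@");
  return at > 0 ? address.slice(0, at) : null;   // null when malformed
}

// True when the user name before the @ looks like a hexadecimal hash.
// Caveat: a real name spelled only with the letters a-f (e.g. "deadbeef")
// is also caught; that is the price of the simple rule.
function isHexHashUser(address) {
  var local = localPart(address);
  return local !== null && HEX_LOCAL_PART.test(local);
}

// Returns the cleaned list (lower-cased, de-duplicated, hash users removed),
// the removed addresses, and how many were removed at each domain.
function winnowHashUsers(list) {
  var kept = [], removed = [], seen = {}, perDomain = {};
  for (var i = 0; i < list.length; i++) {
    var addr = list[i].trim().toLowerCase();
    if (localPart(addr) === null || seen[addr]) continue;   // malformed or duplicate
    seen[addr] = true;
    if (isHexHashUser(addr)) {
      var domain = addr.slice(addr.lastIndexOf("@") + 1);
      perDomain[domain] = (perDomain[domain] || 0) + 1;
      removed.push(addr);
    } else {
      kept.push(addr);
    }
  }
  return { kept: kept, removed: removed, perDomain: perDomain };
}

// Constructed sample send-to list: real users, role names, two hash users,
// a duplicate differing only in case, and one malformed entry.
var sampleToList = [
  "alice@securemecca.com",
  "3a7f9c2e1b4d8e0f@securemecca.com",
  "postmaster@securemecca.com",
  "DEADBEEFCAFE1234@example.org",
  "Alice@securemecca.com",
  "bob@example.org",
  "ada@example.org",
  "not-an-address"
];
```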

Use the program in good health to remove all of those fake users from your send-to lists.  All you are doing by sending hundreds of spam messages per day is making whoever you are doing it to mad as hell.  So I advise you to alter the program (it is covered by the GNU license) and use it in your bot's email address gathering to exclude the hexadecimal-hash user names before they even get added as well.

The hexadecimal-hash users aren't the only kind of bogus users you have, but you have to start some place.  I suspect that some of those people may even purchase your wares once the flood of spam becomes just one message every so many weeks.

Finally, sending Windows malware to somebody using Linux isn't going to get you anything but more people knowing about it faster and the AV companies detecting it faster.  I faithfully make them known to as many other people as time permits.

You are welcome.