Sunday, January 24, 2010

Priority Changes

The following set of priorities has been the order that determined what I blocked for quite some time, first informally and then formally:

1. Malware (Maliciels)
2. Trackers (Traqueurs)
3. WebBugs and any other bad things that are hard to classify (spam)
4. Ads, especially egregious or in-your-face ones

The new order of priority now (2010-01-25 UTC) is:

1. Trackers (Traqueurs)
2. WebBugs and any other bad things that are hard to classify (spam)
3. Malware (Maliciels)
4. Ads, especially egregious or in-your-face ones

There are quite a few reasons for this change, but fundamentally here are the major reasons for the change in priorities:

Reason 1:
I have detected numerous hosts within the past few months that carry a JavaScript which unrolls itself and then calls another host to do a pseudo-scan (it uses a Flash file) of your computer. It then injects the Trojan Rogue Malware (which pretends to be anti-malware) that is hard to get rid of. Frequently you just have to reinstall your OS. Here are the initial results of scanning the file at VirusTotal for one of the many variants of these scripts: (3/41)

They stayed there stubbornly, with only Authentium, F-Prot, and Sophos detecting them, for well over a month. I suppose if one of those is the AV program you use then you are in fine shape. I finally submitted a sample of the scripts plus quite a few other malware samples to various AV companies on 21 Jan 2010. I scanned it one last time at VirusTotal before I submitted it to them: (4/41)

So if you have Microsoft's antivirus you are also now good to go on this one. The problem for a hosts-only blocker is that it can't enumerate all the hosts where the problems are. How many more hosts have the problem that I don't have in my file? Tens of thousands of hosts have the problem, and I estimate less than 30% are in all of the blocking hosts files combined. But what about using my PAC filter to block them by URL pattern? You want to block "index.html"? How about "index.php"? You will block well over 99% of the Internet! What about the scripts? Their names seem to be nonsense letters all over the wall. It is now three days after that last scan and it has not improved at all. None of the AV companies have contacted me except one that did nothing with the last batch of samples I gave to them. I don't think they will do any better this time around. If they don't think it is a problem, why should I consider it to be a problem? If the scan stays the same way after 1-2 weeks it is time to move on to where my efforts will be more useful. This is not an isolated incident. It has been going this way for years now as the AV companies focus most of their attention on the more glamorous worms while the low-profile Trojans do the job quietly and discreetly.

Reason 2:
Microsoft's UAC has made it almost impossible to update either a hosts file or the PAC filters. At first I thought that with Windows 7 having a Windows XP virtual machine the problem would be resolved. Well, it isn't. The XP virtual machine only exists in Windows 7 Professional and Windows 7 Ultimate. Neither Windows 7 Home Premium nor Windows 7 64-bit has it. I estimate that well over 90% of the Windows 7 systems will be Home Premium. If you ask me, Microsoft has finally put so many obstacles in the way of helping people protect their systems with blocking hosts files or a PAC filter that it has finally become impossible to do it. Fine. That means they believe they have all the protection that they need. Who am I to question their judgement? It is time for me to move on to other things that will keep Ubuntu Linux users (I don't currently use Ubuntu) from being tracked. It is just that Ubuntu Linux has moved into the lead of Linux distros used.

Reason 3:
I will continue to put in patterns that would help block malware, but in general malware hosts come and go so fast it isn't worth it. Most of the malware hosts I encounter any more have a life-span of less than 24 hours. When I can detect that they are hosted on a PC in a DSL IP address block, I will block the entire swath of PCs in that address space with a BadNetworks rule in the PAC filter. But since nobody can put the PAC filter on unless they are using Windows XP, Windows 7 Professional, or Windows 7 Ultimate, the efficacy of this effort is dubious.
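The post contrasts three ways of blocking: a hosts file (which can only say yes or no to a whole host name), the PAC filter's URL patterns (which can stop one bad path while letting the rest of a host through), and a BadNetworks rule (which throws away every host that resolves into a bad IP address block). The following is an added example, not the author's PAC filter and not its real rules: a minimal FindProxyForURL() that applies all three checks. Because a browser normally supplies isInNet(), dnsResolve() and shExpMatch() to a PAC file, stand-ins are defined here so the block runs under Node; the host names, the 198.51.100.0/24 block and the black-hole proxy port 3421 are constructed sample values.

```javascript
// Added example: a minimal PAC (proxy auto-config) filter that blocks by
// exact host, by URL pattern, and by IP network ("BadNetworks").
// All lists and addresses below are constructed for illustration.

// Constructed stand-in for the browser-provided dnsResolve(): a fixed
// host -> IPv4 map instead of a real DNS lookup.
const FAKE_DNS = {
  "tracker.example": "203.0.113.10",
  "rogue-scan.example": "198.51.100.77",
  "cdn7.other.example": "198.51.100.200", // lives in the bad DSL block
  "news.example": "192.0.2.5",
};
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  const n = parts.map(Number);
  return ((n[0] << 24) | (n[1] << 16) | (n[2] << 8) | n[3]) >>> 0;
}

// Same semantics as the PAC helper isInNet(ip, net, mask).
function isInNet(ip, net, mask) {
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return (a & m) === (n & m);
}

// Same semantics as the PAC helper shExpMatch(): shell-style glob where
// '*' matches any run of characters and '?' matches exactly one.
function shExpMatch(str, pattern) {
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// 1. Hosts-file style entries: the whole host (and its subdomains) is blocked.
const BLOCKED_HOSTS = ["tracker.example", "rogue-scan.example"];

// 2. URL patterns: block one bad path on an otherwise allowed host.
const BLOCKED_URL_PATTERNS = ["http://news.example/ads/*", "*/webbug.gif*"];

// 3. BadNetworks: [network, netmask] pairs covering whole address blocks.
const BAD_NETWORKS = [["198.51.100.0", "255.255.255.0"]];

// Blocked requests go to a black-hole proxy that never answers; the port is
// a placeholder, not a real filter's value. Everything else goes DIRECT.
const BLACKHOLE = "PROXY 127.0.0.1:3421";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  for (const bad of BLOCKED_HOSTS) {
    if (host === bad || host.endsWith("." + bad)) return BLACKHOLE;
  }
  for (const pat of BLOCKED_URL_PATTERNS) {
    if (shExpMatch(url, pat)) return BLACKHOLE;
  }
  // Resolve once and compare the address against every bad block.
  const ip = dnsResolve(host);
  if (ip !== null) {
    for (const [net, mask] of BAD_NETWORKS) {
      if (isInNet(ip, net, mask)) return BLACKHOLE;
    }
  }
  return "DIRECT";
}
```

Two things worth keeping in mind when writing rules of this kind: '?' is a single-character wildcard in shExpMatch(), so a literal query string cannot be matched by writing it into the pattern, and the BadNetworks check costs a DNS resolution per request, which is why it is placed last, after the cheap host and pattern checks have had their chance.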

Reason 4:
What I encounter the most are ads and trackers. If you use Firefox, AdBlock Plus with EasyList (or another language's subscription if it replaces EasyList, or EasyList plus that other language filter if it is a supplement) handles the ads fairly well. EasyPrivacy does a good job with trackers. But as some people found out with the New York Times outsourced ads infecting their Microsoft Windows systems, there are holes in any pattern filtration scheme. I suppose the only people that got their machines infected were Microsoft XP owners, and those with Vista or Windows 7 pre-release were immune. But I know the hosts they used, and they stubbornly resist any attempts to find either patterns or IP addresses (unlike ABP, the PAC filter can block by IP address) to block them. Almost any good blocking hosts file would have prevented people going to the New York Times in that time period from having any problems. For trackers both the PAC filter and ABP's EasyPrivacy do a good job, but occasionally I add stuff EasyPrivacy already has. I don't add it because they have it. I find out they had it after I have already added it. I have no idea if they use my stuff that they don't have, but they are free to do so as long as they do not violate the GNU Public License. After enough time we will both discover what the other knows. It is just that you can't see everything; I see things they don't and they see things I haven't encountered yet. So for EasyPrivacy vs. the PAC filter I would say that we are about equal but good complements to each other. Frequently they have something I don't and vice versa. Just remember that I also have BadNetworks and the PAC filter works with Chrome, IE, Opera, and Safari (just don't turn on debug in either Opera or Safari). For ads, the PAC filter cedes a lot of ground to what I use, which is EasyPrivacy+EasyList and Liste FR. But you have to remember I also use a hosts file to cover a lot of that territory. It still isn't comparable though.
ABP can block the hidden stuff while at the same time allowing the rest of the content from the host through. But what if your browser of choice is Chrome, IE, Opera, or Safari? The PAC filter comes to the rescue. It is better than the alternative, which is nothing. There are many things where I allow the host through but stop something bad from happening in the PAC filter. Also, if you know of something that I don't and inform me, I will look at it and incorporate it if it meets these criteria. Why are ads a lower priority than WebBugs? Because in and of themselves ads do not normally constitute a threat. WebBugs and those scripts are a threat. Besides, I have nothing personally against tasteful ads. They frequently enable people to host a web site that otherwise would not be possible without those extra funds.