- I am connected to the Internet through Comcast. I have already been flagged for having a bot machine and even had my FTP access to the SecureMecca.com website blocked. Fortunately I was still able to upload to HostsFile.org, but the ability to analyze a lot of this stuff is gone and I cannot do it any more. I can assure Comcast that my two Linux systems are not bots. I shut down almost all user processes other than some xterms and fired up Wireshark. Even the normal chit-chat of ARP was held down because I use an /etc/ethers file. Nothing but the local GnuPG check packets were found, except for the one machine that did a check for OS updates. They are clean. Some may think I resent what Comcast has done, but I think it is a good interim measure, even though it would not protect against the Zbot file I got in my email box two days ago (2011-03-05). It is better to have that than what I provide, which nobody uses.
- I never did like blocking hosts that were just normal hosts that had an infection, especially when many times my PAC filter rules alone would have made it so they could go to the website safely.
- It was just too much to keep up with. I primarily served as the mop-up crew by analyzing all of the hosts they removed, many times discovering malware still there, and frequently it had very low detection rates. There were also hosts that met my criteria that didn't match MDL's. For example, I block ads and trackers whereas they don't, so I need to know whether to keep them or not. Given the massive amount of malvertising, I would advocate that people either use what I have (PAC filter + blocking hosts file) or one of the browser ad-blocking programs I will give below, not necessarily to block the ads but to protect your machines. In reality I think it is time for Windows users to either use a Macintosh or put up with the constant thrashing we Linux users have and switch to it. The computer is not an end in itself for me. I use it to achieve my ends.
MDL Blocking host list
I will continue to peruse their URLs for patterns for the PAC filter:
All MDL Downloads
But you may want to check out the BLADE project that tries to block out all malicious downloads:
BLADE Malicious URL Project
I think that Comcast's Damballa anti-bot software, BLADE and other things are pretty ambitious. The PAC filter at SecureMecca.com / HostsFile.org is at best only 15% efficient at stopping malware. It gets a lot better if you disallow the download of all *.exe, *.msi, and *.scr files in the PAC filter, but just like the newer malware that disables a proxy, it is trivial to disable the PAC filter. I am glad that Symantec's NAV did flag the PAC filter as a potential problem. It isn't, but I have found a few PAC files out in the wild that are malicious.
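To make the two PAC-filter techniques just mentioned concrete (a host blocklist, plus refusing *.exe, *.msi and *.scr downloads), here is a minimal PAC file as an added example. It is not the SecureMecca.com / HostsFile.org PAC filter; the blocked domains and the black-hole proxy address are constructed for the example. A PAC file is just JavaScript: the browser calls FindProxyForURL(url, host) before each request, and pointing a request at a proxy that nothing listens on is how a PAC file "blocks" it.

```javascript
// Added example of a PAC (proxy auto-config) filter; not the author's PAC file.
// Kept to ES3-era JavaScript because browser PAC engines are old and minimal.

// Assumption: nothing listens on this port, so requests sent here simply fail.
var BLACKHOLE = "PROXY 127.0.0.1:3421";
var DIRECT = "DIRECT";

// Constructed sample blocklist. A real one would be generated from a blocking
// hosts file or an MDL list. A host matches if it is the domain itself or
// any subdomain of it.
var BLOCKED_DOMAINS = ["evil-ads.example", "malware-drop.example"];

// Windows executable types the text suggests refusing outright. The check is
// on the URL path only (query string and fragment are ignored), case-insensitive.
var BLOCKED_EXT = /\.(exe|msi|scr)$/i;

function hostBlocked(host) {
  host = host.toLowerCase();
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    var d = BLOCKED_DOMAINS[i];
    // exact match, or host ends in "." + d (so notevil-ads.example does not match)
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

// "http://h/a/b.exe?x=1#y" -> "/a/b.exe"
function pathOf(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*([^?#]*)/i.exec(url);
  return m ? m[1] : url;
}

function FindProxyForURL(url, host) {
  if (hostBlocked(host)) return BLACKHOLE;          // blocklisted host
  if (BLOCKED_EXT.test(pathOf(url))) return BLACKHOLE; // executable download
  return DIRECT;                                     // everything else: no proxy
}
```

Point the browser's automatic proxy configuration setting at the file. Two caveats: recent Chrome and Firefox strip the path from https URLs before calling the PAC script, so the extension check only sees the path of plain http URLs on those browsers; and, as the text says, anything that can edit the browser's proxy settings can simply switch the PAC file off, so the setting needs to be re-checked.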
There is one big problem in all of this. The malware is coming so fast and furious that some myths need to be dispelled. First, I am getting tired of hearing this day-zero garbage. That may have been what it was five-plus years ago. But about one to three years ago it became week zero, then month zero. I would discover malware that frequently had fewer than 6 of the 42 AV programs at VirusTotal detecting it and give it to the AV companies via my back-route channel. Many times none of them detected it. After giving the malware to ClamAV and via the back-route channel, the detection would slowly crawl its way up to only half of them detecting it, taking well over two weeks to get there. In short, what was really protecting most Windows users was just the random chance of not encountering the bad stuff in the first place. With many millions of web sites and only a few thousand infecting you, that is actually a pretty good gamble that you will be okay, until you hit the bad one. But what happens when you hit them and they are at the low-probability end of detection, or when they come down via malvertising? In the case of the ad servers being corrupted with malware, the damage can be pretty extensive, with millions of machines running Microsoft Windows getting infected! I have three possible solutions for you, in the reverse order of what I actually do:
- Purchase either Windows 7 Pro or Windows 7 Ultimate. Do the bulk of your work on the computer in interacting with the Internet in virtual mode. That way, when you get infected, hopefully you can shut down and toss all of the changes to the OS away. You still have to put up with booting to the non-virtual OS to update your AV software, and Symantec's NAV is updating at least hourly if not more often.
- Use a Macintosh. I realize that they have embedded spying on them, but at least you get rid of the Windows malware. To date I keep seeing nothing but POC malware for the Mac and have got none of the malware for Linux. Both Macintosh malware and Linux malware exist, but they are the least of your problems. Personally, I don't understand why Apple won't take that tracking out of their systems. That would make it possible for them to pursue many lucrative government contracts. Maybe they already have taken it out, in which case the only objection you can have is cost. But everything you get works, and works well. Most people love the GUI the Macintosh has.
- Use Linux. There is no tracking, but I cannot, for example, get my printer to work any more with Linux. It is an old mossy HP LJ-4P with a parallel interface. I have nothing but USB on my machines now, so I have a USB-to-parallel adapter cable. It works with XP (all I can afford), but it doesn't work with Linux. I have no money for a new printer. I also hear that the new version of Ubuntu is replacing the GNOME GUI that I standardized on. There is always a flux with the newer versions of Linux, and I deeply missed the plain old hexedit that worked in the xterms. But it is free and the Windows malware problems go away. In case you haven't guessed it yet, this is the option that I have chosen.
Google Chrome browser AdBlocker
Firefox AdBlock Plus
If your browser of choice is Internet Explorer, Opera, or Safari, then you can still use the PAC filter to good effect. I would advise that you not turn the debug on in Internet Explorer, and you cannot turn it on in either Opera or Safari. If you use Microsoft Windows you can also purchase Ad Muncher, but it doesn't do much to protect against malware; I still do it, but usually only in the PAC filter.
I am also devoting a lot of time and effort to getting rid of Daylight Saving Time, which in reality saves nothing. Every time I turn around, the TZ (time-zone) database on Linux is being updated for this lunacy.
No More Daylight Saving Time
3 comments:
I have arrived at SecureMecca via the malwaredomainlist forums after seeing a number of work computers hit by drive-by rogue anti-virus installs, which look like they were manufactured from the BlackHole exploit kit:
http://goo.gl/8b0LZ
Unfortunately I arrive a couple of days after you decided to stop. Although you say you will no longer add to MDL, hopefully you may still add general information on security, as you are very knowledgeable in this area.
I have enjoyed reading your advice and plan to act upon it.
Many thanks!
Mr T
p.s.
now where is that "publish your comment button", ah yes need to click allow from NotScripts!
Mister Tee, you can easily merge MDL's host list with either my hosts file or some other blocking hosts file by using HostsMan. Here is where you can get HostsMan; I give the link to it as well in my next post:
http://www.abelhadigital.com/hostsman
My major contribution by merging MDL in was to double-check their removals, and I retained those that they removed where there was still a problem. Unfortunately, the time it takes no longer being available to me, my being sick much of the time right now (I cannot even hear my alarm clock 90% of the time), plus Comcast's anti-bot software, brought all of that work to an end.
Let me clarify the situation so you can see that it isn't completely hopeless. Many of the hosts that MDL blocks you will never see anyway. Then for every one that MDL has, there are frequently two to five times as many hosts that they don't have yet that you may encounter. The PAC filter frequently shifts into gear and protects you without me even knowing about the host name. Finally, since I block lots of ad hosts full time, you have protection from malvertising. MDL removes the block on ad hosts when the infection leaves, but there is always the possibility it will come back. There is also some lag time for them to catch up when the ad hosts start to infect, and frequently by the time they block them the threat is gone. But by blocking them full time, I and the other ad blockers protect against those momentary time periods of less than 24 hours when those ad servers begin distributing the malware before the ad servers correct the situation. Do not forget to incorporate my hosts file. There are quite a few ad servers, like YieldManager and others, that are especially intractable: patterns don't catch them, and in my case even IP blocking doesn't. I read about the New York Times ad servers infecting a long time ago and people complaining that AdBlock Plus failed. With those particular ad servers I tried for the longest time to find patterns and couldn't find them. They also swapped their IP addresses constantly, making IP rules useless. The only way to block them was with a list in a blocking hosts file or your own private DNS server such as AdSuck, written by Marco Peereboom:
http://opensource.conformal.com/wiki/Adsuck
But primarily the PAC filter does more than you would ever believe to block malware. I was constantly having to move the PAC filter out of the way to download malware. Many times, when there were three hosts in succession with redirects that finally got you to the host the malware was downloaded from, the PAC filter blocked every one of the host names without even knowing what their names were. In fact, in those multiple-host instances it was rare that the PAC filter didn't block at least one of them. Just remember that it is trivial for the malware to disable the PAC filter in Firefox, so check it frequently. It is a little bit more difficult than people believe to deactivate the PAC filter in Internet Settings. Not only that, but with the PAC filter enabled in Internet Settings with all debug flags on, I was surprised to be notified that a printout was looked at by the PAC filter. It also guards against links in Outlook and Outlook Express, yet again with many unknown links. Last, USE YOUR COMMON SENSE. Be careful about opening attachments or clicking on the links in email.
One more comment must be made. I have written about this elsewhere, but I will write about it again now. Java has now moved to the fore as one of the more serious software risks. You can easily see that in the fact that the BlackHole exploit kit in the article you pointed to at Symantec used a jar file. If you do not need Java, remove it. Even if you constantly update Java, Firefox leaves all umpteen previous versions of Java plugged into the browser, so be sure that even if you must have Java you remove all of the older Java plug-in versions unless you need them (Tools, Add-ons). The other part of the BlackHole kits, the obfuscated code, is BAD news. I submitted I don't know how many samples to the AV companies, and they don't have a way to detect them reliably. It took them well over a month for the detection levels to rise, and by then the samples frequently did not go to anything harmful any more. Most of the obfuscation scripts I discovered were written in JavaScript, not Java or some other language. Nevertheless, Java constitutes a serious risk since it has so much more power than JavaScript. If you don't need Java, uninstall it. Even if you retain Java, be sure to remove all of the old Java plug-ins in all of the browsers you have if you do not need the older versions. Use only the newest version of Java if at all possible. The reason Oracle (formerly Sun) leaves the older versions there is that companies frequently need the older versions of Java for their custom software. I also use Evince instead of Reader for PDFs in the browser, just to be on the safe side. Now that Reader has been sandboxed, Evince doesn't provide that much additional protection, but Evince also doesn't execute those errant embedded JavaScripts. Anything you can take away from the hackers that they can abuse makes you that much safer. So what if Linux or Macintosh has a pitifully low amount of malware? They are immune from the tons of Windows malware, and that reduces your risk level considerably. I said reduces, not eliminates.
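The reply above describes two chores: merging MDL's host list into a blocking hosts file, and double-checking what MDL removed before dropping it. Here is an added example of both; it is not HostsMan and not the SecureMecca.com / HostsFile.org tooling, and the two input files are constructed samples, not real MDL or SecureMecca data. It runs under Node.

```javascript
// Added example: merge blocking hosts files and diff them. Not HostsMan.
// Both inputs are constructed samples. Run with: node merge-hosts.js

var MDL_SAMPLE = [
  "# constructed MDL-style list",
  "127.0.0.1  localhost",
  "127.0.0.1  drop.badhost.example",
  "127.0.0.1  Payload.Badhost.Example   # same host as in the other file, different case",
  "127.0.0.1  www.tracker-ads.example"
].join("\n");

var MY_SAMPLE = [
  "# constructed private blocking hosts file (0.0.0.0 style)",
  "0.0.0.0 payload.badhost.example",
  "0.0.0.0 ad.yieldmanager.example ads.yieldmanager.example",
  "0.0.0.0 bad_name.example",
  "::1     ip6-localhost"
].join("\n");

// Names that belong to the machine itself; never carry them into a block list.
var LOCAL_NAMES = {
  "localhost": true, "localhost.localdomain": true, "broadcasthost": true,
  "ip6-localhost": true, "ip6-loopback": true
};

// Two or more DNS labels of letters, digits and hyphens, no leading/trailing
// hyphen. Requiring a dot keeps single-word junk from malformed lines out.
var HOSTNAME = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$/;

// Parse a hosts file into the lowercase host names it blocks.
function parseHosts(text) {
  var names = [];
  var lines = text.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].replace(/#.*$/, "").trim();   // strip comments
    if (!line) continue;
    var fields = line.split(/\s+/);
    // fields[0] is the address; a line may list several names after it
    for (var j = 1; j < fields.length; j++) {
      var name = fields[j].toLowerCase();
      if (LOCAL_NAMES[name] || !HOSTNAME.test(name)) continue;
      names.push(name);
    }
  }
  return names;
}

// Union of several lists, deduplicated and sorted.
function mergeHosts(texts) {
  var seen = Object.create(null);
  var out = [];
  for (var i = 0; i < texts.length; i++) {
    var names = parseHosts(texts[i]);
    for (var j = 0; j < names.length; j++) {
      if (!seen[names[j]]) { seen[names[j]] = true; out.push(names[j]); }
    }
  }
  return out.sort();
}

// Names in `text` that `other` lacks. Run with (mine, MDL) to see what MDL
// removed or never had, which is what the reply says needs double-checking.
function onlyIn(text, other) {
  var theirs = Object.create(null);
  var otherNames = parseHosts(other);
  for (var i = 0; i < otherNames.length; i++) theirs[otherNames[i]] = true;
  var mine = parseHosts(text), out = [];
  for (var j = 0; j < mine.length; j++) if (!theirs[mine[j]]) out.push(mine[j]);
  return out.sort();
}

// Render a hosts file. 0.0.0.0 is used rather than 127.0.0.1 so a blocked
// request fails fast instead of knocking on a local web server.
function renderHosts(names, address) {
  var lines = ["127.0.0.1 localhost", "::1 localhost"];
  for (var i = 0; i < names.length; i++) lines.push(address + " " + names[i]);
  return lines.join("\n") + "\n";
}

if (typeof require !== "undefined" && require.main === module) {
  process.stdout.write(renderHosts(mergeHosts([MDL_SAMPLE, MY_SAMPLE]), "0.0.0.0"));
  console.error("only in mine: " + onlyIn(MY_SAMPLE, MDL_SAMPLE).join(", "));
  console.error("only in MDL:  " + onlyIn(MDL_SAMPLE, MY_SAMPLE).join(", "));
}
```

Feed it real files by reading them with fs.readFileSync in place of the two sample strings. The parser lowercases names and drops comments, loopback names and anything that is not a dotted hostname, so the same host listed as 127.0.0.1 in one file and 0.0.0.0 in the other collapses to one entry; the onlyIn report is the list to review before accepting a removal.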