Wednesday, March 9, 2011

email safety

I don't have to go out and get the malware.  It comes to me!  I received a Zeus trojan in my email not just once but twice, six days apart.  It came as a file named "images865392.zip", zipped with the password "123456", from the very same gaxeee GNAT gmail.com email address.  When unzipped you have a file of the same base name, but it is an exe, not a zip file: "images865392.exe".  I submitted it to ClamAV and it percolated out from there, so that now Avast and AVG are detecting it.  Here is the scan of the Zeus trojan at VirusTotal:

http://preview.tinyurl.com/4fct5pz

Don't expect this to stay around forever.  There are at least dozens and perhaps hundreds of new malware samples each day, and eventually this URL will drop off the chart.  Actually, 29 / 41 isn't bad even though six days ago it was 27 / 43.  But what was it like when it was first found, and what if you are using one of the AV products that does not detect it?  Even worse, it took the ClamAV team almost six days just to finally detect it.  Why does it take so long?  They have too much to do, so you are lucky that they got around to detecting it at all.

The rather amazing thing is that the second file was exactly the same as the first.  It had the same zipped and unzipped file names, the same password, and the two executable files were identical.  Before I got it, who knows how many other people got the same thing?  How many of them unzipped it and let it run?  I don't know, but enough of them do it that it was successful.

Use some common sense, people.  Even if you got an attachment from somebody you know, pick up the phone and ask if they sent it to you.  If you think this is trivial, it isn't.  Almost every spear-phishing attack is only slightly different from this one.  The surprising thing to me is that it still works even though it has been done for years.  It seems like people would be on to this game by now, but you would be amazed at how successful this kind of email-borne attack still is.  Half of the Fortune 500 companies in the United States have severe problems, and although it may not be their fault for browse-by attacks (as long as they use some sort of filtration), in this case it is wholly their responsibility.  Even worse are the email messages that immediately run something when you click on an HTML link.  Beware of all HTML links in email messages.
Also, unless you use something like Thunderbird or another email program that makes no attempt to render HTML messages, you need to be aware that they usually put mouse-over handlers on the link so that the address your email program displays is a safe-looking one instead of the real URL.  This is also usually done with phishing messages.  Am I fooled?  No.  I use Thunderbird.  Richard Stallman of GNU Corporation uses something else, but they both do the same thing - they show the real links.  I got the same email message that did in Google several years back and it looked positively amateurish to me.
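As an added example (not code from this post), here is a small check that does what a mail program showing the real links does for you: it scans the HTML of a message for anchors whose visible text reads like an address but whose href goes elsewhere, and for anchors carrying mouse-over or click handlers.  The message and the host names in it are constructed.

```javascript
// Added example, not code from the original post: scan an HTML e-mail for anchors
// whose visible text looks like an address but whose href points somewhere else,
// and for anchors carrying mouse-over or click handlers. The message is constructed.
const sampleEmail = `
<p>Your account needs attention. Please sign in:</p>
<a href="http://login-verify.example.net/x">https://www.paypal.com/secure</a><br>
<a href="https://www.example.org/news">Read the news</a><br>
<a href="https://mail.example.com/inbox">mail.example.com</a><br>
<a href="https://bank.example.com/" onmouseover="window.status='https://bank.example.com/'; return true">bank.example.com</a>
`;

// Return the host name if the text reads like a URL or a bare host name, else null.
function hostOf(text) {
  const m = /^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?::\d+)?(?:[\/?#]\S*)?$/i
    .exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

function findDeceptiveLinks(html) {
  const anchorRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  const findings = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = m[1];
    const hrefMatch = /\bhref\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const href = hrefMatch ? hrefMatch[1] : '';
    const visible = m[2].replace(/<[^>]+>/g, '').trim(); // strip nested tags
    const shownHost = hostOf(visible);
    const realHost = hostOf(href);
    if (/(?:^|\s)on[a-z]+\s*=/i.test(attrs)) {
      // A script handler (onmouseover, onclick, ...) on a mail link has no honest purpose.
      findings.push({ reason: 'event handler on link', href, shown: shownHost, actual: realHost });
    } else if (shownHost !== null && realHost !== shownHost) {
      // The text claims one site, the link goes to another.
      findings.push({ reason: 'shown host differs from real host', href, shown: shownHost, actual: realHost });
    }
  }
  return findings;
}
```

Links whose text is ordinary words ("Read the news") are not compared, since there is no claimed destination to check against.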

One more thing, even though I told you I will no longer include the MalwareDomainList file, that doesn't mean you cannot merge what MDL has with my or another blocking hosts file.  You can do it with a program called HostsMan.  Here is where you can get it:

HostsMan
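If you would rather not run a separate program, the merge itself is simple.  The following is an added example, not HostsMan and not the SecureMecca tooling: it takes two blocking hosts files (one using 0.0.0.0 as the sink address, one using 127.0.0.1 as MDL does), drops comments and the localhost entries, de-duplicates the names, and writes one list with a single sink address.  Both input files are constructed.

```javascript
// Added example (not HostsMan or the SecureMecca tooling): merge two blocking hosts
// files into one de-duplicated list with a single sink address. Inputs are constructed.
const myHosts = `# my blocking hosts file
127.0.0.1 localhost
0.0.0.0 tracker.example
0.0.0.0 ads.example   # ad server
`;
const mdlHosts = `# MDL style list, 127.0.0.1 sink
127.0.0.1  ads.example
127.0.0.1  malware.example evil.example
`;

const SINK_ADDRS = new Set(['0.0.0.0', '127.0.0.1']);
// System entries that belong in /etc/hosts but not in a blocking list.
const LOCAL_NAMES = new Set(['localhost', 'localhost.localdomain', 'broadcasthost']);

// Return the set of blocked host names in one hosts file.
function parseBlockedHosts(text) {
  const names = new Set();
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();   // drop comments
    if (line === '') continue;
    const [addr, ...hosts] = line.split(/\s+/);
    if (!SINK_ADDRS.has(addr)) continue;           // keep only blocking entries
    for (const h of hosts) {
      const name = h.toLowerCase();
      if (!LOCAL_NAMES.has(name)) names.add(name);
    }
  }
  return names;
}

// Merge any number of hosts files into one sorted blocking list using `sink`.
function mergeHostsFiles(sink, ...texts) {
  const merged = new Set();
  for (const t of texts) for (const n of parseBlockedHosts(t)) merged.add(n);
  return [...merged].sort().map(n => `${sink} ${n}`).join('\n') + '\n';
}
```

The output is only the blocking entries; your system's own localhost lines have to stay at the top of the real hosts file.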

Monday, March 7, 2011

New Direction

Although I would like to continue to add MalwareDomainList's (hereafter referred to as MDL) hosts into my hosts file it just cannot be done any more.  Here are the reasons why in their order of importance:

  1. I am connected to the Internet through Comcast.  I have already been flagged for having a bot machine and even had my ftp access to the SecureMecca.com web-site blocked.  Fortunately I was still able to upload to HostsFile.org, but the ability to analyze a lot of this stuff is gone and I cannot do it any more.  I can assure Comcast that my two Linux systems are not bots.  I shut down almost all user processes other than some xterms and fired up Wireshark.  Even the normal chit-chat of ARP was held down because I use an /etc/ethers file.  Nothing but the local GnuPG check packets were found, except for the one machine that did a check for OS updates.  They are clean.  Some may think I resent what Comcast has done, but I think it is a good interim measure even though it would not protect against the z-bot file I got in my email box two days ago (2011-03-05).  It is better to have that than what I provide, which nobody uses.
  2. I never did like blocking hosts that were just normal hosts that had an infection, especially when many times my PAC filter rules alone would have made it so they could go to the web-site safely.
  3. It was just too much to keep up with.  I primarily served as the mop-up crew by analyzing all of the hosts they removed, many times discovering malware still there, and frequently it had very low detection rates.  There were also hosts that met my criteria that didn't match MDL's.  For example, I block ads and trackers whereas they don't, so I need to know whether to keep them or not.  Given the massive amount of malvertisement, I would advocate that people either use what I have (PAC filter + blocking hosts file) or one of the browser ad-blocking programs I will give below, not necessarily to block the ads but to protect your machines.  In reality I think it is time for Windows users to either use a Macintosh or put up with the constant churn we Linux users live with and switch to Linux.  The computer is not an end in itself for me.  I use it to achieve my ends.

Since I am not adding the MDL hosts any more, you may want to add them yourself.  Here is where they are:

MDL Blocking host list

I will continue to peruse their URLs for patterns for the PAC filter:

All MDL Downloads

But you may want to check out the BLADE project that tries to block out all malicious downloads:

BLADE Malicious URL Project

I think that Comcast's Damballa anti-bot software, BLADE and other things are pretty ambitious.  The PAC filter at SecureMecca.com / HostsFile.org is at best only 15% efficient at stopping malware.  It gets a lot better if you disallow the download of all *.exe, *.msi, and *.scr files in the PAC filter, but just like the newer malware that disables a proxy, it is trivial for malware to disable the PAC filter.  I am glad that Symantec's NAV did flag the PAC filter as a potential problem.  Mine isn't one, but I have found a few PAC files out in the wild that are malicious.
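To show what "disallow the download of all *.exe, *.msi, and *.scr files in the PAC filter" looks like, here is an added, minimal PAC file in the same spirit; it is not the SecureMecca.com / HostsFile.org PAC filter itself.  Hosts on a block list and any URL whose path ends in one of those extensions are sent to a proxy that nothing listens on, so the request fails; everything else goes direct.  The domain names are constructed placeholders, and the PAC built-ins (dnsDomainIs, shExpMatch) are deliberately not used so the file also runs under plain Node.

```javascript
// Added example, not the SecureMecca PAC file: a minimal PAC filter that sends
// blocked hosts and executable downloads to a black-hole proxy.
// Domain names are constructed placeholders.
var BLACKHOLE = "PROXY 127.0.0.1:9";   // nothing listens on port 9, so the fetch fails
var BLOCKED_DOMAINS = ["malware-host.example", "adserver.example"];
var BLOCKED_EXT = [".exe", ".msi", ".scr"];

// True if host is one of the blocked domains or a subdomain of one.
function inBlockedDomain(host) {
  host = host.toLowerCase();
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    var d = BLOCKED_DOMAINS[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

// True if the URL path (query and fragment stripped) ends in a blocked extension.
function isExecutableDownload(url) {
  var path = url.split("#")[0].split("?")[0].toLowerCase();
  for (var i = 0; i < BLOCKED_EXT.length; i++) {
    var ext = BLOCKED_EXT[i];
    if (path.slice(-ext.length) === ext) return true;
  }
  return false;
}

// The browser calls this for every request when the file is configured as a PAC script.
function FindProxyForURL(url, host) {
  if (inBlockedDomain(host) || isExecutableDownload(url)) return BLACKHOLE;
  return "DIRECT";
}
```

Note that this only covers what the browser fetches through the PAC script; anything that changes the proxy settings, as the post says newer malware does, bypasses it.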

There is one big problem in all of this.  The malware is coming so fast and furious that some myths need to be dispelled.  First, I am getting tired of hearing this "day zero" garbage.  That may have been what it was five plus years ago.  But about one to three years ago it became week zero, then month zero.  I would discover malware and give it to the malware companies via my back-route channel, and frequently fewer than 6/42 of the AV programs at VirusTotal detected it.  Many times none of them detected it.  After giving the malware to ClamAV and via the back-route channel, the detection would slowly crawl its way up to only half of them detecting it, taking well over two weeks to get there.

In short, what was really protecting most Windows users was just the random chance of not encountering the bad stuff in the first place.  With many millions of web sites and only a few thousand infected ones, that is usually a pretty good gamble until you hit a bad one.  But what happens when you hit them and they are at the low-probability end of detection, or when they come down via malvertisement?  In the case of the ad servers being corrupted with malware, the damage can be pretty extensive, with millions of machines running Microsoft Windows getting infected!  I have three possible solutions for you, in the reverse order of what I actually do:
  1. Purchase either Windows 7 Pro or Windows 7 Ultimate.  Do the bulk of your work on the computer in interacting with the Internet in virtual mode.  That way when you get infected, hopefully you can shut down and toss all of the changes to the OS away.  You still have to put up with booting to the real (non-virtual) system to update your AV software, and Symantec's NAV is updating at least hourly if not more often.
  2. Use a Macintosh.  I realize that they have embedded spying on them, but at least you get rid of the Windows malware.  To date I keep seeing nothing but POC malware for the Mac and have received none of the malware for Linux.  Both Macintosh malware and Linux malware exist, but they are the least of your problems.  Personally, I don't understand why Apple won't take that tracking out of their systems.  That would make it possible for them to pursue many lucrative government contracts.  Maybe they already have taken it out, in which case the only objection you can have is cost.  But everything you get works and works well.  Most people love the GUI the Macintosh has.
  3. Use Linux.  There is no tracking, but I cannot, for example, get my printer to work any more with Linux.  It is an old mossy HP LJ-4P with a parallel interface.  I have nothing but USB on my machines now, so I have a USB-to-parallel adapter cable.  It works with XP (all I can afford), but it doesn't work with Linux.  I have no money for a new printer.  I also hear that the new version of Ubuntu is replacing the Gnome GUI that I standardized on.  There is always a flux with the newer versions of Linux, and I deeply miss the plain old hexedit that worked in the xterms.  But it is free and the Windows malware problems go away.  In case you haven't guessed it yet, this is the option that I have chosen.

So there you have it.  I will of course continue to add web-bugs, trackers and ad servers to the filters, but if you want to primarily block ads and use either the Firefox or Chrome browsers, then I strongly advise that you use one of the plug-ins they have for that purpose in those browsers.  If you are using Chrome on Chromium OS, just type in chromeadblock.com and that will install it for your session.  But when you shut the system down the adblock will probably go away.

Google Chrome browser AdBlocker

Firefox AdBlock Plus

If your browser of choice is Internet Explorer, Opera, or Safari, then you can still use the PAC filter to good effect.  I would advise that you not turn the debug on in Internet Explorer, and you cannot turn it on in either Opera or Safari.  If you use Microsoft Windows you can also purchase Ad Muncher, but it doesn't do much to protect against malware.  I still block ads as well, but usually only in the PAC filter.

I am also devoting a lot of time and effort to get rid of Daylight Saving Time which in reality saves nothing.  Every time I turn around the TZ (Time-Zone) database on Linux is being updated for this lunacy.

No More Daylight Saving Time