Monday, June 11, 2012

Linux Immune To Windows Malware

My ISP is still monitoring my WAN IP in such a manner that it can only be considered wire-tapping.  May I humbly suggest they put their own house in order first?  Here are the URLs from my recent PhishTank run (2012-06-11) that were all phish in their own domain.  I went to all of them rather than depending on the screen-shot and verified that they were indeed phish:

http://2301patricia.home.comcast.net/
http://2301patricia.home.comcast.net/~2301patricia/
http://berkower.home.comcast.net/
http://carol.miller7.home.comcast.net/
http://directorking.home.comcast.net/

I have these rules activated not just during PhishTank runs, but all the time:

BadURL_WordEnds[i++] = "\.exe";
BadURL_WordEnds[i++] = "\.msi";
BadURL_WordEnds[i++] = "\.scr";
BadURL_WordEnds[i++] = "\.zip";
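As an added example, not the author's SecondHosters program or the SecureMecca PAC filter, here is how rules of this shape can be compiled into one regular expression and used to winnow the Windows-binary URLs out of a URL list; the helper names (compileWordEnds, urlPath, winnowUrls) and the sample URLs are assumed, and the backslash is doubled so the regex sees a literal dot rather than "any character":

```javascript
// Added example (not the author's SecondHosters program): winnow Windows-binary
// URLs out of a URL list using rules in the same shape as the PAC filter's
// BadURL_WordEnds array.  The endings come from the post; helper names and
// the sample URLs are assumptions for this example.
const BadURL_WordEnds = [];
let i = 0;
BadURL_WordEnds[i++] = "\\.exe";   // "\\." keeps a literal dot once this becomes a RegExp
BadURL_WordEnds[i++] = "\\.msi";
BadURL_WordEnds[i++] = "\\.scr";
BadURL_WordEnds[i++] = "\\.zip";

// One case-insensitive regex: the URL path must END in a listed extension.
function compileWordEnds(ends) {
  return new RegExp("(" + ends.join("|") + ")$", "i");
}

// Reduce a URL to its path so a query string or fragment after the file
// name (".zip?id=7", ".msi#top") cannot hide the ending from the rule.
function urlPath(url) {
  const noFragment = url.split("#")[0];
  const noQuery = noFragment.split("?")[0];
  const afterScheme = noQuery.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const slash = afterScheme.indexOf("/");
  return slash === -1 ? "/" : afterScheme.slice(slash);
}

function isWindowsBinaryUrl(url, re = compileWordEnds(BadURL_WordEnds)) {
  return re.test(urlPath(url));
}

// Split a list into the binaries (to hand to a malware-domain list) and the
// rest (which stay in the phish review queue).
function winnowUrls(urls) {
  const re = compileWordEnds(BadURL_WordEnds);
  const binaries = [], rest = [];
  for (const u of urls) (re.test(urlPath(u)) ? binaries : rest).push(u);
  return { binaries, rest };
}

// Constructed sample list (placeholder host, not real phish URLs).
const SAMPLE_URLS = [
  "http://example.invalid/login/index.php",
  "http://example.invalid/update/Invoice.EXE",
  "http://example.invalid/files/doc.zip?id=7",
  "http://example.invalid/zipcodes/",          // "zip" inside the path is not an ending
  "http://example.invalid/setup.msi#top",
];

console.log(winnowUrls(SAMPLE_URLS));
```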

But I really don't need them.  That is because I am using Linux, not Windows.  I have nothing to run Windows binaries on any of my Linux systems.  If a Linux distro comes with WINE or anything like it I make sure I remove it ASAP.  I take a very dim view of any Windows binary emulation software running on Linux unless the end user adds it.  If somebody wants to load WINE or other emulation software they can, but I neither desire nor need the ability to run Windows binaries on Linux.  But since the Windows binary URLs are so in-your-face at PhishTank, I have provided a small program that winnows them out of a list of URLs (it has just been modified to include zip files).  That does not mean that PhishTank will use the program:

SecondHosters.txt
SecondHosters.7z

The SecondHosters.7z contains the programs and sample URLs.  If your unzip program doesn't support the 7-zip format you should probably just get rid of it and install and use 7-Zip instead:

http://www.7-zip.org

Hopefully we can get a way of shipping the malware URLs off to MalwareDomainList.com and out of the review lists at PhishTank ASAP.

But Windows binary malware does not run on Linux.  Do you hear that, Comcast?  Stop spying on me and start taking steps so that I don't keep seeing these phish URLs, not on your customers' PCs but on your own servers.

Tuesday, June 5, 2012

Hosts File Installer

   For years I have created a hosts file.  So far, almost nobody but me has used it.  So when somebody called Alexander Kowalski put forward a hosts file installer I was naturally suspicious.  I was even wondering if I was going to get sued, since the MVPHosts author has been sued so many times.  It went through the go-arounds.  About 1-2 years ago I had a machine crash and burn.  I replaced it with two machines but made both of them multi-boot rather than having a virtual machine.  Because Comcast (my ISP) posed significant problems in evaluating malware I didn't install any malware analysis tools.  I depended almost completely on VirusTotal as an acid test, except for the new style PAC Phish Trojans.  Comcast's anti-bot service kept telling me my machines, running Linux 99% of the time, were infected.  So I almost completely stopped evaluating malware.  Ergo, I was not the best person to evaluate Alexander's software.  So I had to wait for ClamAV and other AV companies to clear it.  Finally, Steven Burn (hpHosts) also cleared it.  It didn't matter because I had already put it up on my server for others to download.  The password for both zips is "winrar" - what it was packaged with.  I have to use a zip (both zip and 7-zip are provided) because you cannot download an exe file from SecureMecca.com.  I provided the password as an extra form of placating my Web Service Provider.  The password may be dropped in the future but it will probably always be zipped because Comcast monitors any exe files coming to or going from my machine.


   What Alexander didn't know was all of the other issues that happened at the same time.  One was a flood (literally) of clicker spam email messages in one of my email accounts that had nothing to do with him.  Anyway, this main folder has the original program and a newer version that I uploaded on 2012-06-01 (yyyy-mm-dd) in different folders for tracking.  It has the nasty effect that every time it is changed some AV programs detect it as bad again.  I think shifting from WinRAR to Inno Setup may get rid of these problems.  All I can say is that if it is good enough for ClamAV, who finally cleared it, then other AV companies are going to have to either white-list it or tame their heuristics.  I even have Comodo detecting my program for checking for duplicate blocks (hosts having 127.0.0.1 as their IP address) in a hosts file as bad:


I submitted it to Comodo for analysis and less than 24 hours later they had it cleared.  A few days later Comodo was detecting it as bad again at VirusTotal.  It does make me wonder what Comodo is doing.  For heaven's sake, because ckdupe is under the GPL license, Comodo even has the source code to help review it.  Is either Alexander's Hosts File Installer or my ckdupe bad?  No.  But in the case of ckdupe you have the source code.  Alter it to meet your own needs.  I use it on Linux as a check that my hosts file does not have any duplicates in it.  Ditto when I install my hosts file on Windows, as a double check.
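The duplicate-block check described above, as an added example in JavaScript rather than the author's GPL ckdupe: it parses a hosts file, reports any host blocked more than once, and also flags a host that is both blocked and mapped to a real address, which the resolver settles by first match so the block can silently fail.  Treating 0.0.0.0 as a block address alongside 127.0.0.1 is an assumption beyond the post, and the sample hosts text is constructed.

```javascript
// Added example, not the author's ckdupe: find duplicate block entries in a
// hosts file, i.e. the same host name mapped to a block address more than once.
// Host names are compared case-insensitively, as the resolver compares them.
// 0.0.0.0 as a second block address is an assumption, not from the post.
const BLOCK_IPS = new Set(["127.0.0.1", "0.0.0.0"]);

// Parse hosts-file text into {ip, host, line} records; comments and blank
// lines are dropped, and a line may name several hosts after the IP.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) return;
    const [ip, ...hosts] = line.split(/\s+/);
    for (const h of hosts) entries.push({ ip, host: h.toLowerCase(), line: idx + 1 });
  });
  return entries;
}

// duplicates: hosts blocked more than once, with every line they appear on.
// conflicts: hosts that are blocked on one line and mapped to a real address
// on another (which one wins depends on resolver order).
function checkDuplicates(text) {
  const seen = new Map();   // host -> [{ip, line}, ...] in file order
  for (const e of parseHosts(text)) {
    if (!seen.has(e.host)) seen.set(e.host, []);
    seen.get(e.host).push({ ip: e.ip, line: e.line });
  }
  const duplicates = [], conflicts = [];
  for (const [host, hits] of seen) {
    const blocked = hits.filter(h => BLOCK_IPS.has(h.ip));
    if (blocked.length > 1) duplicates.push({ host, lines: blocked.map(h => h.line) });
    if (blocked.length && blocked.length < hits.length) conflicts.push(host);
  }
  return { duplicates, conflicts };
}

// Constructed sample hosts file (placeholder names, not real entries).
const SAMPLE_HOSTS = [
  "127.0.0.1 localhost",
  "# trackers",
  "127.0.0.1 tracker.example.invalid",
  "127.0.0.1 Ads.Example.Invalid  # case differs, same host",
  "127.0.0.1 tracker.example.invalid",
  "0.0.0.0   ads.example.invalid",
  "192.0.2.10 build.example.invalid",
  "127.0.0.1 build.example.invalid",
].join("\n");

console.log(JSON.stringify(checkDuplicates(SAMPLE_HOSTS)));
```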

   I don't use what Alexander provides since I use UnixUtils and my own scripts.  If you use UnixUtils I advise using the merged version:


The reason is that I have used Unix since the late 1970s, so I am used to this way of doing things.  I do provide help installing UnixUtils, and at least on Windows XP, the previous three scripts are plopped on the desktop (impossible with Windows 7).  A double click on any of them will tell you if you are up to date, or download the files to install.  Some people complained about the method of copying the 7-zip exe file.  It is not my fault Microsoft uses back-slashes instead of forward slashes.  They should also not use anything in file or folder names other than alphanumeric characters and the dot punctuation mark.  I don't want spaces, or any other punctuation marks, in file or folder names.  For these scripts I use a magical small file named hdate.txt for the hosts file and pdate.txt for the PAC filters.  They are changed every time the PAC filters change (both French and English PAC filters are done simultaneously) or the hosts file changes.  I have to admit that Alexander's program is infinitely preferable to my scripts for a novice.  A similar program that would track their changes and update the PAC filters would be useful if they were used by many people.

You can see all of the files in the Downloads folder even though the web-site doesn't have a link to it (more to keep things simple than anything else).  These folders and the files in them are not visible on HostsFile.org but they are visible on SecureMecca.com.  Here is where the downloads folder is; you can see all of the files in it:


   I am trying to talk Alexander into creating a blog on how to use his program.  I am on Linux over 98% of the time.  It also is not my program - it is his.  When he creates a blog I will add a pointer to it here and create a new blog entry pointing to it.  I am also trying to talk Alexander out of using WinRAR as his packaging program and into using Inno Setup instead.  One thing he should do is put his Copyright string in both the program files and the install program.  It would be nice if he put version numbers in the installer, but it is mandatory that he put version numbers in the program itself.  I will still probably put them in date folders as he provides newer versions of the program.  That way you have a choice.  Boy, would I like an older version of Thunderbird where I could right click on an email message in one of my two POP email accounts, select "move to", and move it to one of my local folders.  Newer doesn't always mean better.

Why do I create a hosts file?

   The rules for the PAC filter don't come out of thin air.  Also, the cookie block list used in the Firefox add-on CookieSafe came from SecureMecca.com.  But there are times when the PAC filter needs a white-list rule (called a GoodDomains rule) where the PAC filter is effectively disabled.  The hosts file is a back-up block method in those cases, which means what SecureMecca.com and HostsFile.org provide is more minimalist than these block lists:


   Paradoxically, the hosts file at SecureMecca.com and HostsFile.org (identical) is larger than the number one blocking hosts lists on the Internet despite the fact that it is meant as only a backup method for blocking with the PAC filter being number one:


Why is mine so much larger than MVPHosts?  I don't know.  Spam contributes a lot.  So do the malware hosts, which come and go so fast that if I can, I create a PAC filter rule that will block the malware host by patterns without me even knowing the host name.  I have a clue for you - porn is not just porn.  The older pornproxy PAC filter tries to block porn.  The newer proxy and dbgproxy files have some porn-sounding rules.  That is because there was too much malware with those patterns.  Think of the PAC filter as something that prevents you from accidentally having your Windows machines sucked over into the porn zone.  Write to me and I will give you the names of the programs that block porn more completely if that is what you want.  Be aware of one thing - the porn filters slow your machine down considerably.  The PAC filter actually speeds things up.  The porn filters don't block ads, but the PAC filter and my hosts file do block trackers, web-bugs (those trapping hosts for example), malware, and ads.  But I think the major difference between me and MVPHosts is that trackers have a higher priority for me.  On Linux, about the only malware I have are JavaScript browser infections.  That is why I block things I know will do that in both the PAC filter and hosts file and have scripts that keep making fail-safe backups for the browsers I use the most on Linux, Firefox and Opera:


If I ever get a browser user data folder infection I just do the following:

1. Close the browser
2. Blow away the browser's user data folder (~/.mozilla or ~/.opera)
3. Restore the old backup of that folder
4. Update ABP, Cookie-Safe and anything else.
5. Create a new fail-safe backup.

There are other forms of malware on Linux but mostly those are targeting servers, not a desktop system.  I also block the known spy-ware toolbars.  But on Linux, the real number one threat is trackers.  I have more of them than MVPHosts has, but I don't add *.2o7.net hosts or *.omtrdc.net hosts in the hosts file.  They are in a separate add.2o7Net file you have to tack on.  Why?  Because they are DNSWCD (DNS WildCard Domain) hosts.  They will be in DNS forever.  That is why I block them in the PAC filter.  The PAC filter can block all of them with just two rules.  It also has other rules that discover the aliases to the *.2o7.net and *.omtrdc.net hosts (which can and do drop out of DNS when they are no longer used).  That still doesn't explain why mine is bigger.  I will say I will live with dead hosts a little longer.  But my hosts file is actually in separate sections.  I monitor the add.Risk hosts much more often than the trackers, ad-servers and spy-ware (in the main section).  I used to do it with spam as well but lately spam hosts stay alive just as long as trackers and ad servers.
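To make the two rule kinds discussed here concrete, the following added example (not the SecureMecca proxy.pac) is a minimal FindProxyForURL with a GoodDomains white-list, where the filter stands down and the hosts file is the only block left, and two wildcard rules that catch every host under *.2o7.net and *.omtrdc.net, which a hosts file entry cannot express.  The BLACKHOLE address, the sample GoodDomains entries and the hostOf helper are assumptions.

```javascript
// Added example (not the SecureMecca proxy.pac).  A PAC engine calls
// FindProxyForURL(url, host); the blackhole address and the white-list
// entries below are assumed values for this example.
const BLACKHOLE = "PROXY 127.0.0.1:3421";   // assumed pseudo web server that answers blocked requests

// GoodDomains: the PAC filter is effectively disabled for these and their
// subdomains, so only the hosts file still blocks anything there (sample entries).
const GoodDomains = ["bank.example", "intranet.example"];

// Two wildcard rules cover every host under the DNSWCD tracker domains from the
// post, including names that only exist because the wildcard answers them.
const BadDomains = [/(^|\.)2o7\.net$/i, /(^|\.)omtrdc\.net$/i];

// A host is white-listed if it is the domain itself or any subdomain of it.
function inGoodDomains(host) {
  return GoodDomains.some(d => host === d || host.endsWith("." + d));
}

// Host extraction without the PAC helper functions (dnsDomainIs etc.) so the
// same logic runs under plain Node for testing; strips any :port.
function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#:]+)/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

function FindProxyForURL(url, host) {
  host = (host || hostOf(url)).toLowerCase();
  if (inGoodDomains(host)) return "DIRECT";          // white-list wins: filter stands down
  if (BadDomains.some(re => re.test(host))) return BLACKHOLE;
  return "DIRECT";
}

console.log(FindProxyForURL("http://metrics.2o7.net/b/ss", "metrics.2o7.net"));
```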

Enjoy the new and improved hosts file installer that Alexander Kowalski has provided!  You can use it with any blocking hosts file out there, not just mine.  Here are some more:


Cameleon
SomeoneWhoCares
http://pgl.yoyo.org/adservers/


Contrary to popular belief, the eDexter pseudo HTTP web server was still available but not at the original web-site as of 5 June 2012:


eDexter


The other alternatives are Homer or HostsMan:


Homer
HostsMan


I am trying to talk Alexander into providing a pseudo web server that handles both ports 80 (http) and port 443 (https).  He could make it for pay and I would still tout it over anything else.  HostsMan also provides an alternative hosts file installer.  In fact that is the main thing HostsMan provides.  I never looked at it seriously because all anybody uses that I have created is the blocked cookie list (you need Cookie-Safe in Firefox) and the PAC filter.