Alexander Kowalski sent me this link about Windows Defender removing entries from the hosts file:
GHacks hosts file SNAFU
At first I thought that they were doing it to remove redirects of Facebook and others. That does happen, but most often the malware redirects to an external IP address, not to yourself (127.0.0.1). But that removal of the remapping of the ad-server ad.doubleclick.net to 127.0.0.1 just kept gnawing at me for the past eight hours. I finally concluded that there was no way Microsoft would knowingly remove a redirect for their competitor Google, especially since it doesn't make you any safer. I rarely see doubleclick pretenders. Even worse, several years back ad.doubleclick.net was doling out malware for about 24 hours. In any case I don't believe Microsoft would knowingly remove a block of a Google host. So what is doing the removal? From most things I have read it is Windows Defender on Windows 8 that is doing the dastardly deed of removing the blocks of facebook.com, ad.doubleclick.net and potentially other hosts. So if you are using Windows XP or Windows 7, settle down because it doesn't affect you, especially if you are using some AV package other than Microsoft Essentials. There is the normal confusion here because of Microsoft's musical chairs games with their product line-up.
Then I thought back when Instant Messenger was being exploited. Microsoft programmers did a case sensitive pattern match that removed the threat the way it was spelled out at the time - in lower case. So the hackers made it upper case and the threat continued. If anything that argues that an ISO-Latin operating system should always be case sensitive. The programmers would have been really dumb if they had just added the upper case match as well. But you can see the problems with that with an eight character word. Each one of the letters can be either lower case or upper case which means you have 2^8 for an eight letter word or 256 possible combinations. The answer is simple, either lower case or upper case everything and then pattern match with that case. But if you had a case sensitive operating system you would have done it properly from the start since only 1 of the 256 possible combinations would have been correct.
So what is Windows Defender in Windows 8 doing? I suggest that instead of removing only the redirects of Facebook and others to something bad they are removing all of the hosts that are mapped to the IPv4 localhost address 127.0.0.1. That is about the only thing that explains removing the block of ad.doubleclick.net. It remains to be seen if they also remove all of the remappings of localhost in IPv6 which is "::1". They may even do it for the ip6-localnet of "fe00::0". Okay, here is a wonderful list of hosts to test it with:
MalwareDomainList Block Hosts list
Will somebody that is running Windows 8 RTM please put some of these block hosts remapped to 127.0.0.1 in their hosts file? When they are mapped to 127.0.0.1 you have removed the danger. If Microsoft removes the entries they are actually exposing you to the danger of those hosts again. Do not go to the hosts that are in MalwareDomainList! Just see if Windows Defender (or whatever it is) removes that entry from the hosts file on Windows 8 RTM.
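To make the test above less of a guessing game, here is an added example (my illustration, not a tool from the post or from Microsoft) that parses a hosts file, separates entries mapped to a sink address (127.0.0.1, ::1, 0.0.0.0, i.e. blocks) from entries mapped anywhere else (redirects, the hijack pattern), and diffs a before/after snapshot to list which blocks disappeared. The sample hosts contents and the 203.0.113.5 address are constructed for the demo; hostnames are lower-cased before comparison because DNS names are case-insensitive, which is exactly the trap discussed earlier.

```python
# Added example (not from the post): classify hosts entries and diff
# two snapshots of the file to see which block entries were removed.
import ipaddress
from typing import Dict, List, Tuple

# Addresses that turn a hosts entry into a block rather than a redirect.
BLOCK_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately point at loopback and are not blocks.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, hostnames lower-cased so that
    one canonical form covers every case variant of a name."""
    entries = []
    for raw in text.splitlines():           # handles LF and CRLF files
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                         # blank or malformed line
        addr = fields[0]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                         # first field is not an address
        for host in fields[1:]:
            entries.append((addr, host.lower()))
    return entries


def classify(entries: List[Tuple[str, str]]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split entries into blocks (mapped to a sink address) and redirects
    (mapped to any other address). A well-known site redirected to a
    remote address is the pattern worth alerting on."""
    blocks: Dict[str, str] = {}
    redirects: Dict[str, str] = {}
    for addr, host in entries:
        if host in LOCAL_NAMES:
            continue
        (blocks if addr in BLOCK_TARGETS else redirects)[host] = addr
    return blocks, redirects


def removed_blocks(before: str, after: str) -> List[str]:
    """Hostnames blocked in `before` that are no longer blocked in `after`."""
    before_blocks, _ = classify(parse_hosts(before))
    after_blocks, _ = classify(parse_hosts(after))
    return sorted(h for h in before_blocks if h not in after_blocks)


# Constructed sample: the file before and after some tool edited it.
BEFORE = """\
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net      # ad server, blocked on purpose
127.0.0.1 Example-Malware.test    # mixed case on purpose
::1       ad.doubleclick.net
"""
AFTER = """\
127.0.0.1 localhost
203.0.113.5 www.facebook.com      # constructed: a redirect, not a block
"""

if __name__ == "__main__":
    for host in removed_blocks(BEFORE, AFTER):
        print("block removed:", host)
    _, redirects = classify(parse_hosts(AFTER))
    for host, addr in redirects.items():
        print("redirect to remote address:", host, "->", addr)
```

Run it against a copy of the hosts file saved before the reboot and the live file afterwards; anything in the "block removed" list is a host you are exposed to again.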
Don't always depend on the browsers or a bot service by your ISP to protect you. They are always dependent on security researchers that make those lists. There is one less of them because I don't handle the malware any more. Both Microsoft and Comcast have put too many obstacles in my way so I switched to whacking the spam in my email boxes (which you may or may not get) and trackers. After all, they are the highest threats a Linux user like me faces.
So let's run the tests, and if the entries are removed, will some of you MVP status people step forward and speak? Being highly commended by Richard Stallman several years back for the work I do carries zero weight with Microsoft. But those GPL licenses are a god-send for the work I have done and continue to do. They provide infinitely more protection to me than a Creative Commons license would give me.
Wednesday, August 15, 2012
There is another Hosts File Installer program created by Alexander P. Kowalski. You can download the latest version here:
This zip file is in the 2012_06_01 folder. If you want the older version or to look around you need to go to the top level APK folder. It is here:
Brief instructions for how it works are at Start64.com. As you can imagine it is made to work with Windows 7 64-bit and the instructions are tailored around that OS version. Here are the brief instructions:
As you can imagine, you will need some sort of hosts file to use the program with. Here are some of them with some information that will reduce the load on the servers if that is possible. If there is no need to update, why update? I will give a brief explanation of each.
These are perhaps the most complete files on the Internet. Since they are so large, please check the update.txt file (second link) first. They are 7-zipped so you will need something that supports the 7-zip format to use them. They are just too large to download the whole files without some sort of compression.
7-Zip is far and away the best compression algorithm. In addition it cannot be made to expand forever, cannot be peered into on Windows, and you throw the UID:GID of the files away on Unix / Linux.
This list is fairly similar to MVPHosts later on but it does have French specific hosts added to it and very few comments. It is hosted at sysctl.org.
Unix Utils Folder
Unix Utils - zipped with instructions
AutoHosts shell script
SecureMecca.com Downloads folder
If you compare the current sizes of 857K for the uncompressed hosts.txt file compared to 178 K (AutoHosts.unx.7z), 341 K (AutoHosts.unx.zip), 180 K (AutoHosts.msw.7z), and 346 K (AutoHosts.msw.zip) you can see that in addition to having all of the constituent files and OpenPGP signatures of the add.Risk and hosts file you still save a lot of network bandwidth. If you just look at the date on the hosts.html file or the hdate.txt file you will save even more if nothing has changed. They change almost every week. My script pulls down the hdate.txt file first and if it has not changed nothing is done. I used to round robin between HostsFile.org and SecureMecca.com. But the HostsFile.org owner (it is not mine but the files are) mentioned he wanted to take it down. You cannot see the files in the Downloads folder and there are NO 7-zip files, only zip files on HostsFile.org. IIS is what is doing that. SecureMecca.com is on a modified Unix type system.
Actually, this is distributed across several hosts. Because they may fail due to either DDOS (hosts-file.net had a three day DDOS on the second week of August 2012) or one or more of the servers being down I made it try one server after another until it gets the zip file. I am sorry but the files in the hpHosts folders are in LF format only since they were made to work only on Linux. Windows users need to use NotePad++, psPad, or Vim to look at the files to get some sort of idea what you could do with VBS.
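The two download habits described above (pull the small hdate.txt first and only fetch the archive when it changed; try one mirror after another until one answers) are shown together in this added example. It is my illustration, not the author's script: the fetch function is injected so the logic runs offline against a constructed in-memory "server", the mirror URLs use example.invalid, and the archive name AutoHosts.unx.7z is taken from the post. A real run would pass http_fetch instead of fake_fetch and then verify the OpenPGP signature before installing.

```python
# Added example (not the post's script): conditional download keyed on the
# hdate.txt stamp, with mirror fallback. Assumes each mirror serves
# /hdate.txt and /<archive> under the same base URL.
import tempfile
import urllib.request
from pathlib import Path
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], bytes]


def http_fetch(url: str) -> bytes:
    """Real fetcher for production use (not exercised in the demo)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def fetch_from_mirrors(fetch: Fetch, mirrors: List[str], path: str) -> bytes:
    """Try each mirror in order; the first that answers wins."""
    last_error: Exception = RuntimeError("no mirrors configured")
    for base in mirrors:
        try:
            return fetch(base + "/" + path)
        except Exception as exc:          # DDOS, server down, 404: move on
            last_error = exc
    raise last_error


def update_if_changed(fetch: Fetch, mirrors: List[str], cache_dir: Path,
                      archive: str = "AutoHosts.unx.7z") -> bool:
    """Return True when a new archive was downloaded, False when the cached
    stamp matches and only hdate.txt was transferred."""
    cache_dir.mkdir(parents=True, exist_ok=True)
    stamp_file = cache_dir / "hdate.txt"
    remote_stamp = fetch_from_mirrors(fetch, mirrors, "hdate.txt").strip()
    if stamp_file.exists() and stamp_file.read_bytes().strip() == remote_stamp:
        return False                      # nothing changed, save the bandwidth
    data = fetch_from_mirrors(fetch, mirrors, archive)
    (cache_dir / archive).write_bytes(data)
    stamp_file.write_bytes(remote_stamp)  # record the stamp only after success
    return True


# Constructed fake server: first mirror is "down", second serves the files.
MIRRORS = ["https://down.example.invalid", "https://up.example.invalid"]
FAKE_SERVER: Dict[str, bytes] = {
    "https://up.example.invalid/hdate.txt": b"2012-08-15\n",
    "https://up.example.invalid/AutoHosts.unx.7z": b"constructed-archive-bytes",
}
CALLS: List[str] = []


def fake_fetch(url: str) -> bytes:
    CALLS.append(url)
    if url not in FAKE_SERVER:
        raise ConnectionError("mirror unreachable: " + url)
    return FAKE_SERVER[url]


def demo() -> Tuple[bool, bool, int]:
    """Run two update cycles; returns (first_downloaded, second_downloaded,
    number_of_archive_transfers)."""
    cache = Path(tempfile.mkdtemp())
    first = update_if_changed(fake_fetch, MIRRORS, cache)
    second = update_if_changed(fake_fetch, MIRRORS, cache)
    transfers = CALLS.count("https://up.example.invalid/AutoHosts.unx.7z")
    return first, second, transfers


if __name__ == "__main__":
    print(demo())   # expect (True, False, 1)
```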
hosts-file.net wget files (7-Zip)
hosts-file wget files (zip format)
ckdupe program (Windows)
The ckdupe program will check for duplicates in a hosts file or just spit out all of the host names. I mentioned that hosts-file.net author who is an MVP has had a DDOS. He also receives lots of bounced spam where they forge the headers on a PC and have them send out mail pretending to be hosts-file.net. A spammer is doing the same thing with securemecca.com. I call the bounces lemons and have been making the host names (lemons) into lemonade (read - they go into my hosts file).
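For readers on Linux who cannot run the Windows ckdupe program, here is an added example of the same two jobs written by me (it is not ckdupe and makes no claim about how ckdupe works internally): list every hostname in a hosts file, and report duplicates. Names are compared case-insensitively, so "BAD.EXAMPLE" and "bad.example" count as the same entry, and both LF and CRLF files are accepted. The sample file contents are constructed.

```python
# Added example (not the ckdupe program): hostname listing and
# case-insensitive duplicate detection for a hosts file.
from collections import defaultdict
from typing import Dict, List


def _hosts_on_line(raw: str) -> List[str]:
    """Hostnames from one hosts line, ignoring comments and the address."""
    line = raw.split("#", 1)[0].strip()
    fields = line.split()
    return fields[1:] if len(fields) >= 2 else []


def hostnames(text: str) -> List[str]:
    """Every hostname in file order, original case preserved."""
    names: List[str] = []
    for raw in text.splitlines():          # LF and CRLF both work
        names.extend(_hosts_on_line(raw))
    return names


def find_duplicates(text: str) -> Dict[str, List[int]]:
    """Map each lower-cased hostname that occurs more than once to the
    1-based line numbers where it occurs."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        for host in _hosts_on_line(raw):
            seen[host.lower()].append(lineno)
    return {host: lines for host, lines in seen.items() if len(lines) > 1}


# Constructed sample with a mixed-case duplicate and a multi-host line.
SAMPLE = (
    "127.0.0.1 localhost\r\n"
    "127.0.0.1 bad.example\r\n"
    "127.0.0.1 tracker.example\r\n"
    "127.0.0.1 BAD.EXAMPLE   # same host, different case\r\n"
    "0.0.0.0   bad.example tracker.example\r\n"
)

if __name__ == "__main__":
    print("\n".join(hostnames(SAMPLE)))
    for host, lines in find_duplicates(SAMPLE).items():
        print("duplicate:", host, "on lines", lines)
```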
MalwareDomainList hosts file
This is malware specific for Windows. Since there are so few of them I have most of these hosts in both the Linux and Windows file versions. They come and go so fast that if you wait much over two weeks they will be out of date.
This is probably one of the oldest hosts files out there. I don't know why it is so small but it is what it is. It is the only hosts file I usually see in HJT logs all over the Internet. That could be because it doesn't block enough or it is about the only hosts file used. I have concluded it is the latter.
An oldie but a goodie. He does update it.