Thursday, September 3, 2015

Malvertisement

Just a few weeks ago I was reading an article at the Washington Post about people using ad-blockers and how awful they are.  It has even turned out that Microsoft bad-mouths all blocking hosts files that I and others provide.  All we do is block ads, they say.  OH?  Microsoft started with Windows 7 to remove any hosts file entry that has a 0.0.0.0 or 127.0.0.1 at that time and continues the practice now with Windows 8 and Windows 10.  With Windows 7 the workaround was to install another AV package that leaves that alone.  What is surprising to me is that Microsoft bad-mouths Mike Burgess of MVPHosts and Steven Burn of hpHosts (hosts-file.net).  But several years back Microsoft gave both of them MVP status.  Then the other day DuckDuckGo complained about me having an ad-blocker.  Well DuckDuckGo, that is backed up by both my blocking hosts file and my PAC filter.  But I even have a rule for you in my PAC filter:

DuckDuckGo rule in my PAC filter
(Search for DuckDuckGo; I did turn off ABP for what they block with you)

Well, I don't target ad-servers per se.  But I do target trackers.  But everything is moot - nobody but me uses my stuff anyway.  "We will stay at the big safe sites" is what most people say.  Oh really?  Then here is something you should read, an article on Malvertisement from El Register, thanks to the Security Space Newsletter that pointed to one of their articles.  That article had a link to this one:

El Register Malvertisement Article

Those kinds of ads are the ones I am looking at to block.  In my PAC filter I block a DNSWCD (DNS WildCard Domain) named LinkBucks that the ad-blocking plugins don't block.  It works on Windows 7 only with a majestic fight by very knowledgeable Windows people.  There again we have that Microsoft "we will fight you" mentality.  Another way of saying it is either our way or the highway.  I do volunteer work less frequently now at Phishtank.  But even on Linux, which is totally immune to all Windows binary malware (protecting your user browser data files is your main problem on Linux desktops and laptops vis-a-vis malware), you need some sort of protection.  They can trap the browser with JavaScript.  I cannot use NoScript or something similar.  But the PAC filter still blocks some phishing attempts, so I need some sort of protection not from the malware but from exploits that lock the browser, etcetera.  I take the vanilla dbgproxy_fr (remember I am on Linux) and add the few extra rules that I am testing and then do this:

# grep -v Phish dbgproxy_fr > phishtankproxy_fr    (drop the Phish rules from the stock filter into a new copy)
# vimi /var/tmp/PhishTank.txt phishtankproxy_fr    (then work on that copy alongside the PhishTank list)

I need to add mostly GoodDomains rules, but I comment out some other rules and activate additional protection against rar and zip files, which have mostly Windows malware, though I do get a tiny amount for Android.  Then I set my browser to use the phishtankproxy_fr PAC filter and away I go on Firefox 20.  Believe it or not, Firefox 20 on Linux is much safer than the latest and greatest Firefox on Windows except for one MITM (Man In The Middle) https attack.  But one of the BadDomains rules that is usually active is LinkBucks.  It is not an ad-server.  I classify what they do as a tracker with a twist - they also redirect.  So they get Web-Bug status.  But one phisher was using them with his/her phish!  Evidently the phisher wanted to find out which of the phish patterns were working best.  I have had redirects to malware with this tracking service.  But blocking them can lead me to an erroneous conclusion that a URL that is anything but safe is safe.  Ergo, that rule is commented out in the phishtankproxy_fr file.  I also had to shift from OpenDNS DNS servers to Google DNS servers because I kept getting "this is a phish" now that I have IPv6 as well as IPv4.  I need to know the answer to "is it really a phish?", not protection from it.
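To show how the GoodDomains / BadDomains / blackhole mechanics of a PAC filter like the one above fit together, here is a small added example (not the dbgproxy_fr or phishtankproxy_fr file from this post): GoodDomains are checked first and always win, BadDomains are matched as wildcard domains (the DNSWCD case LinkBucks falls under), archive downloads from untrusted hosts are refused, and everything blocked is sent to a proxy that nobody listens on.  The dnsDomainIs and shExpMatch helpers are normally supplied by the browser and are reimplemented here so the file runs under Node; the domain names and the blackhole port are constructed placeholders.

```javascript
// Constructed sample rule sets (placeholders, not real block lists).
const GoodDomains = ["trusted.example"];        // allow rules, checked first
const BadDomains  = ["badtracker.example"];     // DNSWCD: the domain and every subdomain
const BLACKHOLE   = "PROXY 127.0.0.1:3421";     // placeholder port; nothing listens, so the request dies

// PAC helpers normally provided by the browser, reimplemented so this runs under Node.
function dnsDomainIs(host, domain) {
  // true for the domain itself and any host below it (a.b.domain)
  return host === domain || host.endsWith("." + domain);
}
function shExpMatch(str, pattern) {
  // shell-style glob: '*' matches any run, '?' one character; everything else is literal
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + body + "$").test(str);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. GoodDomains first: an allow rule overrides every block rule below.
  for (const d of GoodDomains) if (dnsDomainIs(host, d)) return "DIRECT";
  // 2. BadDomains as wildcard domains: badtracker.example also catches cdn.badtracker.example.
  for (const d of BadDomains) if (dnsDomainIs(host, d)) return BLACKHOLE;
  // 3. Extra protection: refuse rar/zip downloads from any host that is not trusted.
  const path = url.split("?")[0].toLowerCase();
  if (shExpMatch(path, "*.rar") || shExpMatch(path, "*.zip")) return BLACKHOLE;
  // 4. Everything else goes out normally, with no visible block page (the "stealth" part).
  return "DIRECT";
}
```

Commenting a name out of BadDomains, as the post does for LinkBucks in the PhishTank copy, is the whole change needed to let that traffic through again.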

So, companies, stop complaining and look at those ads you are pumping out, which I can stop with the in-your-face ABP (AdBlock Plus) or the stealth PAC filter and blocking hosts files.  You are frequently pumping out malware with your ads, and the FBI and NSA are too busy also tracking us to kingdom come to do anything about it.