Wednesday, January 16, 2013

PeskySpammer

    PeskySpammer, I have added the two recent messages you sent via user hash-user to both the PeskySpammer.7z archive and the PeskySpammer folder:


   I first sent this message only to my colleagues to prove to them that even though bots may be sending the bulk of the messages, you people know about it.  Here are the salient points so people understand them.

   No matter how you send them using my SecureMecca.com domain, I get them:

1. Your bots sending email messages pretending to be a hashed user at securemecca.com (e.g., EF24A232D@securemecca.com in the "From:" field) will end up in the postmaster's email box (me, hhhobbit, the only user at the domain) if the "X-Apparently-To:" or "To:" domain's mail servers deem it necessary to bounce a message back to the purported sender.  If they do that, I am the one that gets the bounce (always).  They should not do this with bot email messages, and I will have pseudo-code in a moment showing them how to avoid it and the proper course of action.

2. If you send it directly to any user including the "hash-user" in the MDL and WackoBot messages linked to above, again, the postmaster which is the one and only user at the domain (me), gets the email message.

3.  No matter how you slice it or dice it, I get these email messages and have taken actions I deem as appropriate.  I would encourage you to not allow any of these patterns in your bots' sending patterns (from or to) vis-a-vis me:  hhhobbit, henryhertzhobbit, securemecca.  There is a problem with that.  Any time you abuse others that share similar mail handling arrangements as mine you are going to piss the hell out of them.  So although you think you know how email works, you don't!  Because you do not understand how email works you will continue to make a lot of people like me mad as hell at you!  I am pretty sure I am not the only one.


Significant Others

   I don't know what domains block me, but byu.edu was and probably still is blocking access to my securemecca.com domain but not to this blog.  Why?  There is one of two possibilities.  First, despite people saying that they have both a black-listing and a white-listing approach, you really cannot have both.  White-listing means you black out the entire world and then start adding the hosts or IP addresses you want to allow.  Many banks like the local Zions Bank use the white-list approach.  If it isn't explicitly allowed it is denied.  They don't allow you to see any more at Zions Bank than is absolutely necessary to get the job done.  You might think my PAC filter does white-listing, but the GoodDomain rules are really there to make sure that it doesn't block security downloads.  Those paired with Bad rules also block phish.  For example, if you pretend to be Bank of America, my PAC filter will stop all hosts with "bankofamerica" in them except for bankofamerica.com.  So I guess the PAC filter is a limited form of white-listing.

    White-listing works fine for a bank but not too well for an educational institution.  For educational sites you need some pretty hefty black-listing, and Comcast's (was Damballa) is so sensitive that they have blocked my mass emailing of the users in my contact list.  I don't know how you teach a bot sensor what the difference is, but I am beginning to suspect Comcast's actions may have got my domain in the black-lists.  But it is actually more likely your activity that got it there.  Why?  There are an awful lot of incompetent admins that look at email and think it always comes from the "From:" email address.  Well, for all of yours it comes from what is identified as the "X-Originating-IP:" in my email messages.  Ergo, your activity is getting mine and a lot of other innocent people's domains blocked, many times without them knowing it.  Now others should know why I prefer mail that has been signed with the other person's OpenPGP key.  When I see that I am pretty much assured the message (which can optionally be enciphered) came from that other person.  What you are doing demonstrates this point so overwhelmingly I don't understand why people don't get a POP / IMAP email account and use it as their primary email account.  They should use web-mail for signing up for various things and keep their POP email accounts for only personal contacts.

   Where is the FBI and other police organizations in all of this?  Well, it seems the prosecution of Aaron Swartz, which bordered on prosecutorial misconduct, has ground to a screeching halt.  Maybe the FBI will pay attention to you but I doubt it since you are so small.  Despite that and despite me calling you a spammer, you have filled my email box with: low order phish (fake pharmacies), high order phish (steal financial information like user names and passwords or money or both), links to malware, and malware attachments.  I have listed them in order of threat from least to most.  The attachments have usually been in the form of files pretending to be PDF files that were zipped but when unzipped were files ending in ".pdf.exe".  Usually the detection by the AV companies was deplorable.  More than once all 40+ of the Anti-Virus programs at VirusTotal.com failed to detect it.

Mail Admins

One mail admin cleverly added a test of doing a reverse IP to host lookup.  Well, not exactly what is needed, but then he did the gross faux pas.  He sent the message back to the "From:" saying they didn't match.  Why are you sending the boomerang to me?  I didn't send the message.  Thinking is in short supply here.  Here is the pseudo-code showing how it should be done:

Find the MX hosts for the From domain.
if there are no MX hosts for the From domain then
    drop the message like a hot scalding potato
else
    Find the IP addresses for the MX hosts
    if the sending IP address is not one of the MX IP addresses
    then
        drop the message like a hot scalding potato
    else
        do what you want with it
    end if
end if
(Note:  I modified this pseudo-code on 2012-April-12 to handle the parked hosts or even hosts that are not in DNS that PeskySpammer uses.)
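The pseudo-code above as working Python, added here as an example rather than taken from the blog: the DNS resolver is injected so the check runs offline against constructed records, and both "drop" paths are exercised. The standardized form of the same idea is SPF (RFC 7208); this block implements the page's MX check, not SPF. Domain names and addresses in the DNS table are constructed (RFC 5737 documentation ranges).

```python
"""Mail admin's sender check from the pseudo-code: drop when the From: domain has
no MX hosts, drop when the connecting IP is not one of the MX hosts' addresses,
otherwise let the normal pipeline decide.  Never bounce to the From: address."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver maps (name, record type) -> list of answers.  A real deployment
# would wrap dnspython; here a dict stands in so the example runs offline.
Resolver = Callable[[str, str], List[str]]

DROP_NO_MX = "drop: no MX hosts for sender domain"
DROP_IP_MISMATCH = "drop: sending IP is not one of the domain's MX addresses"
ACCEPT = "accept: hand to the normal filters"


def sender_domain(from_addr: str) -> str:
    """Domain part of a From: header value, tolerant of 'Name <user@dom>'."""
    if "@" not in from_addr:
        raise ValueError("From address has no domain: %r" % from_addr)
    return from_addr.rsplit("@", 1)[1].strip(">").strip().lower()


def mx_hosts(domain: str, resolve: Resolver) -> List[str]:
    """Step 1: the MX hosts of the From: domain (parked domains return none)."""
    return [h.lower().rstrip(".") for h in resolve(domain, "MX")]


def check_sender(from_addr: str, sending_ip: str, resolve: Resolver) -> str:
    domain = sender_domain(from_addr)
    hosts = mx_hosts(domain, resolve)
    if not hosts:
        return DROP_NO_MX                      # like a hot scalding potato
    # Step 2: every IPv4 address of every MX host (backups included).
    allowed = set()
    for host in hosts:
        allowed.update(str(ipaddress.ip_address(a)) for a in resolve(host, "A"))
    if str(ipaddress.ip_address(sending_ip)) not in allowed:
        return DROP_IP_MISMATCH
    return ACCEPT


# Constructed DNS data for the demo (names and addresses are made up).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "MX"): ["mail1.example.com.", "mail2.example.com."],
    ("mail1.example.com", "A"): ["192.0.2.25", "192.0.2.26"],
    ("mail2.example.com", "A"): ["192.0.2.27"],
    ("parked-example.net", "MX"): [],          # parked: no mail servers at all
}
QUERY_LOG: List[Tuple[str, str]] = []          # records lookups to show the cost


def fake_resolve(name: str, rtype: str) -> List[str]:
    QUERY_LOG.append((name.lower(), rtype))
    return FAKE_DNS.get((name.lower(), rtype), [])


if __name__ == "__main__":
    # A bot on some infected PC pretending to be a hashed user at example.com.
    print(check_sender("EF24A232D@example.com", "198.51.100.77", fake_resolve))
    # The same From: arriving from the domain's backup MX host.
    print(check_sender("EF24A232D@example.com", "192.0.2.27", fake_resolve))
    # A parked domain with no MX records.
    print(check_sender("someone@parked-example.net", "203.0.113.5", fake_resolve))
    print("DNS lookups performed:", len(QUERY_LOG))
```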

What else you do from there is up to you but bouncing messages for bot sent messages creates more problems than it solves.  This is especially true for me if the mail filtration strips the URLs or attachments.  Since I don't have the original sending IP address it is just useless clutter filling up my email box.  I can block URLs and identify malware but that is about it unless I have the sending IP address which I do extract and keep in several lists.  Okay, so a bot sent you some email making it look like it came from my domain.  I already know that to the tune of up to and even over a hundred messages per day.  They have even gone as high as about a thousand messages per day.  And the FBI still doesn't care?   Yup, that is the norm these days.  I hope the Sheriff department in Georgia has not only the link you stabbed into their server removed (they have removed it) but any other damage you have done to them undone.  In short, some of your actions PeskySpammer make me think you are rank amateurs.  Either that or stupid is in vogue right now.  Actually it is probably both.

Saturday, October 6, 2012

Malware Phish Spam of the Day

   This post is just to picture whatever these hackers / spammers are sending to me at any given time, covering the past few schemes, to help people be on guard against them and protect themselves.

Fake PayPal Scheme (2012-10-16)

(click on picture to enlarge)

   This isn't theirs, and the saved message shows that instead of saving the message proper I must save the attached HTML file instead.  It is impossible to fill out the form and submit the information in Thunderbird on Linux.  Looking at the HTML file ... Well, the CSS style sheet is at 200.217.207.56.  Here is where your information goes:

        http://sochifito.cl/reactivation/w.php

By itself the URL is harmless.  But combined with the HTML file, which I viewed in both Opera and Firefox on Linux, it is rather nasty.  Both Opera and Firefox show the actual URL when you hover over the Submit button.  I have no idea what it does on Windows.  I imagine Outlook will do the usual of being helpful and hide this URL.  I take an even dimmer view of every web-mail and many POP email programs hiding the email address.  Rather than helpful (not) shorthand names, just give me the darn complete email addresses in an email program.  But if you fill in the form and click on Submit, your PayPal account is gone.  My advice?  Never fill in these forms!  Close everything, open up your browser and go to PayPal directly to check things out.  Why?  Because PayPal does send things to you in email.  It is just that for me, I don't have a PayPal account.  When I did, it was not attached to the email address where this message was delivered.  In the body of the message it states: "Open and complete this form to avoid account termination."  That is a panic inducer.  Do not panic!  Take your sweet time and close things: first your email program, then the tabs in the browser, then the browser itself.  Then open up the browser again and go to PayPal directly.  Invariably you will find your PayPal account is just fine.  Oh yes, submit the email message to PhishTank.  This one must have been specially crafted for me.  When I tested the URL at PhishTank it was fine.

   If you want to see all of the schemes they have used in the past as well as currently here is the folder for the schemes / pictures:


How do you protect against them and many other things?  Use Firefox and add NoScript:


That would defeat this scheme completely and many others as well.  It will help keep your Windows machine from getting infected (unless you allow the thousands of infected hosts to do scripting).  It can also keep Linux, Macintosh, iPad, iPhone, and Android free of junk.  In fact I know a major University Mathematics department that mandates this combination for all operating systems under their control.  There was some bickering at the start, but now many of the Mathematicians are even using the same setup at home.  It works.  I was blocking all of the PHP scripts they had as of 2012-10-15.  You cannot block an index.html file.  I am monitoring the block of their second host with this private rule, which may be useless because it may cause false positives (FPs), though I have had none so far:

BadURL_WordStarts[i++] = "js\.js";

But NoScript stops everything they have for web-sites where you don't allow scripting to be done.  Now do you understand why Firefox + NoScript is such an important security move for you to implement?  Use Firefox + NoScript!  It may be painful, but it works.


Fake eFax and NACHA (2012-10-24)

(click on picture to enlarge)

    I have had a small smattering, but ever since they removed securemecca from the list of sendable addresses, all I get is bounces.  For a few days they sent fake porn web-sites.  If they are like the previous ones the hosts won't stay in DNS very long.  There were precious few eFax and Intuit scams for the previous few days where they had hacked hosts.  I do capture what URLs I can, but I have been rather busy lately and there were so few it just wasn't worth it.  But for these latest eFax and NACHA you are on your own.  Why?  If you enlarge the above picture you will see a "nacha-directdeposit-HASH.pdf.zip" file.  It is attached to the message.  Since I do not have the actual file (yet) I do not know for sure, but can assure you that from past experience it is not a normal PDF file.  It has a JavaScript exploit in it, and they zipped the file to obfuscate it from the AV companies.  If you look at one of the headers, at least one AV product doesn't like it (probably Sophos).  Hold on!  I have the file.  It will indeed whack you, but it isn't just for the NACHA scam but also for the eFax scam.  Do not open these files in Adobe Reader!  Use Evince instead:

Configure your browser and email readers to use Evince for embedded PDF files.  Since Evince does not interpret the JavaScript instructions in the PDF file, they can't do anything and you are much safer.  The only legitimate purpose for JavaScript is for forms files.  AFAIK, you can save the file to the desktop, but I would never trust a forms file that came through email.  As for what to do with it in the browser on a web page, I would much rather just download the file and open it in either Evince or Adobe Reader myself.  Other than this warning there is very little that I can do.

Fake NACHA and BBB Schemes (2012-11-08)

(click on picture to enlarge)

   Some of these have been coming the past few days.  They masquerade as a PDF file from NACHA, the BBB and perhaps other organizations.  If you enlarge the above picture, you will see they have something like ACH-Report-${HASH}.pdf.zip.  For whatever reason, Microsoft and others have seen fit to blast the 7-zip format as being inherently less safe than the zip format.  This file illustrates just one of the many reasons 7-zip is safer than zip.  Why?  The user would have to save the 7-Zip file and unzip it.  Unless you have 7-zip (free from http://www.7-zip.org/ ), WinZip or something else you cannot open it.  But Windows happily will open this zip file.  What do you get?  A humongous file name that ends not in ".pdf" but in ".pdf.exe".  The scans look like this at best:

Scan of exe file from previous (2012-11-09)

(click on picture to enlarge)

   As you can see, the detection rate is deplorable.  Of course I sent it on to ClamAV.  That doesn't matter because the AV companies are now swamped.  Now do you really want to continue using a mix of Windows + Outlook or Windows + web-mail?  It is your choice, but there is nothing I can do about the situation other than report it and urge you to at least use Thunderbird and POP mail.  Notice that I can see the attachment but, more to the point, Thunderbird doesn't oh so helpfully unzip that sucker, and the message as it is shown fools nobody since the images and other stuff are gone, at least on Linux.

No Read Scheme  (2012-12-01)

(click on picture to enlarge)

   This scheme seems to be linked to Thunderbird and Claws Mail users on Windows.  There is no rest of the file.  If there was and it was HTML, then Claws Mail users on Windows would not see the rest unless they plugged in the HTML viewer.  Thunderbird users on all platforms would also not have seen the HTML rendered page.  But in this case, there was no "rest of the file."  This link and the line leading to it was all there was.

   What should you do?  Do NOT click on the links!  So what did I do given the fact that all of them I have looked at so far are PHP scripts?  Remember that these run on the server, not on the connecting machine.  Well, I am running Linux, not Windows.  You say they will stab in an add-on in Firefox?  Remember, I have to copy the string in Thunderbird and then manually paste it into the URL box in either Firefox or Opera.  But before I did that I started Wireshark running.  Then I went to them.  All of them either savaged the server so badly that it showed the hacking or they did nothing.  I attribute the do-nothing to those queries for what my OS and browser were.  Maybe if you are not running Windows they do nothing.  Do not click on any links in email from dubious origin!  That advice is also valid for Linux users.  After all, since they did OS and browser checks they could have stuffed something into the user's browser data folder (~/.mozilla and ~/.opera on Linux for those browsers).  Yes, the browsers have settings to prohibit add-ons from being installed, but both JavaScript and especially Java can do it.

   So am I some sort of god with a teflon coating that protects me?  No.  I have taken the strongest settings for all browsers and do NOT store passwords in them.  But I am sitting on months worth of backups for both the browsers and the bookmarks:


If I get into something sticky I close the browser (use Quit, not the X button), blow away the user browser folder, then restore an old fail-safe backup.  If I am still suspicious, I can just blow it all away.  Then I start the browser, creating a new user browser data folder.  I then import the latest bookmarks and add on the few add-ons that I have:  Cookie Safe, ABP, and Better Privacy for Firefox.  If that is not necessary then I just update them.  Then I create a new fail-safe backup.  How long does it take me to recreate it all sans the bookmarks?  Less than four minutes.  Restoring takes less than a minute.  I did that after I did the above tests.  Better safe than sorry.  But unless you have to test it, do not click on the links!  I just wish that one piece of advice did it all for security.  Unfortunately, it doesn't.  But not clicking on links goes a long way in securing you from email borne threats.

Citibank Scheme (2012-12-13/14)

(click on picture to enlarge)

   Like all of the other fake schemes, I could not coax anything bad out of the links in the first email.  Only one of the links tried to go on but the others were removed.  My statement remains to use Firefox with NoScript which stops it even if you are reading your email in Outlook, as long as you set Firefox to be your primary browser.  But before that be a little more discerning and don't click on the links.  Just close everything down and go to Citibank if that is what you have.  Since only the crackers are reading this now ... I will bring this to an end.  Everybody seems to be protected.

Facebook Scheme (2012-12-19)

(click on picture to enlarge)
 
   Unlike the previous ones, these have no random sock-it-to-you.  If you haven't been there before, then you will probably get infected.  They achieve it by using a fake Facebook message with a visible link showing Facebook's URL, but the real hidden URL contains the word "dating" in the host name.  Here is the scan at Virscan.org for the initial onslaught:
 
 
They seem to use another host named domainsstressadd DOT net to do black-listing to prevent you from getting multiple samples.  I have been getting lots of these, both directly and as bounces from sends to non-existing mail drops.  As usual, securemecca.com is not sending the messages.  Hacked Windows machines with SMTP agents installed on them are sending the messages.  Suggestions for how to handle the problem are:

1. Delete the message with extreme prejudice and click on NOTHING in the email message.

2. Do not have a Facebook account.  If you don't have a Facebook account then you will know the message is not genuine.  It will either be a phish or as it is in this case, malware.

3. If you have a Facebook account, settle down, log out of email and close your POP / IMAP mail program if that is what you got the message in.  If you had Thunderbird you would have had the malicious URLs shown to you.  If you are using web-mail (Yahoo, GMail, et al) then sign out.  Close all of the tabs in your browser, then clear the caches and information.  Now close the browser.  Open the browser again and go to Facebook directly via your Bookmarks / Favorites.  Your account will probably be just fine.

4.  You should think seriously about using Firefox with NoScript.  It would stop all of these links (each of my email messages used a different host) cold, since every one of them uses a PHP script.

That is it!

Monday, September 3, 2012

Vote Against Spam

What started it All

   It started with a fake pharmacy spammer who pumped in 100+ email messages per day for about three months without even knowing they were doing it.  For the past few weeks it shifted to fake ADP/ACH, Better Business Bureau and many other schemes.  At first I was baffled by these until I finally discovered it was neither a spam campaign nor phish, which I first suspected.  They were dishing out malware using what appeared to be the Blackhole exploit kit in addition to the malware.  If you want to see the pictures of the various types of schemes they are using, they are in this folder (my view of them is much different in Thunderbird than it is in Web Mail (GMail, et al), Macintosh Mail or Outlook mail programs):

Pictures of Spam Schemes

The entire contents are in the folder above the pictures.  What sent all of these messages?  Microsoft Windows PC machines.  I am not talking about the machines using the mail servers the person owning them uses.  These Windows machines are sending email directly and need to be taken out of the loop.  Here are the IPv4 addresses for the infected PCs that were illegitimately sending the fake pharmacy messages which appear to be different from the next set of IP addresses:

Fake Pharmacy Senders (original)
Fake Pharmacy Senders (just IPs)

The newer malware type messages are from these infected Windows PC machines:

Malware / Phish Senders (original)
Malware / Phish Senders (just IPs)

   All I know is that there is a way to make spam almost completely go away.  It requires two changes which will probably never be done.  I have actual malware from this second group that uses hacked legitimate web servers all over the globe.  The 40+ AV programs at VirusTotal were almost completely skunked by the malware, which was finally classified as FakeAV by many AV programs after I submitted it to ClamAV for evaluation.  The malware will be available on request only to national police forces and Interpol.  Other spammers can use that to verify that these spammers are not just spammers.  They are malicious hackers that are infecting thousands more Windows machines via malicious links in email pretending to be something else, and using thousands of infected Windows machines to send the email messages in the first place.


Mail Delivery Fix

   The first mail delivery fix would be to require a certificate similar to the one used for https traffic.  A friend said why not just check to see if the IPv4 address matches the host given?  That isn't quite so simple, because for each domain you need to find their mail server names (which some don't have), then the IPv4 addresses for each mail server.  Usually you have multiple mail servers, with at least two where one serves as a backup.  Each mail server frequently has multiple IPv4 addresses.  So the problem with a reverse IP lookup of the SMTP (Simple Mail Transfer Protocol - what handles the sending of your email from one place to another) gateways for the purported sending host is latency.  When you have a domain which is just specious (either it or its mail server does not exist) it takes a long time to verify it this way.  I am not the first to propose this secure mailer certificate.  Many other people proposed it long before I said anything.  Initially I thought Microsoft had proposed this, but what they proposed was similar to what Spam Gourmet, Spam Assist, and other services like them provide.  The problem was that Microsoft wanted complete control.  Given their lack of understanding of how to control spam (also called Junk) in Outlook (was Hotmail) they wouldn't be my first pick in leading the charge.  GMail (Google) would be.  But Secure SMTP is not under the user's control.  Just rest assured I am not the only one that says that the SMTP system, which is now over 30 years old, needs a major fix.  Many people much better than me realize it is needed.  I am just adding my lone little voice that says it needs to be done.  But I am also proposing an addition because Secure SMTP alone will not completely fix the problem.  There would still be spam mailers that continue to send from machines that would be legitimate Secure SMTP servers.  Instead of taking no for an answer they just sell your email address to others.
   What defines an email message as spam (junk)?  The end recipient.  That is next.


DVS (Democratic Vote System)

   What I also propose is something to give the recipient / mail user a way to vote out messages. Look at this folder to see everything saved that went into this idea for having both Secure SMTP and a DVS system:

Pesky Spammer Folder

I used to have most of the files in a private folder, but now all of the files concerning this are in this public PeskySpammer folder.  This will help you understand the need for a secure SMTP mail sending service.  It also has some bearing on the situation, because what if somebody does have a certificate for their email but there is no way to opt out of messages you do not want that they keep sending to you?  Generally speaking, those links that say remove me from your send-to list are really nothing more than "email address verified".  The spammers then sell those newly verified email addresses to other spammers.  For these stubborn groups of spammers, only a DVS will eliminate their messages for good.  Secure SMTP won't do the job of getting rid of them.  All Secure SMTP will get rid of are the Windows machines that are sending email direct.  Here is how the DVS should be implemented to work properly:
  • The first part of the DVS is that if you moved a message from your Inbox to your Junk (Spam) folder it would cause your mail client to send a vote against that kind of message to a central clearing house.  This isn't just a vote for yourself.  It is a vote for everybody that has an email account saying that kind of message is junk.
  • The second part of the DVS is that if you delete a message from the Junk (Spam) folder it would also count as a vote against that type of message for everybody.  But a proper DVS system would instantly and immediately expunge the email message, not just move it into the Deleted folder.  What are the examples of Web-Mail that do this portion correctly?  Yahoo deletes it.  Google not only deletes it but seems to implement something similar to the DVS model and makes the deletion of the message a count for every GMail user including yourself.  When enough people do it, it junks those email messages for everybody.  Microsoft's Outlook (was HotMail) does it wrong.  It moves it into the Deleted folder, as if it wants to hang on to the spam messages forever.  This has ramifications as to who should be running the DVS system.
  • Finally, if you move a message from the Junk (Spam) folder back into the Inbox that counts as a vote that kind of message is not Junk for everybody.  It would also be a personal override for yourself, assuring you of receiving even more of that stuff I don't want in the future.
   Okay, who does this almost right?  Google's GMail.  I know people in the PhishTank Developers list, a person in a local mailing list and other computer scientists that have given up on even maintaining their own email and have signed up for GMail and use that as their only email account now.  There are down-sides.  An Argentinian bank wrote to me to get their URL cleared at PhishTank using my GMail account.  Thankfully it was in the Junk folder.  I tried sending three messages.  The first was from Gmail to the PhishTank Developer group since I moved my PhishTank membership from securemecca.com to GMail.  It bounced.  The second one was from securemecca.com since I discovered the GMail account was not in the PhishTank Developer group.  The last was from my own private email account directly to the technical contact at PhishTank.  Two out of three of the messages were put in Junk at GMail.  That should let you know how bad the spam situation is now.  You cannot even get legitimate email to somebody else, even about security matters, because the spammers have made it almost impossible to do that any more.  Other people keep hopping from one email address to another.  Since I need to save certain things and must have a POP email for my domain I cannot do that.  But making email client programs like Evolution, Thunderbird, Outlook, Outlook Express and other mail clients mesh with a DVS in addition to having Secure SMTP could rein this problem in.  Until the DVS and secure email gateway are implemented, using services like these (there are others) has the potential to help you considerably.
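The three DVS rules above as a runnable toy model, added here as an example (it is not the blog's design or any mail client's code). What a "kind of message" is isn't defined on the page, so this block assumes a fingerprint built from the sender domain plus the subject with hashes and digits stripped, and assumes a global threshold of three net votes; the mailboxes, users and messages are constructed.

```python
"""Toy DVS: Inbox->Junk and delete-from-Junk both vote "junk" for everybody
(and the delete expunges, there is no Deleted folder); Junk->Inbox votes
"not junk" for everybody and is a personal override for that user."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, Tuple

JUNK_THRESHOLD = 3   # assumption: net votes before a kind is junk for everybody


def fingerprint(sender: str, subject: str) -> str:
    """Assumed 'kind of message' key: sender domain + subject with the
    per-message noise (hex hashes, digits, case, spacing) collapsed."""
    domain = sender.rsplit("@", 1)[-1].lower()
    norm = re.sub(r"[0-9a-f]{6,}|\d+", "#", subject.lower())
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256((domain + "|" + norm).encode()).hexdigest()[:16]


class ClearingHouse:
    """The central vote tally every DVS-aware client reports to."""

    def __init__(self) -> None:
        self.votes: Dict[str, int] = defaultdict(int)           # fp -> net junk votes
        self.override: Dict[str, Dict[str, bool]] = defaultdict(dict)  # user -> fp -> junk?

    def vote_junk(self, user: str, fp: str) -> None:    # parts 1 and 2
        self.votes[fp] += 1
        self.override[user].pop(fp, None)               # drops an old "keep" override

    def vote_not_junk(self, user: str, fp: str) -> None:  # part 3
        self.votes[fp] -= 1
        self.override[user][fp] = False                 # personal override: not junk

    def is_junk(self, user: str, fp: str) -> bool:
        if fp in self.override[user]:
            return self.override[user][fp]
        return self.votes[fp] >= JUNK_THRESHOLD


class Mailbox:
    """One user's client.  Messages are (sender, subject) pairs keyed by id."""

    def __init__(self, user: str, house: ClearingHouse) -> None:
        self.user, self.house = user, house
        self.inbox: Dict[str, Tuple[str, str]] = {}
        self.junk: Dict[str, Tuple[str, str]] = {}

    def deliver(self, msg_id: str, sender: str, subject: str) -> str:
        fp = fingerprint(sender, subject)
        folder = "junk" if self.house.is_junk(self.user, fp) else "inbox"
        getattr(self, folder)[msg_id] = (sender, subject)
        return folder

    def move_to_junk(self, msg_id: str) -> None:        # DVS part 1
        msg = self.inbox.pop(msg_id)
        self.junk[msg_id] = msg
        self.house.vote_junk(self.user, fingerprint(*msg))

    def delete_from_junk(self, msg_id: str) -> None:    # DVS part 2: expunged outright
        msg = self.junk.pop(msg_id)
        self.house.vote_junk(self.user, fingerprint(*msg))

    def move_to_inbox(self, msg_id: str) -> None:       # DVS part 3
        msg = self.junk.pop(msg_id)
        self.inbox[msg_id] = msg
        self.house.vote_not_junk(self.user, fingerprint(*msg))


if __name__ == "__main__":
    # Constructed scenario: a fake ACH-report campaign hits three users.
    house = ClearingHouse()
    alice, bob, carol = (Mailbox(u, house) for u in ("alice", "bob", "carol"))
    sender = "alerts@ach-report-fake.example"
    print(alice.deliver("m1", sender, "ACH Report 7f3a9c21"))   # inbox: no votes yet
    alice.move_to_junk("m1")                                     # vote 1
    print(bob.deliver("m2", sender, "ACH report 0b1d2e33"))     # inbox: 1 < 3
    bob.move_to_junk("m2")                                       # vote 2
    bob.delete_from_junk("m2")                                   # vote 3, message gone
    print(carol.deliver("m3", sender, "ACH Report deadbeef"))   # junk for everybody
    carol.move_to_inbox("m3")                                    # carol's override
    print(carol.deliver("m4", sender, "ACH Report 12ab34cd"))   # inbox for carol
```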


   I didn't just pick these out of my hat.  These hackers / spammers actually sent to the first one.  It asked for confirmation.  Not granted.  That helps them keep their email clean.  The second is used by a fellow security researcher.  He allows only selected (white-listed) email addresses and disallows everything else.  Does that tell you what he thinks of the spam situation?
   How can spammers keep off my bad list?  Just remove henryhertzhobbit, hhhobbit, and securemecca from both their to list and from list.  In the case of the from list they are violating numerous national and international laws anyway.  Just like everybody else, I don't go out seeking this garbage.

Monday, August 20, 2012

Microsoft Removes Protection

Alexander Kowalski sent me this link about Windows Defender removing entries from the hosts file:

GHacks hosts file SNAFU

At first I thought that they were doing it to remove redirects of Facebook and others.  This happens, but most often the malware redirects to an out-there IP address, not to yourself (127.0.0.1).  But that removal of the remapping of the ad-server ad.doubleclick.net to 127.0.0.1 just kept gnawing at me for the past eight hours.  I finally concluded that there just was no way that Microsoft would knowingly remove a redirect for their competitor Google, especially since it doesn't make you any safer.  I rarely see doubleclick pretenders.  Even worse, several years back ad.doubleclick.net was doling out malware for about 24 hours.  In any case I don't believe Microsoft would knowingly remove a block of a Google host.  What is doing the removal?  From most things I have read it is Windows Defender on Windows 8 that is doing the dastardly deed of removing the blocks of facebook.com, ad.doubleclick.net and potentially other hosts.  So if you are using Windows XP or Windows 7, settle down because it doesn't affect you, especially if you are using some other AV package other than Microsoft Security Essentials.  There is the normal confusion here because of Microsoft's musical chairs games with their product line-up.

Then I thought back to when Instant Messenger was being exploited.  Microsoft programmers did a case sensitive pattern match that removed the threat the way it was spelled out at the time - in lower case.  So the hackers made it upper case and the threat continued.  If anything, that argues that an ISO-Latin operating system should always be case sensitive.  The programmers would have been really dumb if they had just added the upper case match as well.  But you can see the problem with that with an eight character word.  Each one of the letters can be either lower case or upper case, which means you have 2^8 for an eight letter word, or 256 possible combinations.  The answer is simple: either lower case or upper case everything and then pattern match with that case.  But if you had a case sensitive operating system you would have done it properly from the start, since only 1 of the 256 possible combinations would have been correct.

So what is Windows Defender in Windows 8 doing?  I suggest that instead of removing only the redirects of Facebook and others to something bad they are removing all of the hosts that are mapped to the IPv4 localhost address 127.0.0.1.  That is about the only thing that explains removing the block of ad.doubleclick.net.  It remains to be seen if they also remove all of the remappings of localhost in IPv6 which is "::1".  They may even do it for the ip6-localnet of "fe00::0".  Okay, here is a wonderful list of hosts to test it with:

MalwareDomainList Block Hosts list

Will somebody that is running Windows 8 RTM please put some of these block hosts remapped to 127.0.0.1 in their hosts file?  When they are mapped to 127.0.0.1 you have removed the danger.  If Microsoft removes the entries they are actually exposing you to the danger of those hosts again.  Do not go to the hosts that are in MalwareDomainList!  Just see if Windows Defender (or what ever it is) removes that entry from the hosts file on Windows 8 RTM.
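A way to run the test asked for above without visiting any of the hosts: snapshot the hosts file before and after Windows Defender has had a look, then diff the two and classify every entry that disappeared. An entry mapped to a loopback or unspecified address (127.0.0.1, ::1, 0.0.0.0) is a block; an entry mapped to anything else is the kind of redirect malware plants. This is an added example, not code from the blog; the two hosts files are constructed, and the "after" file is what the hypothesis in the text predicts.

```python
"""Audit what a hosts-file 'cleanup' actually removed: blocks (loopback
targets) versus redirects (hosts pointed at some external IP)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed "before" hosts file: loopback blocks plus one malware-style redirect.
BEFORE_HOSTS = """
127.0.0.1 localhost
::1 localhost ip6-localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 bad-host-1.example
127.0.0.1 bad-host-2.example  # entries from a block list
203.0.113.9 www.facebook.com  # constructed: the redirect malware would plant
"""

# Constructed "after" file: what the text predicts, every 127.0.0.1 block gone,
# the external redirect left in place.
AFTER_HOSTS = """
127.0.0.1 localhost
::1 localhost ip6-localhost
203.0.113.9 www.facebook.com
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """name -> address; comments and blanks skipped, last mapping wins."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)          # raises on a malformed address
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def kind(addr: str) -> str:
    """'block' for 127.0.0.1 / ::1 / 0.0.0.0, 'redirect' for anything else."""
    ip = ipaddress.ip_address(addr)
    return "block" if (ip.is_loopback or ip.is_unspecified) else "redirect"


def removed_entries(before: str, after: str) -> List[Tuple[str, str, str]]:
    """(name, address, kind) for every mapping present before but not after."""
    b, a = parse_hosts(before), parse_hosts(after)
    return sorted((n, ip, kind(ip)) for n, ip in b.items() if a.get(n) != ip)


def suspicious_redirects(text: str) -> List[str]:
    """Names still pointed somewhere other than loopback: worth a look."""
    return sorted(n for n, ip in parse_hosts(text).items() if kind(ip) == "redirect")


def audit(before: str, after: str) -> Dict[str, object]:
    removed = removed_entries(before, after)
    return {
        "blocks_removed": sum(1 for _, _, k in removed if k == "block"),
        "redirects_removed": sum(1 for _, _, k in removed if k == "redirect"),
        "redirects_remaining": suspicious_redirects(after),
    }


if __name__ == "__main__":
    for name, ip, k in removed_entries(BEFORE_HOSTS, AFTER_HOSTS):
        print("removed %-9s %-15s %s" % (k, ip, name))
    print(audit(BEFORE_HOSTS, AFTER_HOSTS))
```

On a real Windows 8 machine the two snapshots would be copies of %SystemRoot%\System32\drivers\etc\hosts taken before and after Defender runs; a result of "blocks removed, redirects remaining" is exactly the exposure the text describes.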

Don't always depend on the browsers or a bot service by your ISP to protect you.  They are always dependent on security researchers that make those lists.  There is one less of them because I don't handle the malware any more.  Both Microsoft and Comcast have put too many obstacles in my way so I switched to whacking the spam in my email boxes (which you may or may not get) and trackers.  After all, they are the highest threats a Linux user like me faces.

So let's run the tests and, if so, will some of you MVP status people step forward and speak?  Being highly commended by Richard Stallman several years back for the work I do carries zero weight with Microsoft.  But those GPL licenses are a god-send for the work I have done and continue to do.  They provide infinitely more protection to me than a Creative Commons license would give me.

Wednesday, August 15, 2012

APK-Hosts-File-Installer

There is is another Hosts File Installer program created by Alexander P. Kowalski.  You can download the latest version here:



This zip file is in the 2012_06_01 folder.  If you want the older version or to look around you need to go to the top level APK folder.  It is here:



Brief instructions for how it works are at Start64.com.  As you can imagine it is made to work with Windows 7 64-bit and the instructions are tailored around that OS version.  Here are the brief instructions:



As you can imagine, you will need some sort of hosts file to use the program with.  Here are some of them with some information that will reduce the load on the servers if that is possible.  If there is no need to update, why update?  I will give a brief explanation of each.




These are perhaps the most complete files on the Internet.  Since they are so large, please check the update.txt file (second link) first.  They are 7-zipped so you will need something that supports the 7-zip format to use them.  They are just too large to download the whole files without some sort of compression.
7-Zip is far and away the best compression algorithm.  In addition it cannot be made to expand forever, cannot be peered into on Windows, and you throw the UID:GID of the files away on Unix / Linux.



This list is fairly similar to MVPHosts later on, but it does have French specific hosts added to it and very few comments.  It is hosted at sysctl.org.



These are mine.   There is no difference between the files at HostsFile.org and SecureMecca.com.  I use the UnixUtils utility with my own shell scripts to do the updating.  The scripts are used with zipped folders using both the zip and 7-Zip format.  Rather than linking to all of them I will just give the link to UnixUtils, the script that I use, and finally the downloads folders.

Unix Utils Folder
Unix Utils - zipped with instructions
AutoHosts shell script
SecureMecca.com Downloads folder

If you compare the current sizes of 857K for the uncompressed hosts.txt file compared to 178 K (AutoHosts.unx.7z), 341 K (AutoHosts.unx.zip), 180 K (AutoHosts.msw.7z), and 346 K (AutoHosts.msw.zip) you can see that in addition to having all of the constituent files and OpenPGP signatures of the add.Risk and hosts file you still save a lot of network bandwidth. If you just look at the date on the hosts.html file or the hdate.txt file you will save even more if nothing has changed.  They change almost every week.  My script pulls down the hdate.txt file first and if it has not changed nothing is done.  I used to round robin between HostsFile.org and SecureMecca.com.  But the HostsFile.org owner (it is not mine but the files are) mentioned he wanted to take it down.  You cannot see the files in the Downloads folder and there are NO 7-zip files, only zip files on HostsFile.org.  IIS is what is doing that.  SecureMecca.com is on a modified Unix type system.


Hosts-File.net (hpHosts)

Actually, this is distributed across several hosts.  Because they may fail due to either DDOS (hosts-file.net had a three day DDOS on the second week of August 2012) or one or more of the servers being down, I made it try one server after another until it gets the zip file.  I am sorry but the files in the hpHosts folders are in LF format only since they were made to work only on Linux.  Windows users need to use NotePad++, psPad, or Vim to look at the files to get some sort of idea what you could do with VBS.
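The two download habits described above, checking the small hdate.txt stamp before pulling a large archive (the SecureMecca.com section) and walking a list of servers until one answers (the hpHosts section), are shown together in this added Python example.  It is my illustration, not the author's AutoHosts shell scripts or the hpHosts wget scripts; the mirror names are placeholders and the offline fake_fetch stands in for the network, with mirror A down to exercise the failover:

```python
import urllib.request

# Constructed mirror list; the article's own scripts talk to SecureMecca.com
# and HostsFile.org, these names are placeholders.
MIRRORS = [
    "https://mirror-a.example/downloads/",
    "https://mirror-b.example/downloads/",
]
STAMP_FILE = "hdate.txt"          # small date file checked before any big download
ARCHIVE_FILE = "AutoHosts.unx.7z"


def http_fetch(url, timeout=30):
    """Real fetcher for live use; urllib's errors are OSError subclasses."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def fetch_first_available(urls, fetch):
    """Try each URL in order and return (url, bytes) from the first that answers."""
    failures = {}
    for url in urls:
        try:
            return url, fetch(url)
        except OSError as exc:
            failures[url] = str(exc)
    raise RuntimeError(f"all mirrors failed: {failures}")


def needs_update(local_stamp, remote_stamp):
    """Download only when the remote date stamp differs from the one last seen."""
    return local_stamp is None or local_stamp.strip() != remote_stamp.strip()


def sync_hosts(mirrors, local_stamp, fetch=http_fetch):
    """Return (downloaded, remote_stamp, archive_bytes_or_None)."""
    _, raw = fetch_first_available([m + STAMP_FILE for m in mirrors], fetch)
    remote_stamp = raw.decode("ascii", "replace").strip()
    if not needs_update(local_stamp, remote_stamp):
        return False, remote_stamp, None      # nothing changed: no big download
    _, archive = fetch_first_available([m + ARCHIVE_FILE for m in mirrors], fetch)
    return True, remote_stamp, archive


# Constructed offline stand-in for the network: mirror A is down, mirror B answers.
FAKE_SERVER = {
    MIRRORS[1] + STAMP_FILE: b"2012-08-13\n",
    MIRRORS[1] + ARCHIVE_FILE: b"7z\xbc\xaf\x27\x1c constructed archive bytes",
}


def fake_fetch(url):
    if url.startswith(MIRRORS[0]):
        raise OSError("connection refused")   # simulates the DDoS'd or down server
    if url not in FAKE_SERVER:
        raise OSError("404 not found")
    return FAKE_SERVER[url]


if __name__ == "__main__":
    print(sync_hosts(MIRRORS, "2012-08-06", fake_fetch)[:2])   # (True, '2012-08-13')
    print(sync_hosts(MIRRORS, "2012-08-13", fake_fetch))       # (False, '2012-08-13', None)
```

A caller would persist the returned stamp next to the archive and pass it back in on the next run; the only time the full archive crosses the wire is when the stamp has moved, which is exactly the bandwidth saving the section describes.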

hosts-file.net wget files (7-Zip)
hosts-file wget files (zip format)
ckdupe program (Windows)

The ckdupe program will check for duplicates in a hosts file or just spit out all of the host names.  I mentioned that hosts-file.net author who is an MVP has had a DDOS.  He also receives lots of bounced spam where they forge the headers on a PC and have them send out mail pretending to be hosts-file.net.  A spammer is doing the same thing with securemecca.com.  I call the bounces lemons and have been making the host names (lemons) into lemonade (read - they go into my hosts file).
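Two passages on this page want the same small hosts-file parser: the Windows 8 request above (put entries mapped to 127.0.0.1 in the hosts file and see whether anything removes them) and ckdupe's duplicate check here.  The following is an added Python example of my own, not ckdupe's GPL source and not the author's scripts; the sample hosts file and the .test names in it are constructed.  It reports mappings entered twice and, separately, which expected block entries are no longer mapped to a loopback address, which is the check you would run after a reboot or a Defender scan to see whether a block was silently dropped:

```python
from collections import defaultdict

# Addresses the article uses to neutralise a host: IPv4 and IPv6 loopback.
BLOCK_ADDRS = {"127.0.0.1", "::1"}

# Constructed sample hosts file (placeholder names under .test, not a real list).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1     localhost
::1           localhost
127.0.0.1     ads.example.test
127.0.0.1     tracker.example.test   # same name blocked for IPv4 ...
::1           tracker.example.test   # ... and IPv6: not a duplicate
127.0.0.1     Ads.Example.Test       # duplicate block, differs only in case
203.0.113.5   mirror.example.test    # a remap, not a block
"""

EXPECTED_BLOCKS = ["ads.example.test", "tracker.example.test", "malware.example.test"]


def parse_hosts(text):
    """Return [(line_no, ip, name)] for every mapping; comments and blanks skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue           # blank, comment-only, or an IP with no names
        ip, names = fields[0], fields[1:]
        entries.extend((n, ip, name.lower()) for name in names)
    return entries


def hostnames(text):
    """ckdupe's other mode: just the unique host names, sorted."""
    return sorted({name for _, _, name in parse_hosts(text)})


def find_duplicates(text):
    """Mappings entered more than once (same address, same name, any case)."""
    seen = defaultdict(list)
    for n, ip, name in parse_hosts(text):
        seen[(ip, name)].append(n)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


def missing_blocks(text, expected):
    """Expected block entries no longer mapped to a loopback address.
    Run after a reboot or scan to see whether something removed them."""
    blocked = {name for _, ip, name in parse_hosts(text) if ip in BLOCK_ADDRS}
    return sorted(h.lower() for h in expected if h.lower() not in blocked)


def audit_file(path, expected):
    """Same checks against a real file, e.g. C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return find_duplicates(text), missing_blocks(text, expected)


if __name__ == "__main__":
    print(find_duplicates(SAMPLE_HOSTS))                   # {('127.0.0.1', 'ads.example.test'): [4, 7]}
    print(missing_blocks(SAMPLE_HOSTS, EXPECTED_BLOCKS))   # ['malware.example.test']
```

Names are lower-cased before comparison so that "Ads.Example.Test" is recognised as the same block as "ads.example.test", the lesson from the Instant Messenger story earlier on the page; a name mapped to both 127.0.0.1 and ::1 is deliberately not treated as a duplicate.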


MalwareDomainList hosts file

This is malware specific for Windows.  Since there are so few of them I have most of these hosts in both the Linux and Windows file versions.  They come and go so fast that if you wait much over two weeks they will be out of date.


MVPHosts

This is probably one of the oldest hosts files out there.  I don't know why it is so small but it is what it is.  It is the only hosts file I usually see in HJT logs all over the Internet.  That could be because it doesn't block enough or it is about the only hosts file used.  I have concluded it is the latter.


SomeoneWhoCares.org hosts

An oldie but a goodie.  He does update it.


This is by no means all of them.  I gave you some to choose from just to get you going.  I will say that despite the hosts file at HostsFile.org / SecureMecca.com being much larger than MVPHosts, it also blocks more but also depends heavily on the PAC filter for the bulk of the protection.  A PAC filter, like AdBlockPlus for Firefox and AdBlock for Chrome, has the capacity to wipe out huge swaths of hosts but at the same time can reach in and snip out an offending JavaScript but leave the rest of the host alone.  Nonetheless, the spammers are pumping up the size of my hosts file considerably at HostsFile.org / SecureMecca.com.  I will write more about spam and my conclusions of the only way to bring it down in the next blog entry.  Good luck using the APK hosts file installer!

Monday, June 11, 2012

Linux Immune To Windows Malware

My ISP is still monitoring my WAN IP in such a manner that it can only be considered wire-tapping.  May I humbly suggest they put their own house in order first?  Here are their recent URLs in my recent run (2012-06-11) at PhishTank that were all phish in their domain. I went to all of them rather than depending on the screen-shot and verified that they all were indeed phish:

http://2301patricia.home.comcast.net/
http://2301patricia.home.comcast.net/~2301patricia/
http://berkower.home.comcast.net/
http://carol.miller7.home.comcast.net/
http://directorking.home.comcast.net/

I have these rules activated not just during Phishtank runs, but all the time:

BadURL_WordEnds[i++] = "\.exe";
BadURL_WordEnds[i++] = "\.msi";
BadURL_WordEnds[i++] = "\.scr";
BadURL_WordEnds[i++] = "\.zip";

But I really don't need them.  That is because I am using Linux, not Windows.  I have nothing to run Windows binaries on any of my Linux systems.  If a Linux distro runs WINE or anything like it I make sure I remove it ASAP.  I take a very dim view of any Windows binary emulation software running on Linux unless the end user adds it.  If somebody wants to load WINE or other emulation software they can, but I neither desire nor need the ability to run Windows binaries on Linux.  But if the Windows binary URLs are the in-your-face type at PhishTank, I have provided a small program that winnows them out of a list of URLs.  That does not mean that Phishtank will use the program (which has just been modified to include zip files):
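As an added illustration of what such a winnowing program does (this is my own example, not the SecondHosters program from the 7z archive, whose source is not on this page), the Python below applies the four BadURL_WordEnds rules above to a URL list.  It looks only at the URL path, so an ".exe" hidden in a query string is not counted, and it compares case-insensitively so "Setup.EXE" is caught.  The sample URLs use placeholder .test hosts and are constructed, not real phish:

```python
from urllib.parse import urlsplit

# The PAC filter's BadURL_WordEnds, as a tuple usable with str.endswith.
WINDOWS_BINARY_ENDS = (".exe", ".msi", ".scr", ".zip")


def is_windows_binary_url(url):
    """True when the URL *path* ends in a Windows binary/installer extension.
    Only the path is inspected: 'verify.php?file=x.exe' is not a binary download,
    and the comparison is case-folded so 'Setup.EXE' is caught too."""
    path = urlsplit(url.strip()).path.lower()
    return path.endswith(WINDOWS_BINARY_ENDS)


def winnow(urls):
    """Split a URL list into (windows_binaries, everything_else), order kept."""
    binaries, rest = [], []
    for url in urls:
        (binaries if is_windows_binary_url(url) else rest).append(url)
    return binaries, rest


# Constructed sample list (placeholder hosts, not real phish or malware URLs).
SAMPLE_URLS = [
    "http://phish.example.test/signin/",
    "http://drop.example.test/update/Setup.EXE",
    "http://drop.example.test/files/invoice.zip",
    "http://phish.example.test/verify.php?file=harmless.exe",
    "http://drop.example.test/installer.msi#x",
    "http://phish.example.test/scr/",
]

if __name__ == "__main__":
    binaries, others = winnow(SAMPLE_URLS)
    print("Windows binaries:", *binaries, sep="\n  ")
    print("Everything else :", *others, sep="\n  ")
```

The ones that land in the first list are the candidates to hand to a malware list rather than leave in a phish review queue, which is the hand-off the next paragraph asks for.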

SecondHosters.txt
SecondHosters.7z

The SecondHosters.7z contains the programs and sample URLs.  If your unzip program doesn't support the 7-zip format you should probably just get rid of it and install and use 7-Zip instead:

http://www.7-zip.org

Hopefully we can get a way of shipping the malware URLs off to MalwareDomainList.com and out of the review lists at PhishTank ASAP.

But Windows binary malware does not run on Linux.  Do you hear that Comcast?  Stop spying on me and start taking steps so that I don't keep seeing these phish URLs, not on your customer's PCs but on your own servers.

Tuesday, June 5, 2012

Hosts File Installer

   For years I have created a hosts file.  So far, almost nobody but me has used it.  So when somebody called Alexander Kowalski posited a hosts file installer I was naturally suspicious.  I was even wondering if I was going to get sued, since the MVPHosts author has been sued so many times.  It went through several go-arounds, since about 1-2 years ago I had a machine crash and burn.  I replaced it with two machines but made both of them multi-boot rather than having a virtual.  Because Comcast (my ISP) posed significant problems in evaluating malware I didn't install any malware analysis tools.  I depended almost completely on VirusTotal as an acid test, except for the new style PAC Phish Trojans.  Comcast's anti-bot service kept telling me my machines running Linux 99% of the time were infected.  So I almost completely stopped evaluating malware.  Ergo, I was not the best person to evaluate Alexander's software.  So I had to wait for ClamAV and other AV companies to clear it.  Finally, Steven Burn (hpHosts) also cleared it.  It didn't matter because I had already put it up on my server for others to download.  The password for both zips is "winrar" - what it was packaged with.  I have to use a zip (both zip and 7-zip are provided) because you cannot download an exe file from SecureMecca.com.  I provided the password as an extra form of placating my Web Service Provider.  The password may be dropped in the future but it will probably always be zipped because Comcast monitors any exe files coming to or going from my machine.


   What Alexander didn't know was all of the other issues that happened at the same time.  One was a flood (literally) of clicker spam email messages in one of my email accounts that had nothing to do with him.  Anyway, this main folder has the original program and a newer version that was uploaded by me on 2012-06-01 (yyyy-mm-dd) in different folders for tracking.  It has the nasty effect that every time it is changed some AV programs detect it as bad again.  I think shifting from WinRAR to Inno Setup may get rid of these problems.  All I can say is that if it is good enough for ClamAV, who finally cleared it, then other AV companies are going to have to either white-list or tame their heuristics.  I even have Comodo detecting my program for checking for duplicate blocks (hosts having their IP address being 127.0.0.1) in a hosts file as bad:


I submitted it to Comodo for analysis and less than 24 hours later they had it cleared.  A few days later Comodo was detecting it as bad again at VirusTotal.  It does make me wonder what Comodo is doing.  For heaven's sake, because ckdupe is under the GPL license, Comodo even has the source code to help review it.  Is either Alexander's Hosts File Installer or my ckdupe bad?  No.  But in the case of ckdupe you have the source code.  Alter it to meet your own needs.  I use it on Linux as a check that my hosts file does not have any duplicates in it.  Ditto when I install my hosts file on Windows as a double check.

   I don't use what Alexander provides since I use UnixUtils and my own scripts.  If you use UnixUtils I advise using the merged version:


The reason why is that because I have used Unix since the late 1970s I am used to this way of doing things.  I do provide help installing UnixUtils, and at least on Windows XP, the previous three scripts are plopped on the desktop (impossible with Windows 7). A double click on any of them will tell you if you are up to date, or download the files to install.  Some people complained about the method of copying the 7-zip exe file.  It is not my fault Microsoft uses back-slashes instead of forward slashes.  They should also not use anything in file or folder names other than alphanumeric and the dot punctuation mark.  I don't want spaces, or any other punctuation marks in file or folder names.  For these scripts I use a magical small file named hdate.txt for the hosts file and pdate.txt for the PAC filters.  They are changed every time the PAC filters change (both French and English PAC filters done simultaneously) or the hosts file changes.  I have to admit the Alexander's program is infinitely preferable to my scripts for a novice person.  A similar program that would track their changes and update the PAC filters would be useful if they were used by many people.

You can see all of the files in the Downloads folder even though the web-site doesn't have a link to it (more to keep things simple than anything else).  These folders and the files in them are not visible on HostsFile.org but they are visible on SecureMecca.com.  Here is where the downloads folder is at and you can see all of the files in it:


   I am trying to talk Alexander into creating a blog on how to use his program.  I am on Linux over 98% of the time.  It also is not my program - it is his.  When he creates a blog I will add a pointer to it here and create a new blog entry pointing to it.  I am also trying to talk Alexander out of using WinRAR as his packaging program and use Inno Setup instead.  One thing he should do is put his Copyright String in both the program files and the install program.  It would be nice if he put version numbers in the installer, but it is mandatory that he should put version numbers in the program itself.  I will still probably put them in date folders as he provides newer versions of the program.  That way you have a choice.  Boy would I like an older version of Thunderbird where I could right click on an email message in one of my two POP email accounts and select move to and move it to one of my local folders.  Newer doesn't always mean better.

Why do I create a hosts file?

   The rules for the PAC filter don't come out of thin air.  Also, the cookie block list used in the Firefox add-on CookieSafe came from SecureMecca.com.  But there are times when the PAC filter needs a white-list rule (called a GoodDomains rule) where the PAC filter is effectively disabled.  The hosts file is a back-up block method in those cases, which means the hosts file at SecureMecca.com and HostsFile.org is meant to be more minimalist than these block lists:


   Paradoxically, the hosts file at SecureMecca.com and HostsFile.org (identical) is larger than the number one blocking hosts lists on the Internet despite the fact that it is meant as only a backup method for blocking with the PAC filter being number one:


Why is mine so much larger than MVPHosts?  I don't know.  Spam contributes a lot.  So do the malware hosts, which come and go so fast that if I can, I create a PAC filter rule that will block the malware host by patterns without me even knowing the host name.  I have a clue for you - porn is not just porn.  The older pornproxy PAC filter tries to block porn.  The newer proxy and dbgproxy files have some porn sounding rules.  That is because there was too much malware with those patterns.  Think of the PAC filter as something that prevents you from accidentally having your Windows machines sucked over into the porn zone.  Write to me and I will give you the names of the programs that block porn more completely if that is what you want.  Be aware of one thing - the porn filters slow your machine down considerably.  The PAC filter actually speeds things up.  The porn filters don't block ads, but the PAC filter and my hosts file do block trackers, web-bugs (those trapping hosts for example), malware, and ads.  But I think the major difference between me and MVPHosts is that trackers have a higher priority for me.  On Linux, about the only malware I have are JavaScript browser infections.  That is why I block things I know will do that in both the PAC filter and hosts file and have scripts that keep making fail safe backups for the browsers I use the most on Linux, Firefox and Opera:


If I ever get a browser user data folder infection I just do the following:

1. Close the browser
2. Blow away the browser's user data folder (~/.mozilla or ~/.opera)
3. Restore the old backup of that folder
4. Update ABP, Cookie-Safe and anything else.
5. Create a new fail-safe backup.
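The five-step recovery above, as an added Python example of my own (the author's actual backup scripts are shell scripts that are not on this page).  It keeps timestamped copies of a profile folder such as ~/.mozilla, restores the newest one over an infected profile, and includes an offline walk-through in a temporary directory with a constructed stand-in for an injected script; steps 1 and 4 (closing the browser, updating the add-ons) are manual and not automated here:

```python
import shutil
import tempfile
import time
from pathlib import Path


def make_backup(profile_dir, backup_root, stamp=None):
    """Step 5: copy the whole profile (e.g. ~/.mozilla) to backup_root/<name>-<stamp>."""
    profile = Path(profile_dir)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest = Path(backup_root) / f"{profile.name}-{stamp}"
    shutil.copytree(profile, dest)
    return dest


def latest_backup(backup_root, profile_name):
    """Newest backup for a profile; the timestamp suffix sorts chronologically."""
    candidates = sorted(Path(backup_root).glob(f"{profile_name}-*"))
    return candidates[-1] if candidates else None


def restore_backup(profile_dir, backup_dir):
    """Steps 2 and 3: blow away the (possibly infected) profile, copy the backup back."""
    profile = Path(profile_dir)
    if profile.exists():
        shutil.rmtree(profile)
    shutil.copytree(backup_dir, profile)
    return profile


def simulate_recovery():
    """Offline walk-through in a temp dir: clean profile -> backup -> 'infection' -> restore."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / ".mozilla"
        (profile / "firefox").mkdir(parents=True)
        (profile / "firefox" / "prefs.js").write_text("user_pref('clean', true);\n")
        make_backup(profile, Path(tmp) / "backups", stamp="20120605-120000")
        # Constructed stand-in for a JavaScript profile infection: an extra file
        # appears and an existing one is altered.
        (profile / "firefox" / "injected.js").write_text("// constructed placeholder\n")
        (profile / "firefox" / "prefs.js").write_text("user_pref('clean', false);\n")
        restore_backup(profile, latest_backup(Path(tmp) / "backups", ".mozilla"))
        return {
            "injected_present": (profile / "firefox" / "injected.js").exists(),
            "prefs": (profile / "firefox" / "prefs.js").read_text(),
        }


if __name__ == "__main__":
    print(simulate_recovery())   # {'injected_present': False, 'prefs': "user_pref('clean', true);\n"}
```

Because the restore removes the whole folder rather than merging over it, anything the infection added disappears along with anything it changed; a merge-style copy would leave the added file in place.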

There are other forms of malware on Linux but mostly those are targeting servers, not a desktop system.  I also block the known spy-ware toolbars.  But on Linux, the real number one threat is trackers.  I have more of them than MVPHosts has, but I don't add *.2o7.net hosts or *.omtrdc.net hosts in the hosts file.  They are in a separate add.2o7Net file you have to tack on.  Why?  Because they are DNSWCD (DNS WildCard Domain) hosts.  They will be in DNS forever.  That is why I block them in the PAC filter.  The PAC filter can block all of them with just two rules.  It also has other rules that discover the aliases to the *.2o7.net and *.omtrdc.net hosts (which can and do drop out of DNS when they are no longer used).  That still doesn't explain why mine is bigger.  I will say I will live with dead hosts a little longer.  But my hosts file is actually in separate sections.  I monitor the add.Risk hosts much more often than the trackers, ad-servers and spy-ware (in the main section).  I used to do it with spam as well, but lately spam hosts stay alive just as long as trackers and ad servers.
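Why a wildcard domain cannot be handled in a hosts file but can with one PAC rule: a hosts file only matches names exactly, so every new subdomain under 2o7.net would need its own line, while a "*.2o7.net" rule covers all of them.  The added Python below (my own illustration; the author's PAC filter syntax is not shown on this page, so the "*.domain" rule form is an assumption) compares the two and also shows the suffix check done on a label boundary, so that a look-alike such as "2o7.net.evil.test" or "not2o7.net" is not swept up.  The observed host names are constructed:

```python
# The two wildcard tracker domains the article names.
WILDCARD_RULES = ["*.2o7.net", "*.omtrdc.net"]


def normalise(host):
    return host.strip().lower().rstrip(".")


def rule_matches(host, rule):
    """Exact rule ('a.b.c'): hosts-file behaviour, the name must match exactly.
    Wildcard rule ('*.b.c'): any subdomain of b.c, checked on a label boundary."""
    host, rule = normalise(host), normalise(rule)
    if rule.startswith("*."):
        parent = rule[2:]
        return host.endswith("." + parent)   # '.2o7.net' suffix, never 'not2o7.net'
    return host == rule


def blocked_by(host, rules):
    return any(rule_matches(host, r) for r in rules)


def coverage(observed_hosts, hosts_file_names):
    """(hosts blocked by exact names only, hosts blocked by the wildcard rules)."""
    exact = [h for h in observed_hosts if blocked_by(h, hosts_file_names)]
    wild = [h for h in observed_hosts if blocked_by(h, WILDCARD_RULES)]
    return exact, wild


# Constructed host names seen in traffic; only the first and third are in the hosts file.
SAMPLE_OBSERVED = [
    "metrics.example.2o7.net",
    "newname.2o7.net",        # an alias the hosts file has never seen
    "stats.omtrdc.net",
    "2o7.net.evil.test",      # suffix look-alike: must NOT match
    "not2o7.net",             # label-boundary look-alike: must NOT match
    "www.example.test",
]
HOSTS_FILE_NAMES = ["metrics.example.2o7.net", "stats.omtrdc.net"]

if __name__ == "__main__":
    exact, wild = coverage(SAMPLE_OBSERVED, HOSTS_FILE_NAMES)
    print("hosts file caught:", exact)
    print("two PAC rules caught:", wild)
```

The second list is longer than the first without the wildcard rules growing at all, which is the reason the page keeps these domains out of the hosts file and in the PAC filter.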

Enjoy the new and improved hosts file installer that Alexander Kowalski has provided!  You can use it with any blocking hosts file out there, not just mine.  Here are some more:


Cameleon
SomeoneWhoCares
http://pgl.yoyo.org/adservers/


Contrary to popular belief, the eDexter pseudo HTTP web server was still available but not at the original web-site as of 5 June 2012:


eDexter


The other alternative is Homer or HostsMan:


Homer
HostsMan


I am trying to talk Alexander into providing a pseudo web server that handles both ports 80 (http) and port 443 (https).  He could make it for pay and I would still tout it over anything else.  HostsMan also provides an alternative hosts file installer.  In fact that is the main thing HostsMan provides.  I never looked at it seriously because all anybody uses that I have created is the blocked cookie list (you need Cookie-Safe in Firefox) and the PAC filter.