Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Host file black lists

Published: 2009-05-27
Last Updated: 2009-05-27 19:47:59 UTC
by donald smith (Version: 1)
0 comment(s)

Henry Hertz Hobbit who maintains a black list of "bad hosts" wrote in today with some host file links
and comments on them. I have included most of his comments with very little editing
(I removed a few names and comments about other list maintainers and corrected a bit of the grammer).
I have NOT verified all of the lists than Henry discusses below. Our users should be warned that
I have seen poorly maintained lists block legitimate sites in the past.
We have had some less attentive or overly aggressive list maintainers use our hosts
list as a block list even though it clearly states  "DO NOT USE AS A BLOCK LIST"
and then blame isc.sans.org for the listing, http://isc.sans.org/ipsascii.html.
Other handlers have written some excellent diaries about blacklists addressing issues
such as Spam blocking by RBLs, Blacklists and politics,
and making the right choice in black list selection:
http://isc.sans.org/diary.html?storyid=3194
http://isc.sans.org/diary.html?storyid=3042
http://isc.sans.org/diary.html?storyid=1309

For more information on host based blocking this site has a good descriptions,
some lists that are on Henry’s lists and some additional lists didn’t include in his set.
http://www.malwarehelp.org/how-to-effectively-prevent-malware-hosts-file.html


From Henry Hertz Hobbit:
"Two old venerable lists are MVPHosts and hpHosts.
http://www.mvps.org/winhelp2002/hosts.htm
http://hosts-file.net/

MalwareDomainList is here with their lists and they block ONLY sites with malicious
content (no ads or trackers / spies):
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malwaredomainlist.com/
http://www.malwaredomainlist.com/mdl.php

The French connection consists of what I would call the MVPHosts file with a Français twist
(there are some trackers that are quite prevalent if France that don't exist any place else):
http://sysctl.org/cameleon/hosts
http://sysctl.org/cameleon/

Another list that has the most comprehensive lists that may need some pruning:
http://rlwpx.free.fr/WPFF/hosts.htm

This list primarily don't belong on the desktop but into something like this:
http://www.peereboom.us/adsuck/

And then there is my list which includes many of the hosts that MalwareDomainList lists.
http://www.SecureMecca.com/hosts.html
http://www.HostsFile.org/hosts.html

But I provide something far more powerful called a PAC (Proxy Auto Configuration) filter
that blocks unknown threats:
http://www.SecureMecca.com/pac.html
http://www.HostsFile.org/pac.html
http://www.SecureMecca.com/Downloads/

Now I have heard you need an IQ of 130 plus or higher to use the PAC filter. 
If that is a problem so be it.  But consider the following points.

1. hpHosts (hosts-file.net) blocks approximately 3700 typo hosts. 
I block them with just two hosts in the hosts file (ownbox.com and www.ownbox.com)
and these two rules in the PAC filter:

// OWNBOX FE TYPO
BadNetworks[i++] = "216.65.41.185, 255.255.255.255";
BadNetworks[i++] = "216.65.41.188, 255.255.255.255";

Now that cuts it down to size, doesn't it?  There is a lot of other power reducers and
falling through the cracks rules in there!  Otherwise my file would be almost as large
as the list at rlwpx.free.fr/WPFF/hosts.htm.

2. If you enable the PAC filter on Windows in IE you will have your eyes opened.
I had full debug on that way once and found the PAC filter was even working at the level
of tellimg me I sent a print-out to the network printer!  But debug really should only
be used in Firefox with debug mode set to debugNormal.  Do not turn debug on in Opera or
Safari (they kill it), or IE (you will have pop-up nightmares).

3. The REGEXPs are precompiled for speed.  It is faster in debug mode than John LoVerso's
original was without any debug.  But then I noticed some of his ad patterns are pretty convoluted. 
But if you have to interpret them every time ...

4. I notice patterns that occur frequently enough that I block yet to be discovered
hosts with patterns like these:
BadHostParts[i++] = "antispy";  // VOTRE CHOIX
BadHostParts[i++] = "antivir";  // VOTRE CHOIX

There are of course some white-list rules to counteract the bad rules
(and now you are back to blocking in the hosts file):
GoodDomains[i++] = "antispamfilterblocker.com";
GoodDomains[i++] = "antivirusyellowpages.com";
GoodDomains[i++] = "pcantivirusreviews.com";

5.  Even if hosts make it past the rules for the hosts and there is no host block,
for some of the malware there are patterns and I block them as I discover and
mentally count them and consider the count high enough to go into panic mode
(and I think a lot of people are already there now):

BadURL_Parts[i++] = "av2008";
BadURL_Parts[i++] = "av2009";
BadURL_Parts[i++] = "sms.exe";
BadURL_Parts[i++] = "smsreader";

Oh yes, HostsMan is available here:
http://www.abelhadigital.com/ "

UPDATE: Steven, another blacklist maintainer, pointed out this article he wrote about blacklists, host files and PAC files.

http://mysteryfcm.co.uk/?mode=Articles&date=12-08-2008
 

0 comment(s)

WebDAV write-up

Published: 2009-05-27
Last Updated: 2009-05-27 17:50:15 UTC
by donald smith (Version: 1)
0 comment(s)

SusanB wrote in today to tell us about a really good write-up on understanding Microsoft’s KB971492 IIS5/IIS6 WebDAV vulnerability by Steve Friedl of is available here.
http://unixwiz.net/techtips/ms971492-webdav-vuln.html
This was written because Steve and some of others at unixwiz.net found Microsoft’s "guidance confusing for users who were not IIS experts".  This includes a very good flowchart that should assist anyone who is confused, detailed descriptions of WebDAV, remediation ideas, and links to other WebDAV references.

0 comment(s)
Diary Archives