Best practice?
I was reading it was better to route to 0.0.0.0 than 127.0.0.1. Something to do with 0.0.0.0 failing without waiting for a timeout. Probably makes little difference in practice but I am curious to know the "right" way :]
Attempting to prevent Malware from infecting computers is an important duty of a systems administrator. If you are attempting to secure systems then anti-malware applications, restricting the use of vulnerable third party applications and browser extensions are all important. But attempting to prevent – or at least contain – …
I get the impression that this may well make a significant difference if you're running your own locally-hosted server or, based on some anecdote I've seen on various forums, if you've got a weird OS. But at least according to MVPS, any difference is a myth:
http://www.mvps.org/winhelp2002/hostsfaq.htm#Personal
...and despite some considerable Googling on my part, I haven't found anyone who has conducted any sort of proper test, only anecdote. On the other hand, if you have an absolutely gigantic hosts file, using 0.0.0.0 does technically reduce its size a bit.
AdBlock Plus addon for Firefox:
- https://addons.mozilla.org/en-US/firefox/addon/1865
Blocking malicious sites with Adblock Plus
- http://adblockplus.org/blog/blocking-malicious-sites-with-adblock-plus
"... another layer of protection..."
IPCop + URL Filter + Adv Proxy
This setup handles it.
IPCop | Services | URL Filter | Custom blacklist | (Remove all the crap except first column) paste in list | Save and Restart
URL Filter other things...
Block categories: ads, adult, adv, aggressive, agressif, alcohol, audio-video, automobile/bikes, automobile/boats, automobile/cars, automobile/planes, chat, cleaning, costtraps, dangerous_material, dating, downloads, drogue, drugs, dynamic, education/schools, finance/banking, finance/insurance, finance/moneylending, finance/other, finance/realestate, fortunetelling, forum, forums, gamble, gambling, games, government, hacking, hobby/cooking, hobby/games, hobby/games-misc, hobby/games-online, hobby/gardening, hobby/pets, homestyle, hospitals, imagehosting, isp, jobsearch, leo, library, liste_bu, mail, military, mixed_adult, mobile-phone, models, movies, music, news, phishing, podcasts, politics, porn, proxy, publicite, radio, radiotv, reaffected, recreation/humor, recreation/martialarts, recreation/restaurants, recreation/sports, recreation/travel, recreation/wellness, redirector, religion, remotecontrol, ringtones, science/astronomy, science/chemistry, searchengines, sex/lingerie, sexual_education, shopping, socialnet, spyware, strict_redirector, strong_redirector, suspect, tracker, tricheur, updatesites, violence, warez, weapons, webmail, webphone, webradio, webtv
Custom blacklist: Blocked domains (one per line); Blocked URLs (one per line)
Custom whitelist: Allowed domains (one per line); Allowed URLs (one per line)
Custom expression list: Blocked expressions (as regular expressions)
File extension blocking: Block executable files; Block audio/video files; Block compressed archive files
Local file redirection: Enable local file redirection
Network based access control: Unfiltered IP addresses (one per line); Banned IP addresses (one per line)
Time based access control
Block page settings: Show category on block page; Show URL on block page; Show IP on block page; Use "DNS Error" to block URLs; Redirect to this URL; Message line 1; Message line 2; Message line 3; Enable background image (to use a custom background image for the block page upload the .jpg file below)
Advanced settings: Enable expression lists; Enable SafeSearch; Block "ads" with empty window; Block sites accessed by their IP address; Block all URLs not explicitly allowed; Enable log; Log username; Split log by categories; Number of filter processes; Allow custom whitelist for banned clients
URL filter maintenance:
Blacklist update: The new blacklist will be automatically compiled to prebuilt databases. Depending on the size of the blacklist, this may take several minutes. Please wait for this task to be finished before restarting the URL filter. To install an updated blacklist upload the .tar.gz file below.
Blacklist editor: Create and edit your own blacklist files
Backup URL filter settings: Include complete blacklist
Restore URL filter settings: To restore a previously saved configuration upload the .tar.gz backup file below.
Stupid computers running Windows 2000 that can't be upgraded and in which nearly everything must run as Administrator. There was an article about it a ways back from me as well as much discussion and debate in the comments. I've since taken further precautions, but let's be honest here: how many folks (especially at home) do you know not only run as administrator, but click "yes" every time the "would you like to run this app" box comes up?
I agree that in an even halfway-well-run and up-to-date corporate network it’s not a practical threat…but not everyone gets to work in those environments. So many networks I know are band-aids on top of band-aids on top of other band-aids held together with tape.
Still, as people move away from the 2000/XP era into a world where running things as limited users becomes more common and practical, DNS blackholing becomes more valid as a defence as a result.
Pint because it's Friday.
Baulked at the idea of getting a list of bad domains onto my ISA server with the budget available (ie none). However found a program named on the site that does it and our network is now getting a bit more secure.
I like simple clear advice like these articles - IT management is not my main job.
I've little knowledge of Windows admin but the hosts file should be by default read-only, absolutely non-writeable, for users for exactly this reason. Just checked and it is so on my Win2K8 (real machine), Win2K (a VM, not that that makes any difference) and Mint Linux (also a VM).
Unless you + users are running as admin/root, altering hosts shouldn't be possible. So what's happening??
Wow, we've been doing this for years... Our firewall gets a package sent about once a week updating both known safe and known unsafe domains, and we outright block the unsafe and limit access to unknown (not safe). We also add to the white and black lists regularly, and choose filters based on OU.
I read about similar practices years ago and even tried it for a while. It was high maintenance, and unconvincing.
Personally I'm not fond of a large hosts file - I would prefer it to be empty - for performance, maintenance and security reasons. Sadly there are two mandatory applications in our org that require entries in hosts files on all clients. The programmers are assholes about it to boot, so no change forthcoming yet.
I prefer to block before it enters the network with Untangle.com and OpenDNS.com combined.
The problem with blackholing DNS is that many cyber-crooks know about it and they therefore change the domain/subdomain they use frequently. Thus if you just block certain domains - even if you update the domains from malwaredomains.com frequently - you will fail to block the malware for long. A far better approach is to block the IP addresses of the malware providing hosts because typically the crooks use the same host with the same IP address, they just change/add new DNS links to it.
As we mentioned on our blog (er yes this is a commercial plug) a few months back - http://threatstop.wordpress.com/2010/05/10/iframe-droppers-and-other-drive-bys-how-threatstop-protects-you/ - we provide our subscribers with frequently updated lists of known bad IP addresses that may be quickly and automatically plugged into the firewall and which block many malware sources. I'd love to say we block all but then you'd know I was a lying marketing droid instead, I believe we stop most of them though but since the crooks unaccountably refuse to give us a list of compromised hosts for us to check against I can't prove it.
MichaelC above would certainly benefit from our system since stats we have analyzed from DShield indicate that about a third of all threat sources change in a week (and about a quarter in less than 24 hours). Thus by uploading new data once a week he will be missing a significant portion of the threats he thinks he is protecting against.
Don't get me started. That was /not/ my idea, and it has taken me four solid years of fighting tooth and nail to be allowed the opportunity to replace it. There are things which make me rage. There are things which make me cry. Then there are things which make me experience desires to commit war crimes. Actually, only one thing has ever fallen into the latter category, and that is ISA.
While I'm sure that malwaredomains do an admirable job, it's pretty certain that there's no way they can capture all of the fast-flux domains used by modern botnets. When you have 20 million domains like dlxfrglh.com and orutyerou.com and so on, the blacklist becomes huge, unwieldy and seriously impacts network performance.
I know, because I tried this a couple of years ago, and Internet access slowed to a crawl. In the end, I simply ended up bit-bucketing anything to do with China, Russia, and most of Eastern Europe - because on the odd occasion when we did get infected, it nearly always came from, and reported to, one of those places. While I acknowledge that this is not a workable solution for many enterprise-level networks, for SMEs whose business is largely local (and whose networks aren't exactly high-powered) it takes a huge amount off the blacklist, leaving only the US and Netherlands as the main offenders, and that is easily dealt with using a much smaller blacklist. It doesn't eliminate every possibility, but good security practices and proper system maintenance should cover the rest of it.
Oh, and @PC Tech: While I'm as big a fan of Firefox, AdBlock and NoScript as anyone, they are not really a good defence in a network context (no client-controllable solutions are), simply because users can disable AdBlock and NoScript, or in the case of NoScript, simply allow scripts from a suspect domain. I actually caught a few users in my workplace running with NoScript in "Allow Scripts Globally" mode, because they complained it was "too annoying" to have to keep clicking "Allow" in Noscript for each new site they visited! So while it's a reasonable supporting plan to have client-side defences in place, it's a very bad idea to rely on security in the hands of your users!
They've done a good job with the Zeus botnet, and there are commercial alternatives coming on-stream to handle it. Again, Malwaredomains.com isn't the One True Solution. It is part of what should be layered defence in depth.
As to no-script, the debate was had in the comments section of my previous article:
http://www.theregister.co.uk/2010/08/11/sysadmin_noscript/
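Three technical threads above come together in one place: the 0.0.0.0 versus 127.0.0.1 sink address question in the first reply, the "hosts should be read-only, so what's happening?" question, and the point that a block enforced at the resolver is better than one users can switch off in the browser. The following is an added example, not code from the article, the thread or any commenter. It assumes a plain one-domain-per-line input list with `#` comments (the malwaredomains.com style discussed above), emits both a hosts file and the equivalent unbound `local-zone ... always_nxdomain` stanzas (unbound's real syntax; it is the resolver-side version of IPCop's "DNS Error" block), and audits an existing hosts file for entries that point a name at an address other than loopback or the sink. The feed, hosts file and sanctioned-entry set it uses are constructed samples.

```python
"""DNS-blackhole helpers for a plain domain list, plus a hosts-file audit.

Added example, not code from the original thread or from any commenter. It assumes
the input is a one-domain-per-line text list with '#' comments; the sample feed and
sample hosts file below are constructed.
"""
import ipaddress
import re

# One hostname label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"$")


def _fields(line):
    """Strip a '#' comment and split the remainder; returns [] for blank lines."""
    return line.split("#", 1)[0].split()


def parse_domain_list(text):
    """Return a sorted, de-duplicated list of syntactically valid domains.

    Lines may be bare names or already in hosts format ("0.0.0.0 bad.example"),
    so an existing hosts-style list can be fed back in. Invalid names are dropped
    rather than written out, because one bad line can make a resolver refuse to
    load the whole file.
    """
    seen = set()
    for raw in text.splitlines():
        fields = [f.lower() for f in _fields(raw)]
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])  # leading sink address present?
            names = fields[1:]
        except ValueError:
            names = fields
        for name in names:
            name = name.rstrip(".")
            if _DOMAIN_RE.match(name):
                seen.add(name)
    return sorted(seen)


def render_hosts(domains, sink="0.0.0.0"):
    """Render hosts-file lines pointing every domain at the sink address.

    0.0.0.0 is a non-routable sink. 127.0.0.1 also works, but then a blocked name
    resolves to whatever web server happens to be listening locally, which is the
    practical difference raised in the thread.
    """
    ipaddress.ip_address(sink)  # fail fast on a mistyped sink address
    return "".join(f"{sink} {d}\n" for d in domains)


def render_unbound_local_zones(domains):
    """Render unbound.conf stanzas answering NXDOMAIN for each domain and its subdomains.

    This is the resolver-side equivalent of IPCop's "DNS Error" block: it applies to
    every client using the resolver and cannot be switched off in the browser.
    """
    return "".join(f'local-zone: "{d}." always_nxdomain\n' for d in domains)


def audit_hosts(text, known_entries=frozenset(), sinks=("0.0.0.0",)):
    """Return (ip, name) pairs in a hosts file that point somewhere unexpected.

    Loopback targets and the configured sink addresses are normal for block entries;
    sanctioned mappings for in-house applications go in known_entries. Anything else
    (a bank or update server mapped to an outside address) deserves a look.
    """
    allowed = {ipaddress.ip_address(s) for s in sinks}
    flagged = []
    for raw in text.splitlines():
        fields = _fields(raw)
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address/name line; hosts parsers skip it too
        if ip.is_loopback or ip in allowed:
            continue
        for name in fields[1:]:
            pair = (str(ip), name.lower())
            if pair not in known_entries:
                flagged.append(pair)
    return flagged


# Constructed sample inputs (not a real feed, not a real hosts file).
SAMPLE_FEED = """\
# constructed sample feed
malware.example        # trailing comment
Malware.EXAMPLE        # duplicate differing only in case
0.0.0.0 dropper.example
bad_label.example      # underscore: invalid hostname
-leadinghyphen.example # invalid label
c2.sub.example.        # trailing dot is tolerated
"""

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost
0.0.0.0      malware.example
192.168.10.5 licensing.corp.example   # sanctioned entry for an in-house application
203.0.113.9  www.bank.example         # not sanctioned: looks like a hijack
"""
KNOWN_ENTRIES = frozenset({("192.168.10.5", "licensing.corp.example")})

if __name__ == "__main__":
    domains = parse_domain_list(SAMPLE_FEED)
    print(render_hosts(domains))
    print(render_unbound_local_zones(domains))
    print("hosts entries to review:", audit_hosts(SAMPLE_HOSTS, KNOWN_ENTRIES))
```

Run the file directly to see both renderings for the sample feed and the audit result for the sample hosts file. To use it on real input, read the downloaded domain list into `parse_domain_list`, and read the client's hosts file into `audit_hosts` with the set of mappings your in-house applications legitimately need (the two mandatory applications mentioned above would go there); every pair it returns is either a sanctioned entry nobody recorded or an entry somebody else put there.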
Biting the hand that feeds IT © 1998–2022