Malware Domain List

Anything Goes => This and That => Topic started by: dsl on March 01, 2012, 04:03:14 pm

Title: s3.amazonaws.com cloud in MDL list? reasons?
Post by: dsl on March 01, 2012, 04:03:14 pm
I know there is a certain amount of malware originating from s3.amazonaws.com, but as we know there is far more legitimate use for that cloud service than there is malware (I think?). Since we suck the daily list into our DNS servers, I have now received a request to unblock it as one of our depts needs to access files on it for business purposes. I can easily unblock it for them and probably will have to as it has become a "business requirement" (whatever that means?), but it begs the question as to why it was added to the list in the first place? I hope the decision to add it to the list was studious and diligent in its reasoning to do so? I'd be interested in knowing the thought processes to add it to the list because blocking it also means blocking one heck of a lot of legitimate access. I knew once I saw it on the list that it wouldn't last long. It was only a matter of time before a "business requirement" would require me to unblock it, but I was willing to let it be blocked and see what happened. It only took a few days for it to become an issue for us.

Is the infection rate of that cloud so prolific that it warrants being on the list, or is it on the list because a "few" pieces of malware originated from there? I'd surely like to hear the reasons as googling isn't telling me much about the security or insecurity of that cloud.

Any replies much appreciated.
Dan. ???
Title: Re: s3.amazonaws.com cloud in MDL list? reasons?
Post by: dsl on March 02, 2012, 03:28:16 pm
hmmm, yesterday the list still had s3.amazonaws.com in it, but today it is gone? I'm not complaining, just noticed that's all. Now I don't need to adjust my script to exclude it, which is what I was in the middle of doing when I double checked the list. Less work for me. Thanks.
Title: Re: s3.amazonaws.com cloud in MDL list? reasons?
Post by: SysAdMini on March 02, 2012, 03:57:41 pm
Another user sent us a message by contact form and asked for removal of s3.amazonaws.com.
MysteryFCM verified all listed Amazon urls and marked them as inactive when he saw that all urls are clean now.

It's always a difficult decision for us how we should manage malicious urls of major web sites.
We have the same problem with other big players like Google, Dropbox or file sharing sites.
There are pros and cons for listing these sites.

Maybe we can set up a whitelist for domains that should not appear in our blocking list.
I would appreciate it if MDL users would send us suggestions for a list of domains.
Title: Re: s3.amazonaws.com cloud in MDL list? reasons?
Post by: dsl on March 02, 2012, 06:44:28 pm
Sounds like a plan. I'll try and contribute domains for a whitelist when I come across them.
Thanks for the explanation SysAdmini.

Dan.
Title: Re: s3.amazonaws.com cloud in MDL list? reasons?
Post by: john_ on May 04, 2012, 08:08:15 pm
I have images of my site hosted at s3.amazonaws for speeding up the loading time, now my site will be classified as hosting malicious links ??? ;D

I know of dozens of malware hosted on file sharing sites but I don't see for example rapidshare.com on the list :P. The system is far from being accurate.
Title: Re: s3.amazonaws.com cloud in MDL list? reasons?
Post by: dlipman on May 04, 2012, 08:17:51 pm
Example:

http://www.malwaredomainlist.com/forums/index.php?topic=4854.0

That was not the first case I had seen but the one I posted about.

Title: Re: s3.amazonaws.com cloud in MDL list? reasons?
Post by: JPElectron on June 01, 2012, 03:10:16 pm
I just go through and remove any lines matching...

^(.*\.)?amazonaws\.com$
^(.*\.)?cloudfront\.net$
^(.*\.)?dropbox\.com$
^(.*\.)?netdna-cdn\.com$

...after downloading the latest list.

On a related note, would it be possible to provide a plain-text list of just domain names, no other formatting?
The hosts file is easy enough to convert to csv and remove the first column of 127.0.0.1, but it's still a wasted resource to consolidate every bad subdomain into one blocked domain, for example...

subdom1.example.com
subdom2.example.com
www.example.com
example.com

...can really all be consolidated to: example.com - when you are using a DNS sinkhole approach.

Also, and I apologize if this is not the correct place to ask, but I can't reply to http://www.malwaredomainlist.com/forums/index.php?topic=3270.0
- Have you considered offering a .md5 of each file you offer, that way automated scripts can easily check the .md5 and only if it's changed/different then download the actual list?
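The post-processing JPElectron describes (strip the 127.0.0.1 column from the hosts-format list, drop whole domains that belong to shared infrastructure such as the CDN and storage providers listed above, collapse every listed subdomain onto its parent for a DNS sinkhole, and skip the download when a published .md5 has not changed) can be done in a few dozen lines. The following Python script is an added example written for this thread; it is not JPElectron's script, not MDL's own tooling, and the sample hosts lines it parses are constructed. Two things are assumptions: the four whitelist patterns are taken verbatim from the post above, and the rule "registrable domain = last two labels, or three when the last two are a known multi-label suffix such as co.uk" uses a small hand-written suffix set where a real deployment would consult the full public suffix list, because collapsing cdn.evil.co.uk to co.uk would sinkhole every UK commercial domain.

```python
import hashlib
import re

# Constructed sample of a downloaded blocklist in hosts-file format (not the real MDL file).
SAMPLE_HOSTS = """\
# constructed sample blocklist, hosts format
127.0.0.1  localhost
127.0.0.1  subdom1.example.com
127.0.0.1  subdom2.example.com
127.0.0.1  www.example.com
127.0.0.1  example.com
127.0.0.1  bad-bucket.s3.amazonaws.com
127.0.0.1  d111111abcdef8.cloudfront.net
127.0.0.1  dl.dropbox.com
127.0.0.1  cdn.evil.co.uk
127.0.0.1  evil.invalid
"""

# Whitelist patterns quoted from the forum post: the optional "(.*\.)?" prefix
# matches the apex domain and any subdomain, "$" anchors on the domain end.
WHITELIST_PATTERNS = [
    r"^(.*\.)?amazonaws\.com$",
    r"^(.*\.)?cloudfront\.net$",
    r"^(.*\.)?dropbox\.com$",
    r"^(.*\.)?netdna-cdn\.com$",
]
WHITELIST_RE = [re.compile(p, re.IGNORECASE) for p in WHITELIST_PATTERNS]

# Assumption: a tiny stand-in for the public suffix list. Without it, the
# two-label rule below would collapse "cdn.evil.co.uk" to "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def hosts_to_domains(text):
    """Parse hosts-format lines into lowercase domain names.

    Comments, blank lines, malformed lines and the localhost entry are dropped;
    the leading 127.0.0.1 column is discarded.
    """
    domains = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no hostname
        for name in fields[1:]:
            name = name.lower()
            if name != "localhost":
                domains.append(name)
    return domains


def apply_whitelist(domains):
    """Remove every entry matching one of the shared-infrastructure patterns."""
    return [d for d in domains if not any(r.match(d) for r in WHITELIST_RE)]


def registrable_domain(name):
    """Reduce a hostname to the domain a DNS sinkhole zone should be created for."""
    labels = name.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def consolidate(domains):
    """Collapse subdomains onto their registrable domain, keeping first-seen order."""
    seen = set()
    result = []
    for base in map(registrable_domain, domains):
        if base not in seen:
            seen.add(base)
            result.append(base)
    return result


def build_sinkhole_list(hosts_text):
    """Full pipeline: hosts file -> domains -> whitelist applied -> consolidated."""
    return consolidate(apply_whitelist(hosts_to_domains(hosts_text)))


def md5_hex(data):
    """Hex MD5 of the raw list bytes, matching what a published .md5 file would carry."""
    return hashlib.md5(data).hexdigest()


def needs_download(published_md5, cached_md5):
    """True when the published .md5 differs from the hash of the cached copy."""
    return published_md5.strip().lower() != cached_md5.strip().lower()


if __name__ == "__main__":
    for domain in build_sinkhole_list(SAMPLE_HOSTS):
        print(domain)
```

Run as-is it prints the three sinkhole zones left after whitelisting and consolidation (example.com, evil.co.uk, evil.invalid). In a cron job you would fetch the .md5 first, pass it together with `md5_hex()` of the cached file to `needs_download()`, and only then fetch and rebuild the zone list; the MD5 here is an integrity-of-transfer check against the publisher's stated hash, not an authentication of the list's origin.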