Author Topic: Dead hosts in your hosts file.  (Read 10567 times)


November 15, 2008, 09:20:35 am

hhhobbit

Even though you are doing a good job of putting your hosts file up for others, there are some problems.

1. You have an awful lot of dead hosts in the file.  Here is where you can download some of the dead ones for pruning:

http://www.SecureMecca.com/MalwareDomainList/DeadHosts.7z
http://www.SecureMecca.com/MalwareDomainList/DeadHosts.zip

Pick your own zip poisoning.  Run them through DNS again to be sure they are dead.  BTW, I am miffed you didn't include moi and Airelle in your lists of bad hosts.  Airelle is much better for the French connection than Camelon.

http://www.SecureMecca.com
http://www.HostsFile.org
http://rlwpx.free.fr/WPFF/hosts.htm
(translate the last one yourself - he has buttons for Anglais and Deutsch - I read it in French.)

2.  Regarding rogue malware sites, I have noticed that, now that Microsoft has entered the fray, they come and go like clockwork: the time from setup and deployment to when they pull the plug is now usually less than two months and frequently less than a month.  Unless they really are using their DNS servers to put up fake pages for Symantec, et al, there is no percentage in blocking their DNS servers.  But you almost never block the downloaders.  Why don't you? As an example, errorprotector.com:

   Name:   errorprotector.com
Address: 127.0.0.1
   Name:   www.errorprotector.com
Address: 66.244.254.63

   bin.errorprotector.com  canonical name = dwnld1.com.
Name:   dwnld1.com
Address: 67.228.177.146
Name:   dwnld1.com
Address: 67.228.177.143

   Name:   go.errorprotector.com
Address: 24.244.170.177

How a person would get to the downloader host now that the front ends are gone is a bit of a mystery, but that didn't stop me from adding two rules to our PAC filter, since several of these people have banded together to put all their downloads on this one host (which I can't see anything good coming from):

BadNetworks[i++] = "67.228.177.143, 255.255.255.255"; // dwnld1.com_1 - 2008-11-13
BadNetworks[i++] = "67.228.177.146, 255.255.255.255"; // dwnld1.com_2 - 2008-11-13

But you really do need to block the download hosts themselves. This is just one of many downloaders but it is a biggie:

[hhhobbit@gandalf Hosts]$ grep 067.228.177.143 IP2Host.txt
067.228.177.143         archive.easydownloadsoft.com    2008-08-15
067.228.177.143         bin.errorprotector.com          2008-09-21
067.228.177.143         bsa.safetydownload.com          2008-09-21
067.228.177.143         cdn.bestdownloadsoft.com        2008-10-15
067.228.177.143         cdn.downloadcontrol.com         2008-10-15
067.228.177.143         cdn.drivecleaner.com            2008-09-21
067.228.177.143         download-es.com                 2008-08-15
067.228.177.143         download.antimalwareguard.com   2008-08-15
067.228.177.143         download.cdn.errorsafe.com      2008-10-30
067.228.177.143         download.cdn.winsoftware.com    2008-10-15
067.228.177.143         download.errorinspector.com     2008-09-21
067.228.177.143         download.errorsafe.com          2008-09-21
067.228.177.143         download.installprovider.com    2008-09-21
067.228.177.143         download.pcsupercharger.com     2008-08-15
067.228.177.143         download.registrydoctor2008.com 2008-10-15
067.228.177.143         download.sysprotect.com         2008-09-21
067.228.177.143         download.systemdoctor.com       2008-09-21
067.228.177.143         dwnld1.com                      2008-10-15
067.228.177.143         files.drivecleaner.com          2008-09-21
067.228.177.143         premium.bestguardownload.com    2008-10-15
067.228.177.143         sec.storageguardsoft.com        2008-09-21
067.228.177.143         setup.cryptdrive.com            2008-09-21
067.228.177.143         software.protectdownloads.com   2008-09-21
[hhhobbit@gandalf Hosts]$ grep 067.228.177.146 IP2Host.txt
067.228.177.146         archive.easydownloadsoft.com    2008-08-15
067.228.177.146         bin.errorprotector.com          2008-09-21
067.228.177.146         bsa.safetydownload.com          2008-09-21
067.228.177.146         cdn.bestdownloadsoft.com        2008-10-15
067.228.177.146         cdn.downloadcontrol.com         2008-10-15
067.228.177.146         cdn.drivecleaner.com            2008-09-21
067.228.177.146         download-es.com                 2008-08-15
067.228.177.146         download.antimalwareguard.com   2008-08-15
067.228.177.146         download.cdn.errorsafe.com      2008-10-30
067.228.177.146         download.cdn.winsoftware.com    2008-10-15
067.228.177.146         download.errorinspector.com     2008-09-21
067.228.177.146         download.errorsafe.com          2008-09-21
067.228.177.146         download.installprovider.com    2008-09-21
067.228.177.146         download.pcsupercharger.com     2008-08-15
067.228.177.146         download.registrydoctor2008.com 2008-10-15
067.228.177.146         download.sysprotect.com         2008-09-21
067.228.177.146         download.systemdoctor.com       2008-09-21
067.228.177.146         dwnld1.com                      2008-10-15
067.228.177.146         files.drivecleaner.com          2008-09-21
067.228.177.146         premium.bestguardownload.com    2008-10-15
067.228.177.146         sec.storageguardsoft.com        2008-09-21
067.228.177.146         setup.cryptdrive.com            2008-09-21
067.228.177.146         software.protectdownloads.com   2008-09-21

And that is after a substantial amount of pruning of the hosts that used to be at these IP addresses but are no longer mapped to them (almost done - I used to have five times this number of download hosts).

3. There is a better way to block the China and Russia problems (as long as you use a PAC filter):

BadDomains[i++] = ".cn";  // YOUR CHOICE - MalWare
// BadDomains[i++] = ".ru";  // YOUR CHOICE - MalWare

and I am considering Hong Kong after the recent bad reports (not there yet):

// BadDomains[i++] = ".hk";  // YOUR CHOICE - MalWare

Russia is probably going to be activated (but deactivated for me - done with a "// ").  If you never go to those countries' servers, hey, what difference does it make?  You have just stopped all the drive-by (okay, browse-by) hijack downloads in these countries unless they go by IP address.  I can also stop China by IP address for most of them.  OTOH, I should give ".fi", ".se", ".no", and ".dk" a GoodDomains status for being almost as clean as ".gov" and ".edu" sites (they already have that status).  Well, maybe Denmark is going too far.

4. Well, I just thought you may want to look into making your host lists a little more complete and up to date.  I am selfish in asking you to do this though.  I am using frequency counts of patterns in your hosts to block by pattern.  So prune away with what I have given you.  I imagine I am going to still have a high frequency count with what I have identified so far.  Most of them are, drum roll please, pornography terms.

5. Oh yes, I do occasionally post some lists of hosts for MVPHosts and others at my blog:

http://SecureMecca.BlogSpot.com

You may find a little teaser there now and again that is useful.  Most of it now concerns trackers and ad pushers, now that I have replaced the block of Pornography with a block of Ads (not done yet).  But as a Linux user (99.99% of the time), the trackers are a much bigger security problem for me than the malware pushers (so far - crossing fingers).
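The PAC rules quoted in this post and again in Reply #3 (BadNetworks entries as "IP, mask", BadDomains entries as a TLD suffix) show only the tables. The following is an added, runnable sketch of the FindProxyForURL() logic that consumes such tables; it is not hhhobbit's actual PAC filter. The GoodDomains entries, the blackhole proxy address, the DNS answers and the example.* names are assumptions so that it runs offline under Node, and dnsResolve() / isInNet() are shims standing in for the functions a browser's PAC engine provides.

```javascript
// Added example, not hhhobbit's PAC filter: how BadNetworks / BadDomains /
// GoodDomains tables drive FindProxyForURL(). Runs under Node with shims
// for the helpers a browser's PAC engine would supply.

const BLACKHOLE = "PROXY 127.0.0.1:3421"; // assumed: a proxy that answers nothing

const BadNetworks = [], BadDomains = [], GoodDomains = [];
let i = 0;
BadNetworks[i++] = "67.228.177.143, 255.255.255.255"; // dwnld1.com_1 - 2008-11-13
BadNetworks[i++] = "67.228.177.146, 255.255.255.255"; // dwnld1.com_2 - 2008-11-13
BadNetworks[i++] = "216.65.41.185,   255.255.255.255"; // OWNBOX FE TYPO
BadNetworks[i++] = "216.65.41.188,   255.255.255.255"; // OWNBOX FE TYPO
i = 0;
BadDomains[i++] = ".cn"; // YOUR CHOICE - MalWare
BadDomains[i++] = ".ru"; // YOUR CHOICE - MalWare
i = 0;
GoodDomains[i++] = ".gov"; // assumed whitelist entries
GoodDomains[i++] = ".edu";

// Constructed DNS answers so the example runs offline; a browser would call
// the real dnsResolve(). example.* names and TEST-NET addresses are invented.
const FAKE_DNS = {
  "dwnld1.com": "67.228.177.146",
  "bin.errorprotector.com": "67.228.177.143", // CNAME to dwnld1.com in the nslookup above
  "www.example.cn": "203.0.113.7",
  "www.example.com": "198.51.100.9",
  "ftp.example.edu": "198.51.100.10",
};

function dnsResolve(host) { return FAKE_DNS[host] || null; }

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + parseInt(o, 10)) >>> 0, 0);
}
// Like PAC's isInNet(), but takes an already-resolved address instead of a hostname.
function isInNet(ip, net, mask) {
  if (!ip) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
// PAC's dnsDomainIs(): a suffix match, so ".cn" cannot match "example.cnn.com".
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isIPv4Literal(host) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(host); }

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Whitelist wins: a GoodDomains suffix is never sent to the blackhole.
  for (const d of GoodDomains) if (dnsDomainIs(host, d)) return "DIRECT";
  // Name-based block: one rule covers every host under the TLD ...
  for (const d of BadDomains) if (dnsDomainIs(host, d)) return BLACKHOLE;
  // ... but a URL that uses the IP literal never hits it, which is why the
  // network rules exist: they catch the address whatever name (or no name) is used.
  const ip = isIPv4Literal(host) ? host : dnsResolve(host);
  for (const rule of BadNetworks) {
    const [net, mask] = rule.split(",").map(s => s.trim());
    if (isInNet(ip, net, mask)) return BLACKHOLE;
  }
  return "DIRECT";
}
```

With these tables, www.example.cn and bin.errorprotector.com both go to the blackhole (the first by suffix, the second because it still resolves to 67.228.177.143, whatever it is called this month), a URL written as http://67.228.177.143/ is caught by the same network rule, and www.example.cnn.com is not touched by the ".cn" rule. The caveat the post itself raises is visible too: a .cn-hosted server reached by its IP literal (203.0.113.7 here) passes the TLD rule, so it is only blocked if its address range is also in BadNetworks.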

November 15, 2008, 10:10:57 am
Reply #1

sowhat-x

Hi hhhobbit

Already since late September it was estimated that about 35% of the hosts listed had gone dead.
A more recent scan revealed that this number has increased to about 50%.

MDL's main list itself is currently in a semi-stalled state for a variety of reasons...
check the following thread to get an idea about it:
http://www.malwaredomainlist.com/forums/index.php?topic=2373.0
It's a project based completely on volunteers' contributions,
and thereby lack of time is a major factor... we're not sure yet what its future might be...

PS: For a regularly updated hosts file / browsable database,
you might wanna have a look here as well... although I bet you're already aware of it:
http://hosts-file.net/

November 15, 2008, 10:25:28 am
Reply #2

sowhat-x

Quote
Russia is probably going to be activated (but deactivated for me - done with a "// ").
If you never go to those countries' servers, hey, what difference does it make? 
You have just stopped all the drive-by (okay, browse-by) hijack downloads in these countries unless they go by IP address.
I can also stop China by IP address for most of them.
OTOH, I should give ".fi", ".se", ".no", and ".dk" a GoodDomains status for being almost as clean as ".gov" and ".edu" sites
(they already have that status).
Well, maybe Denmark is going too far.

Statistics gathered via geo-locating MDL's listed domains
showed that by far the 'lion's share' of malicious domains resides in the USA.
(Thanks to philipp for his really excellent work below...)
So, contrary to the popular but misleading belief out there, the fight against malware
certainly hasn't got much in common with the revival of... 'cold war' theories and such, lol...
In most cases, it's merely 'business as usual' to them:
if malware authors prefer to avoid infecting targets in their own countries,
that's just in order to make legal prosecution more difficult...


November 19, 2008, 04:51:24 am
Reply #3

hhhobbit

I added about 300 more dead hosts to the download zip files, in this file:

2008_10_23_rmlist.txt

The downloads again for any who missed them are at:

http://www.SecureMecca.com/MalwareDomainList/DeadHosts.7z
http://www.SecureMecca.com/MalwareDomainList/DeadHosts.zip

This file was the result of looking at what Mike Burgess (MVPHosts) had that I also have (got from you).  Vis-à-vis the counts, what I am primarily going on is what Airelle has collated in his hosts.rsk file and your file rather than http://hosts-file.net/.  hpHosts primarily blocks ads, and although we (me?) also block ads now instead of porn, it is a revelation to look at your host names for patterns.  I can't understand hpHosts, though, when they continue to block 5,000+ typo hosts individually when these two simple PAC rules I have block all of them:

BadNetworks[i++] = "216.65.41.185,   255.255.255.255"; // OWNBOX FE TYPO
BadNetworks[i++] = "216.65.41.188,   255.255.255.255"; // OWNBOX FE TYPO

I don't know whether they are still active, but as of two months ago they were.  They haven't changed in over two years.  A host block really should block something pretty bad.  Airelle's files are here (Airelle is my number one point of authority):

http://rlwpx.free.fr/WPFF/hosts.htm

If you get 20+ hosts with a pattern in them in your list of hosts, you know you have something significant. It becomes especially valuable if you know you won't get a high degree of false positives (porn - 700).  What my two-three years in blocking porn has done is to home in on the fact that at porn sites you may be 2-5 times more likely to infect a Windows machine.  At gambling / gaming sites that are not reputable (I am not speaking of betus.com but fly-by-nights that are registered in Gibraltar with the owner in the Cayman Islands) that goes up to 5-20 times more likely to infect a Windows OS.  Yes, the US has the highest total absolute amount, but what about the percentages?  By that I mean what percent of US host names are involved in infecting systems as opposed to what percentage of Chinese or Russian hosts are involved in doing the same thing?  Even so, for China and Russia respectively I have the following counts (from the download of your file about 3-4 days ago) in your file:

China:    1218
Russia:    281

I block them with just two PAC filter rules (we still have to worry about the IPs, and I have some pretty big IP blocks I am looking at, but how many of them actually go into the Chinese IP address space - yes, I can get it from my database):

BadDomains[i++] = ".cn";  // YOUR CHOICE - MalWare
BadDomains[i++] = ".ru"; // YOUR CHOICE - MalWare

That isn't pocket change, people.  That is a significant blockable pattern.  It doesn't matter that, for myself, I have to mask out the Russia block (still learning Russian, Italian, Spanish, and French) when I am looking at stuff in that country personally.  If you never go to Russian or Chinese sites, what harm is there in blocking them?  NONE!  In reality, what is causing the problems in China is basically the same as in the USA:

[1] There is too short a turnaround time from when you get a domain name until the host is running.  It should be at least a week.  During that period of time some checking needs to be done.  A lot of these people could be stopped right there.

[2] There is not enough background checking of the person, people or organization getting the domain name.  There is also very little control over where the web server has to be - it can be anywhere.  Money talks, though, and buildings that have embassy-like privileges in the USA are highly sought after.  I can already hear the person that let them move into the building: "Duh, I didn't know they were doing anything wrong.  They were such friendly, kind people ..."

[3] There are not enough people or organizations to track down the perpetrators for the Chinese hosts (who are usually not Chinese) and shut down the site.  The reason I say they are usually not Chinese is because Chinese penalties are pretty stiff for computer crime and they will enforce them on people in their own country.  It is just that most of these perpetrators are not in China.  What can they do then?  Do something reactively to shut them down once they discover they are bad.  But by then a lot of damage has been done.  Wouldn't it be better to stop them from the outset?

[4] A priority conflict.  Unlike the USA which is open, the Chinese government places a far higher priority on anybody who is critical of their government over tracking down computer criminals.  That doesn't mean they won't track down computer criminals - it is just a lower priority.  Actually thinking about it, I don't know that the priority in the US is all that high either.  Mike Burgess, myself and others have been threatened for blocking what we block.

[5] There is a compelling reason for the Chinese government itself to spy on people in the USA and elsewhere.  Why go to the expense of placing real spies when a bot-net can garner copious amounts of information?  I am not saying they do it and I am not going to say they don't do it.  All I am saying is that it would be an inexpensive way of gathering background information before you send the real spies in to get a clearer picture of a given situation.  I am sure there are CIA, Mossad, and other agencies that have the same point of view, and I can guarantee that at least some of them are doing it!  It is just too tasty a morsel to pass up!

As far as the Russians are concerned, their society has basically broken down into a lawless state where criminals are allowed to continue doing business as long as police and other relevant people get their kick-backs.  There is also no doubt in my mind that it wasn't just some disgruntled hackers that were hammering Estonia, Georgia, Lithuania, et al.  We are not talking about some old-world passé way of doing things from the cold war.  There are people in the Russian government that are working with the hackers to carry out these attacks.  That does not mean that the government per se is in favor of the attacks (nor all that much against them either).  It is just that they have so much other stuff going on that it is a very low priority to take care of one more thing like hacking and computer crime until it affects them.  The squeaky wheel gets the grease. Most of your attacks are going back to what I term the new Russian mafia.  In reality, though, there are far more than Russian nationals involved in the effort. Why don't they bother us, the people trying to stop them?  We don't even reduce the information they gather to make money by more than 10% to 33% tops.  They have so many credit card numbers and other pieces of information that I would love to see just how intricate their distributed databases are. And there are still people (ministers, etc.) stupid enough to bid on porn stuff at eBay or elsewhere and pay extortion to keep their stupidity quiet. Sigh. How do I know?  Less than 10 people are using my PAC Porn filter (it is still there, and many of the rules that are going into the new filter are cascaded into it).  It is not a very pretty picture, is it?  At least now you have a face behind who is doing some of this.  It isn't just what I term the Russian mafia, but they are a big part of it.  
It also depends on stupid computer users who have no idea how much information Microsoft Windows stores that they thought was deleted, and who think there aren't that many people tracking what they do and where they go with their browsers on the Internet. WRONG!  Anyway, this new mafia (I don't know what else to call them - and they do have some organization) are the ones behind many of those abusive Chinese sites.  What the Chinese need to do is to study the most effective ways of combating the problem and then increase the people-power and give them adequate training to bring the level of what is going on down.  I know they can do it.  They just have to put some of their brightest people to work on it and raise it to the priority it deserves to remove that block I have (and I would love to remove it for them, Russia, and Hong Kong, the last one commented out for now).

So if you can give me patterns for the US other than the porn-ish ones, I am all ears!  Right now my brain must be fried.  I can't see any patterns other than "antispy", "antivir", (both start of host names for sure) and several others that I can bite into.  But the problem is I don't have a way of knowing just how many false positives I will get either.  In other words, I am not looking for just the lists of hosts (they come and go), but lists of bad hosts that I can pick patterns from that are useful that will extend far into the future.  Most of these criminals are bound to patterns like "codec", et al.  I am just under too much pressure to see the good ones right now.

Remove the dead hosts...


November 19, 2008, 03:37:00 pm
Reply #4

hhhobbit

I removed those files and gave you a stripped file instead.  I am sorry, but it is only current as of 2008-11-08. Here is your hosts.txt file as of that date, stripped of both the dead and parked hosts.  I am sorry, but I have heard the argument that parkers infect.  They don't infect on purpose.  They may infect you if their server suffered a SQL-injection attack or similar and has been compromised.  I don't like the way some of them trap you through a series of chutes leading you to a final ad-server, but they just don't infect.  That is why Mike Burgess and I prune them from our hosts files.  I give Airelle the prune IPs.  Thereafter it is up to him.  I have given up on some hpHosts people even knowing what park servers are.  Here is where you can download the pruned file:

http://www.securemecca.com/MalwareDomainList/2008_11_08.7z
http://www.securemecca.com/MalwareDomainList/2008_11_08.zip

I can give you another one at Thanksgiving (US), but you must give me a freeze frame of a week or so where you don't change your hosts.txt file!  This is imperative!  I can maybe look at giving you a PayPal donation, but it isn't going to be big.  But we MUST keep MalwareDomainList going!  It is all we have.  I am not kidding.  Look around and you will see some others doing this work as well, but not in a manner that works very well (except maybe for legal briefs) for the nitty-gritty, get-your-hands-dirty computer security community.  Got to go to work at my day job at the Goodwill store now. When somebody pulled apart a VCR+DVD combo yesterday with the power plugged in, my good will vanished. The managers praised him and dissed me.  Mental note - never hire a BYU graduate.  I finally took myself and my cold off the store-room sales floor.  We will see how it goes for today.  I don't hold out much hope.  The resume is definitely headed out the door.  Give me an email message to  hhhobbit drat SecureMecca.com and I will prune the file for you.  This time I will leave the GoDaddy parkers in - they may be parked but go right back to active status right where they are.  I will also give you the lists, just like I did here, of the parked hosts, dead hosts, and resulting hosts.txt file.  Fair enough?  I will also give you the Host2IP.txt and IP2Host.txt files.  I just use ASCII files for everything.  After all - I made a database by distributing the files by initial characters into a directory (folder) tree.  That is better than somebody who put all their database files into one folder.  I am sorry, but an ISAM (Indexed Sequential Access Method) is the same whether you use an ext2 or Reiser file system.  It slows down tremendously when you get too many files in one folder.

(hhh)

December 10, 2008, 08:01:27 am
Reply #5

SysAdMini

Quote
I can give you another one at Thanksgiving (US)

Would you please send me an updated list? I've checked MDL for dead hosts and wanna compare the results before I do a cleanup.
Ruining the bad guy's day