Author Topic: Check your SANS write-up for correctness  (Read 4056 times)

0 Members and 1 Guest are viewing this topic.

June 05, 2009, 09:16:10 am
Read 4056 times

hhhobbit

  • Special Access
  • Full Member

  • Offline
  • *

  • 54
I noticed that you removed the following host:

topscreensavers.com

Here is the Jotti scan of the lighthouses.exe file I just downloaded from this web-site:

http://preview.tinyurl.com/m3cvz6

Well the language being used is right but that is because it is first in the chain right now.  More to the point though, ALL of these screensaver sites seem to disseminate adware / spyware.  If people really want screensaver jpegs, they can get some of National Geographics for free here:

http://www.SecureMecca.com/WallPaper/

There is no exe, so you have to use the built in stuff for your OS.  It seems to me that Windows 2K / XP / 2003 / Vista  is more than up to the task with what is built in.  At least I am happy with what is on both XP and W2K.  I have several years of the best of the best from National Geographic.  If you don't like what I have, download it yourself from here for free:

http://photography.nationalgeographic.com/photography/photo-of-the-day

Now that is MY idea of a screen-saver / wallpaper.  There is no need for an exe file.  I just want some images that I like and want to use. Maneuver around from there to get what you want.  The other pictures (LDS Temples) are only of interest to people of a particular faith in my area.  But I am wondering why you removed this host.  If it is because adware / spyware isn't high enough on the chart let me know and I will shut up and remember that from now on.  Yes, I will read your criteria again. I am retaining the block of them because they do violate the criteria I have laid down.  Maliciels are maliciels to me.  The difference between spyware / adware and a trojan gets more blurry all of the time. I have noticed the major antispy and antivirus programs have similar problems. There is a toolbar that if you uninstall it, it leaves a resident JavaScript that runs as long as the browser is running, faithfully reporting back to the main server what sites you visit, etcetera.  It runs on all operating systems.  Thus it is truly a Linux / Macintosh spyware, writen in JavaScript.  I block them.  There are several thousand host names associated with the toolbar so I block them in the PAC filter.  The uninstall leaves such a mess the only way to truly clean things up is just to close your browser, then remove your whole browser data folder and go back to a saved safe state.  Be sure to backup your new bookmarks somehow unless they also got corrupted. If I have problems with it, what will a normal person do?  I will tell you what they will do, they will just start over. The mess these toolbars left really was that bad.  Yes, I could edit the prefs.js and other files and stop the resident JavaScript but it left so much garbage that just starting over was the ONLY thing to do given the fact I ALWAYS have that backup.  Yes, if I had the time I could make a program that would have removed them - I don't have the time and Sunbelt and the others aren't going to write their program for Linux / OpenBSD so I am on my own, as are most other 'nix users.

I guess the reason I am saying this is so people know the difference between MDL and my sites Securemecca.com / HostsFile.org, hosts-file.net (hpHosts), and MVPHosts and the other block lists.  That is why my hosts file is a true superset of MDL.  The emphasis there is on SUPERSET.  My file is probably 10x the size of yours. Even worse it keeps growing despite my best efforts to prune more than I add. Both me and MVPHosts block topscreensavers.com.  So does Airelle of France, and Cameleon (also in France):

http://rlwpx.free.fr/WPFF/hosts.htm
http://sysctl.org/cameleon/hosts

hosts-file.net and you don't.  Neither does someonewhocares.org.  All I can say is that I won't install that screensaver program on my machines.

SANS told me they did a write-up on us based on the information I gave them.  I guess they did because a PAC filter user wrote to me and mentioned that is where he found out about the PAC filter. So go read the write up they gave on you at SANS and correct them if anything is wrong.  I haven't saw it so I don't know what they said.  Hopefully it was something good.  Northcutt was the one that requested the info and was using SomeoneWhoCares stuff. Since he was looking for something that stops the ever increasing number of web-sites that are compromised and redirect you to malware injector hosts I told him that SomeoneWhoCares was kind of thin on the malware side. It is fairly good for blocking trackers. So I pointed them to you instead for a malware blocking source and also pointed out HostsMan for those wanting to merge files..  I am off to bed and watching Meet Me In Saint Louis.  Hard workers deserve their rewards, and sleep.

Au revoir

June 05, 2009, 10:50:03 am
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I've re-added topscreensavers.com to hpHosts. It was previously listed, but was obviously removed (most likely because it failed the validation proc)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net