Author Topic: Look up to the snake on the pole and live  (Read 3893 times)


July 27, 2009, 09:59:02 pm

hhhobbit

Look up to the snake on the pole and live
Put on the PAC filter and keep your Windows machine alive

I recently added and am tracking where a ScareWare scheme is going (and I am adding the hosts to the hosts files).  That is what is causing the volatility over at SecureMecca.com / HostsFile.org.

But this whole thing reminds me of the story in the Bible of the people getting bit by snakes (asps) and dying.  So what did Moses do?  He put a snake up on a pole.  All the people had to do if they were bitten was to look at the snake on the pole and they would live.  Most of the people that were bitten didn't look at the snake on the pole and died.

I have put out the PAC filter and spend 60+ hours a week honing it.  In this scheme there are four hosts linked together. I used to block the first hosts but the mechanism they used has now been changed and I don't know if they have abandoned them for something else.  They used to put links into hacked Facebook / YouTube accounts and opened up the accounts so the links that directed you to malware showed up in Google's cache. I am blocking the second one in the hosts file but eventually they will change that host name.  But it has been there for over two weeks now.  That host redirects to the third host, which is time synchronized with the fourth host, thus preventing you from pulling down the malware directly (a one-time hash string depending on the time/date).  They also time you to prevent you from going to it too frequently and will actually block you. Yeah - fairly sophisticated web stuff. You will be blocked on a second attempt if you don't delay it long enough, so studying it has taken some time. They change the third host name every 1-2 days.  My PAC filter has stopped every one of the third hosts (hint - think ideographic rather than alphabetic, and that includes Cyrillic).  The fourth hosts have a fairly low life-span, usually less than 6 hours from when they come into DNS until they disappear. They never last longer than 12 hours.  I am beginning to suspect the time span is only 3-4 hours. It doesn't matter because my PAC filter would also stop all of the fourth hosts as well - all of them!

But like the snake on the pole, the PAC filter is ignored and not used.  Now I can understand the people in this forum not wanting it.  Who wants something that prevents you from getting malware if that is what you are studying?  I sometimes have to drop 2-3 rules and comment out half a dozen hosts just to get at it.  IOW, I eat my own dog-meat. But the PAC filter is just like the snake on the pole - unused and millions of computers are getting infected.  Oh yes, the first time scan of these ScareWare rogues will almost always look like these scans at VirusTotal:

http://preview.tinyurl.com/mcpqaq
http://preview.tinyurl.com/mecp6m

IOW, do not count on your AntiVirus to save you.  After I submit them to ClamAV they improve some but only after 4-5 days which is when this scan was made:

http://preview.tinyurl.com/lbczgb

But by then they have come up with dozens more binaries that are back at the scan level of the first two scans at VirusTotal that I have given here.  Eventually, when the second host goes away, I won't be able to track them any more.  That is when the volatility at SecureMecca.com and HostsFile.org will cease - I am putting these transitory hosts that only live 4-12 hours into the hosts file because that is all people want to use.
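The post's point is that a PAC (proxy auto-config) filter can stop hosts it has never seen, because the throwaway third- and fourth-stage hosts share a trait (internationalised, non-alphabetic names) that a rule can match, whereas a hosts file can only list names after they have been observed. The block below is an added example showing what such a PAC rule looks like; it is not hhhobbit's SecureMecca PAC filter, and the blocked domains, the blackhole proxy address and the sample hostnames are constructed for illustration.

```javascript
// Added example: a minimal PAC (proxy auto-config) filter in the spirit of the
// post. This is not hhhobbit's SecureMecca PAC file; the blocked domains and the
// blackhole proxy address are constructed for illustration.
//
// Two rules, both drawn from the post's own observations:
//   1. Any hostname carrying non-ASCII (Cyrillic, ideographic) characters, or a
//      punycode "xn--" label the browser has already encoded, is sent to a dead
//      proxy. This catches each fresh third/fourth-stage host without listing it.
//   2. A hosts-file-style list of known bad domains (and their subdomains) gets
//      the same treatment.
// Everything else goes DIRECT. PAC engines speak old JavaScript, so the code
// avoids ES6 features such as String.prototype.endsWith.

var BLACKHOLE = "PROXY 127.0.0.1:9";  // nothing listens on the discard port, so the request fails
var DIRECT = "DIRECT";

// Constructed block list (hypothetical names, not from the post).
var BLOCKED_DOMAINS = ["bad.example.net", "rogue-scan.example.org"];

// True for hostnames that use internationalised labels, whether the engine
// hands us the raw Unicode form or the punycode form.
function isIdnHost(host) {
  if (/[^\x00-\x7f]/.test(host)) { return true; }   // raw non-ASCII characters
  if (/(^|\.)xn--/i.test(host)) { return true; }    // punycode-encoded label
  return false;
}

// True when host equals domain or is a subdomain of it
// (so "notbad.example.net" does not match "bad.example.net").
function domainMatches(host, domain) {
  if (host === domain) { return true; }
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.slice(host.length - suffix.length) === suffix;
}

// Normalise what the browser passes in: lower-case, drop a trailing dot.
function normaliseHost(host) {
  host = String(host).toLowerCase();
  if (host.charAt(host.length - 1) === ".") { host = host.slice(0, -1); }
  return host;
}

// The PAC entry point. Browsers call this once per request.
function FindProxyForURL(url, host) {
  host = normaliseHost(host);
  if (isIdnHost(host)) { return BLACKHOLE; }
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    if (domainMatches(host, BLOCKED_DOMAINS[i])) { return BLACKHOLE; }
  }
  return DIRECT;
}
```

Save it as a `.pac` file and point the browser's "automatic proxy configuration URL" at it. Two caveats worth checking before relying on it: browsers differ in whether they hand `FindProxyForURL` the raw Unicode hostname or its punycode form, which is why the example tests for both; and they also differ in whether a request falls back to DIRECT when the only proxy returned is unreachable, so confirm that a blocked host really does fail in the browser you deploy to rather than assuming the dead proxy is enough. As written the filter fails open for any ASCII host that is not on the list, which is the same limitation the hosts-file approach has.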