Author Topic: Chopped off URLs  (Read 11499 times)


November 15, 2009, 12:40:11 am

hhhobbit

I much preferred your older way of doing things in the lists.  I could see the complete URL.  Now I don't have that.  It usually gets chopped off on the right.  For example, I could not verify whether or not to remove myart-gallery.com. Since what you had didn't work (I gave it an ID of 1) I don't know whether it is still active or not. Could we get the reverse PTR record removed to make way for the entire URL?  Either that, or is there some flat ASCII list where I can see the entire list of URLs?  Actually I would prefer that since I could use them to make new PAC filter rules.  Right now I am considering rules for:

install.exe
install-###.exe
install####.exe
installer.#.exe

I am still thinking about the REGEXPs that would be needed.  Some would be pretty convoluted and I worry about false positives.  In that case I can always make the rules opt-in.  This still falls into the philosophy of detailing the bad, which I don't think works very well.  By coming up with a rule I don't even need to know where the threat is - I can just kill the host without even knowing what its name or the URL it uses is (hackers are highly predictable).  I am constantly having to remove not only one but sometimes several PAC filter rules stopping the malware to get at it now!  If anybody has ideas for other anti-malware rules, drop me a line at hhhobbit GNAT SecureMecca.com or post them here (preferably both).  Don't give me host names.  Look for patterns that are used over and over no matter what the host name is.

Thanks

November 15, 2009, 12:03:42 pm
Reply #1

SysAdMini

Please explain. I don't understand what you are talking about.

Quote
I much preferred your older way of doing things in the lists.
Nothing has changed.

Quote
I could see the complete URL
Where exactly can't you see complete URLs?  Nothing has changed.

Please give detailed examples.
Ruining the bad guy's day

November 17, 2009, 04:52:14 am
Reply #2

hhhobbit

I apologize.  I just tried several and it expands, so I know I probably got all of it.  But where I have a problem is when I see a "php?id=" and it cuts off the id number or something else like that.  This is critical for some hosts since sometimes without the proper ID number you don't get the malware but instead get redirected to some place like Yahoo.  I didn't notice the expanding before, but I do know that frequently the URLs given by you and MalwareURL.com don't work.  Some of that may be just that they are gone, but with these ID numbers you frequently need them.

I think you misunderstood my other query.  Let me give an example so you can see what I mean.  The blog by Gary Warner for the month has a lot of hosts in it, all of them being up to no good, but now they seem to be gone (the ones listed):

http://garwarner.blogspot.com/

Taking the first list, I first notice that all of the hosts are dead.  But that doesn't matter - it is grist for my pattern matching mill.  Out of it comes these two rules for Nacha:

GoodDomains[i++] = "nacha.org";
BadHostWordStarts[i++] = "nacha\.org";

Now those rules allow you to go to Nacha, but not any of those dead hosts like nacha.org.fstpproid02.com.  What if there are more hosts like this one we don't know about yet?  I have always been stopping the ones for FaceBook (and somehow lost the one for youtube which means it needs to be put back in):

GoodDomains[i++] = ".facebook.com";
BadHostParts[i++] = "facebook";

Those rules allow me to go to www.facebook.com but will stop visits to these hosts:

facebook-image.net
www.facebook.com.asqwaze.eu
www.facebook.com.qweasi.eu
www.facebook.com.qweasx.eu

What that does is stop the pretenders without me even knowing who they are.  What would be nice to have is MDL's entire list of bad URLs to look for other similar patterns.  That way, just like here, I can stop the nonsense without even knowing the name of the host.  IOW, I am pretty sure Dr Warner has all these hosts shut down (they don't appear in DNS any more), but what about the ones we don't know about any more?  I will put that missing "youtube" rule back in.  For example, it would have stopped these hosts you have without me even knowing they exist:

youtube-b.com
youtubegiris.com

Well, it will after I put that "youtube" rule back in that I seem to have lost.  Now do you know what I am getting at?  But if I have the entire URL lists (not just the host names) I am very good at inducing patterns that stop something bad without me even knowing what it is in advance.  Another example:

GoodDomains[i++] = ".adobe.com";
GoodDomains[i++] = "foxitsoftware.com";

BadURL_WordStarts[i++] = "flash-plugin";
BadURL_WordStarts[i++] = "flash-hq-plugin";

I don't care what the name of the host is.  If it isn't Adobe or Foxit, I don't want their flash plugin.  Now do you understand?  What I am looking for is not just single snippet URLs, but a big list that would give me patterns that would stop unknown threats.  A lot of this depends on human thinking.  What is wrong with myFriendlyScanner.com as opposed to NastyTrojanInjector.com?  People would of course avoid the second host but some would be suckers for the first host.  Just take a look at the Malware URLs in my PAC filter and you will see it is rather thin at the URL level:

http://www.SecureMecca.com/Downloads/proxy_en.txt

The comments are on the right.
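The rule style hhhobbit describes across this thread (whitelist the genuine domain, then block look-alikes by host substring, host prefix or URL word, plus the opt-in install*.exe idea from the first post) can be shown end to end in the JavaScript that a PAC (Proxy Auto-Config) file actually is. The block below is an added example written for this page; it is not proxy_en.txt and not code from MalwareDomainList or SecureMecca. The array names are borrowed from the posts, but the matching semantics, the sinkhole proxy address, the install*.exe regex and the sample hosts in the comments are all this example's own assumptions.

```javascript
// Added example: a minimal PAC-style filter in the spirit of the thread.
// Assumptions (not from the forum's rule files): matching semantics below,
// the sinkhole proxy address, and the install*.exe regex ("#" = one digit).
var DIRECT = "DIRECT";
var BLACKHOLE = "PROXY 127.0.0.1:3421"; // assumed dead-end proxy; nothing listens there

// Genuine owners of a brand. A leading "." is kept from the posts' style; here
// both forms mean "this domain or any subdomain of it".
var GoodDomains = [".facebook.com", ".youtube.com", "nacha.org", ".adobe.com", "foxitsoftware.com"];
// A host NOT covered by GoodDomains that contains one of these is an impostor.
var BadHostParts = ["facebook", "youtube"];
// Regex fragments an impostor host BEGINS with, e.g. nacha.org.fstpproid02.com.
var BadHostWordStarts = ["nacha\\.org"];
// Words that start a path segment of a bad URL, on any non-whitelisted host.
var BadURL_WordStarts = ["flash-plugin", "flash-hq-plugin"];
// Opt-in, as the first post suggests, because of the false-positive risk:
// install.exe, install-###.exe, install####.exe, installer.#.exe
var InstallRulesOptIn = false;
var InstallExeRe = /(?:^|\/)install(?:-\d{3}|\d{4}|er\.\d)?\.exe$/i;

function hasSuffix(s, suffix) {
  return s.length >= suffix.length && s.substring(s.length - suffix.length) === suffix;
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// True when host is one of the GoodDomains or a subdomain of one.
function isGoodHost(host) {
  for (var i = 0; i < GoodDomains.length; i++) {
    var d = GoodDomains[i].replace(/^\./, "");
    if (host === d || hasSuffix(host, "." + d)) return true;
  }
  return false;
}

// Returns the rule that fires for a non-whitelisted host, or null.
function hostLooksLikeImpostor(host) {
  var i;
  for (i = 0; i < BadHostParts.length; i++) {
    if (host.indexOf(BadHostParts[i]) !== -1) return "BadHostParts:" + BadHostParts[i];
  }
  for (i = 0; i < BadHostWordStarts.length; i++) {
    if (new RegExp("^" + BadHostWordStarts[i], "i").test(host)) {
      return "BadHostWordStarts:" + BadHostWordStarts[i];
    }
  }
  return null;
}

// Returns the rule that fires for the path (and query), or null.
function pathTripsRule(path) {
  for (var i = 0; i < BadURL_WordStarts.length; i++) {
    // "word start": beginning of the path or right after a non-alphanumeric character
    var re = new RegExp("(?:^|[^a-z0-9])" + escapeRegex(BadURL_WordStarts[i]), "i");
    if (re.test(path)) return "BadURL_WordStarts:" + BadURL_WordStarts[i];
  }
  if (InstallRulesOptIn && InstallExeRe.test(path)) return "InstallExe";
  return null;
}

// Decision plus the reason, so a log line can say which rule killed a request.
// `host` is the value a browser hands to FindProxyForURL.
function classify(url, host) {
  host = host.toLowerCase();
  if (isGoodHost(host)) return { proxy: DIRECT, reason: "GoodDomains" };
  var reason = hostLooksLikeImpostor(host);
  if (reason) return { proxy: BLACKHOLE, reason: reason };
  var path = url.replace(/^[a-z][a-z0-9+.-]*:\/\/[^\/]*/i, ""); // strip scheme://host[:port]
  reason = pathTripsRule(path);
  if (reason) return { proxy: BLACKHOLE, reason: reason };
  return { proxy: DIRECT, reason: "no rule matched" };
}

// The entry point a browser calls for every request.
function FindProxyForURL(url, host) {
  return classify(url, host).proxy;
}
```

With these rules www.facebook.com and get.adobe.com go DIRECT, while www.facebook.com.asqwaze.eu, facebook-image.net, youtube-b.com and nacha.org.fstpproid02.com are sent to the sinkhole without any of those names appearing in the list, which is the point of the thread. Note that a GoodDomains entry exempts the whole domain from the URL rules too, exactly as the "if it isn't Adobe or Foxit" remark implies; the install*.exe regex stays off until InstallRulesOptIn is set, and it deliberately ignores names such as installation-notes.exe or reinstall.exe.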