Author Topic: s3.amazonaws.com cloud in MDL list? reasons?  (Read 12012 times)

0 Members and 1 Guest are viewing this topic.

March 01, 2012, 04:03:14 pm
Read 12012 times

dsl

  • Jr. Member

  • Offline
  • **

  • 10
I know there is a certian amount of malware originating from s3.amazonaws.com, but as we know there is far more legitimate use for that cloud service than there is malware (I think?). Since we suck in the daily list into our dns servers, I have now received a request to unblock it as one of our depts need to access files to it for business purposes. I can easily unblock it for them and probably will have to as it has become a "business requirement" (whatever that means?) , but it begs the question as to why it was added in the list in the first place? I hope the decision to add it to the list was studious and dilligent in it's reasoning to do so? I'd be interested in knowing the thought processes to add it to the list because blocking it, also means blocking one heck of a lot of legitimate access. I knew once I saw it on the list that it wouldn't last long. It was only a matter of time that a "business requirement" would require me to unblock it, but I was willing to let it be blocked and see what happened. It only took a few days for it to become an issue for us.

Is the infection rate of that cloud so prolific that it warrants being on the list, or is it on the list becauser a "few" pieces of malware originated from there? I'd surely like to hear the reasons as googling isn't telling me much about the security or insecurity of that cloud.

Any replies much appreciated.
Dan. ???

March 02, 2012, 03:28:16 pm
Reply #1

dsl

  • Jr. Member

  • Offline
  • **

  • 10
hmmm, yesterday the list still had s3.amazonaws.com in it, but today it is gone? I'm not complaining , just noticed that's all. Now I don't need to adjust my script to exclude it, which is what I was in the middle of doing when I double checked the list. Less work for me. Thanks.

March 02, 2012, 03:57:41 pm
Reply #2

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Another user sent us a message by contact form and asked for removal of s3.amazonaws.com.
MysteryFCM verified all listed Amazon urls and marked them as inactive when he saw that all urls are clean now.

It's always a difficult decision for us how we should manage malicious urls of major web sites.
We have the same problem with other big players like Google, Dropbox or file sharing sites.
There are pros and cons for listing these sites.

Maybe we can setup a whitelist for domains that should not appear in our blocking list.
I would appreciate if MDL users would send us suggestions for a list of domains.
Ruining the bad guy's day

March 02, 2012, 06:44:28 pm
Reply #3

dsl

  • Jr. Member

  • Offline
  • **

  • 10
Sounds like a plan. I'll try and contribute domains for a whitelist when I come across them.
Thanks for the explanation SysAdmini.

Dan.

May 04, 2012, 08:08:15 pm
Reply #4

john_

  • Jr. Member

  • Offline
  • **

  • 31
  • Personal Text
    In God we trust, all others we virus scan
    • Virus removal tools
I have images of my site hosted at s3.amazonaws for speeding up the loading time, now my site will be classified as hosting malicious links ??? ;D

I know dozens of malware hosted on file sharing sites but I don't see for example rapidshare.com on the list :P. The system is far from being accurate.

May 04, 2012, 08:17:51 pm
Reply #5

dlipman

  • Special Access
  • Full Member

  • Offline
  • *

  • 60
    • Multi-AV Scanning Tool
Example:

http://www.malwaredomainlist.com/forums/index.php?topic=4854.0

That was not the first case I had seen but the one I posted about.


June 01, 2012, 03:10:16 pm
Reply #6

JPElectron

  • Newbie

  • Offline
  • *

  • 0
    • DNS Redirector
I just go through and remove any lines matching...

^(.*\.)?amazonaws\.com$
^(.*\.)?cloudfront\.net$
^(.*\.)?dropbox\.com$
^(.*\.)?netdna-cdn\.com$

...after downloading the latest list.

On a related note, would it be possible to provide a plain-text list of just domain names, no other formatting?
The hosts file is easy enough to covert to csv and remove the first column of 127.0.0.1, but it's still a wasted resource to consolidate every bad subdomain into one blocked domain, for example...

subdom1.example.com
subdom2.example.com
www.example.com
example.com

...can really all be consolidated to: example.com - when you are using a DNS sinkhole approach.

Also, and I apologize if this is not the correct place to ask, but I can't reply to http://www.malwaredomainlist.com/forums/index.php?topic=3270.0
 - Have you considered offering a .md5 of each file you offer, that way automated scripts can easily check the .md5 and only if it's changed/different then download the actual list?