Tuesday, June 27, 2006

My blocklist

In September 2005, I posted this message on the Wilders Security Forums:
Ok, since some of you use block lists, this is a block list I compiled in some time (I use this on web sites at work, where content managers can insert links: these are banned, so these are all forbidden to link anywhere on sites); please note that the list does not really include subdomains: an entry for "[site name].biz" automatically means that any subdomain entry should be automatically banned, so for instance "[example].[site name].biz" is not included in the list but should actually be blocked (this is implemented code-wise on sites, feel free to implement this your own way).

The list includes entries from various existing block lists, plus:

- link spam and blog spam sites (sites that were found in guestbooks and forums around the web and which were CLEARLY only used to increase search engine rankings)

- malware-hosting sites (excluding sites that host malware while CLEARLY specifying it is malware)

- sites using exploits

- sites related to known spammers

- some "tracking-cookie" sites (not many)

There are no IPs in the list (I personally forbid linking to IPs without a hostname).

There are more than a few that I personally didn't find on other block lists. I personally checked all of those and they are ALL questionable sites for the reasons specified above.

The list is a simple .txt file with a domain on each line.

Maybe some of you will find it useful. If not, then well, too bad.

Now since this list has become quite a big one and one that took me a long time to create and maintain, I am going to put a permanent link to it (it's on rapidshare). You can find the link on the links section of the blog (under "Malware block list") along with the sha-1 hash of the .txt file. By the way, the latest one can be found here http://rapidshare.de/files/24217548/banned.zip.html (NB: old link. See below).

SHA1(banned.txt)= 14e12e151311cf96916e76e085a7f4b256d609bf

Everyone is welcome to test this (such as adding these domains to his own IE "restricted" zone) and give his own impression, and especially everyone is welcome to contribute to this list (frankly, I found both IE-SpyAd and Spywareblaster's restricted domains lists to be somewhat limited, that's why I started this thing).

By the way, recently I started adding IPs as well. So you will find some, but really only a few.

Edit August 13, 2006: updated blocklist at http://rapidshare.de/files/29269253/banned.zip.html

Friday, June 16, 2006

Is the AV industry failing?

Well, it's been a while since my last posting on this blog. In the meantime, it seems that the sleazebags described here have been quite busy. First of all, they have been putting their trash all over the place in Google by spamming blog comments, putting fake referers, etc. Second, their latest infection method involves a little bit of social engineering technique as well. And third, they have been making sure that antivirus applications miss their newest trojans, or at least some of them (and by the way, most antivirus engines are slipping lately, I've seen even the best of them -- KAV and NOD32, of course -- missing dozens of threats... I'll send you the samples, but get your act together, please).

Anyway, here's what I found on a new page of theirs while searching for malware in Google (by the way, the sentence "clicca su si", Italian for "click on yes", yields dozens of malware sites... these people are so damn predictable...).

The page (horus.dnshighspeed.com/~liberaco/2/temisvoltiolocausto.html... do NOT open if you don't know what you're doing) shows graphics like this:



Soon to be followed by a WMF exploit (pic.tiff) and a funny-named executable (www.google.com... clever, huh?). The www.google.com executable has, of course, nothing to do with the domain, but it's a COM command.



When launched, the www.google.com executable tries to contact first 195.225.177.22 on port 80, then 195.225.177.145 on port 80, and will stay active unless you terminate it. Both those IPs correspond to servers in Ukraine. See a pattern here? Oh, yes... you guessed right.

And so, what do antivirus applications have to say about that "nice" piece of executable code? This:



You're not doing very well, guys. Being overly curious, I tried to see what these scammers are up to this time, again. So I let my system see what kind of good stuff they have for people who try to execute this "www.google.com".

Well, the file downloaded from 195.225.177.22 is a randomly named executable called "3e2a8d.exe". Will this one be detected? Nope.



This is awful, just awful. Well, let's see what this "3e2a8d.exe" does. It extracts and launches a "ptwx1.exe":



A little better. Of course, by this point your system will likely already be infected and rootkited (some system errors that happened in the sandbox I used really seem to indicate such an attempt).

EDIT at 4.02: forwarded to a bunch of security sites and sent samples to a bunch of AV companies. KAV now detects the first two trojans (after I sent them the samples).

EDIT June 20, 3.09 PM: the main downloader is finally starting to get detected:



PS: also detected by BOClean (I contacted them).

EDIT June 23, 0.28 PM: another one has appeared, and this one is YET AGAIN undetected by all the antivirus engines:



The original page was (DO NOT OPEN!) http://www2521.webattrezzi.com/hurghada/; many more domains linking to this malware have actually been created, I found them in link-spammed pages. I'm going to post a list here soon.

EDIT June 23, 0.51 PM: here's a (certainly partial) list of the domains to block. Please note that these are DOMAINS that should include all subdomains under them, so you can't put them in your HOSTS file (and frankly, from what I've seen, there are probably so many subdomains that you most probably won't be able to):

accettazione.com
adluvio.net
allineare.com
ambrato.com
annuncitutti.com
attesa.net
attrezziutili.com
azionamento.com
bruciarsi.com
buoncodice.com
casadiarte.com
codicecarta.com
dannidicervello.com
datiimportanti.com
delsud.net
devevedere.com
eamicizia.com
festaattuale.com
gbeb.cc
gromozon.com
guerredellastella.com
horus.dnshighspeed.com
imparilo.com
importanti.net
lavostraricerca.com
maniinsu.com
nubibianche.com
nuovoordine.com
nuovosenso.com
potetefarli.com
sanguinante.com
sededolce.com
segualo.com
soddisfare.com
speziazona.com
stampabile.net
superaquota.com
unanuovavolta.com
unoprincipali.com
uomodelferro.com
webattrezzi.com

It's quite obvious that these are targeting Italy. It's also obvious that the authors of these exploits/trojans can NOT speak Italian (some words don't make any sense and they clearly come from an automated translator).
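Both the September 2005 forum post (a domain entry bans every subdomain under it, and links to bare IPs are forbidden) and the June 23 note above (a HOSTS file cannot express "this domain and everything under it") describe the same matching rule. The following is an added example, not the author's code nor the code running on the sites mentioned in the forum post, of how such a list can be checked before a link is accepted, together with the SHA-1 verification of the downloaded list. The sample list is constructed from a few entries on this page; the function names (`load_blocklist`, `matching_entry`, `is_link_banned`, `verify_list`) are chosen here.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the "one domain per line" format of banned.txt,
# using a few entries from this page. The real list is far longer.
SAMPLE_LIST = b"""# comments and blank lines are ignored
gromozon.com
gbeb.cc
webattrezzi.com
horus.dnshighspeed.com
195.225.177.22
"""


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of the list file, to compare with the published digest."""
    return hashlib.sha1(data).hexdigest()


def verify_list(data: bytes, expected_hex: str) -> bool:
    """Check a downloaded list against the digest published next to its link
    before trusting its contents (a mirror or a swapped upload would fail here)."""
    return hmac.compare_digest(sha1_hex(data), expected_hex.strip().lower())


def load_blocklist(data: bytes):
    """Parse the list: one entry per line, lower-cased, trailing dot stripped.
    Returns (set of domain entries, set of IP entries)."""
    domains, ips = set(), set()
    for raw in data.decode("utf-8", "replace").splitlines():
        entry = raw.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            domains.add(entry)
    return domains, ips


def matching_entry(host: str, domains, ips, allow_bare_ips: bool = False):
    """Return the list entry that bans `host`, or None.

    A domain entry bans the domain itself and every label under it, matched
    label by label (so "notgromozon.com" does not match "gromozon.com").
    This is exactly what a HOSTS file cannot express: it needs every
    subdomain spelled out. Bare IP hosts are rejected by default, following
    the post's policy that links to IPs without a hostname are forbidden.
    """
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if addr in ips:
            return str(addr)
        return None if allow_bare_ips else "<bare-ip>"
    labels = host.split(".")
    # walk from the full host towards the shortest suffix:
    # a.b.example.com -> b.example.com -> example.com -> com
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def is_link_banned(url: str, domains, ips) -> bool:
    """Decide whether a link a content manager wants to insert is banned.

    urlsplit().hostname strips scheme, userinfo and port, so a URL such as
    "http://gromozon.com@other.example/" is judged on "other.example", not
    on the text before the "@". Links with no hostname at all (schemeless
    text, javascript: URLs) are rejected rather than guessed at.
    """
    host = urlsplit(url.strip()).hostname
    if not host:
        return True
    return matching_entry(host, domains, ips) is not None
```

Matching on label boundaries instead of a plain string suffix test is the detail that matters: `"notgromozon.com".endswith("gromozon.com")` is true, but the host is not under the banned domain, while `gromozon.com.example.net` must likewise stay unblocked even though it contains the banned name.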

EDIT June 23, 22.02: added gbeb.cc and gromozon.com to the "domains to block" list above, as I'm not sure it was clear (the previous article underlined that THOSE are respectively the javascript loader and the trojan repository, but it was written in Italian).