Domain: emergingthreats.net
Stories and comments across the archive that link to emergingthreats.net.
Comments · 8
-
Give your ISP/BSP a call & see... apk
Because I strongly wager that IF, for instance, I was running DNS servers @ an ISP/BSP, I'd be using things like this -> http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
(That's a DNSBL vs. malware/threats online in general I convert to HOSTS file format, & is an example of what ISP/BSP's use for blacklisting bogus sites/servers/hosts-domains)
It's also possible they're setup "recursively" & call out to "higher" level DNS servers than theirs & THEY have the hosts-domain for this malware blocked out already!
Don't discount THAT possibility, because this thing's "running amok" out there (per this article).
* Now, on ISP/BSP "level 1 support" being aware of what's PROBABLY done @ the "NOC" level? Low... but, perhaps they can connect you to someone who DOES control that much so you can inquire on if it was filter blocked or not!
APK
P.S.=> Good luck, but I do wager that's what happened on YOUR end... & you MAY wish to try those filtering DNSBL based DNS servers I noted in my init./1st post:
Norton DNS:
198.153.192.1
198.153.194.1
198.153.192.60
198.153.194.60
198.153.192.50
198.153.194.50
198.153.192.40
198.153.194.40OpenDNS:
208.67.222.222
208.67.220.220ScrubIT DNS:
67.138.54.100
207.225.209.66From my initial/original post here where I noted them & in FAR greater detail than I did here, so others could look into using them also -> http://it.slashdot.org/comments.pl?sid=2603836&cid=38586216
... apk
-
Glad it's working 4U (you'll like this I think)
Based on your success using a HOSTS file for added speed - you can also get more "layered-security"/"defense-in-depth" added as well, & here are some of the sites I use online to populate my HOSTS file vs. various online threats (all current, updated regularly, & reputable):
http://hosts-file.net/?s=Download
http://winhelp2002.mvps.org/hosts.htm
http://someonewhocares.org/hosts/
http://www.malwaredomainlist.com/hostslist/hosts.txt
https://spyeyetracker.abuse.ch/monitor.php
https://zeustracker.abuse.ch/monitor.php?filter=all
http://amada.abuse.ch/palevotracker.php
http://www.malware.com.br/cgi/submit?action=list_hosts_win_0000
http://www.safer-networking.org/en/download/
http://www.malwareurl.com/
http://mirror1.malwaredomains.com/files/
http://hostsfile.org/hosts.html
http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples* There you go - that'll "get you started" on the road to not only FASTER websurfing, but also SAFER websurfing as well...
APK
P.S.=> Now, as far as "integrating" them into your HOSTS file?
Those sites offer various tools for that (I have built my own over time & you can even use tools like MS-Access for the hard part, deduplication for unique entry data via SELECT DISTINCT queries if need be, but I think the best tool offered on 1 of those sites is a PERL deduplication script (you have to have PERL installed though) as far as the tools offered by others from those sources.
Thus, You may wish to look into the FREE tools offered on those sites, if not compare them as well, & just for the purposes of import, deduplication/normalization, + more as well!
So - enjoy & continued good luck to you (as well as "salutations" for trying a custom HOSTS file & experiencing what you have, thusfar)...
... apk
-
I hear you (worked for Fortune 100/500's & oth
That IF they were "breached"? You'd DEFINITELY hear it from the rooftops (healthcare & insurance data)... & from what I saw in 1 place?? THERE WERE VERY vulnerable!
(E.G./I.E.-> I was hired to secure their code doing SFTP data transfers & using
.NET (ASP.NET/VB.NET code mostly))...So, sure, I did MY end of it: However, WHEN I complained that "sure, I am locking the doors, but you folks are leaving the windows wide open", more-or-less (leaving endpoints unsecured mainly, the DBA & coders did THEIR work properly)?
Heh... when I pointed it out to the network engineers (mainly the then CIO)? Man - I got FIRED for it!
I couldn't believe it man... I wasn't WILLING to "sign off"/put my rubber stamp on things UNTIL those things were done alongside securing code &/or processes... what use is THAT, when the barn doors may be locked, but the WINDOWS ARE WIDE OPEN, I ask you?
I think you get my point!
(E.G.-> The then CIO (a paper MCSE type, very little experience) had setup, for example, TREND micro antivirus from a central server ALL WRONG, was not working & 6++ months OUT OF DATE no less, & systems there were crawling with keyloggers for example!).
I pointed out tools that help secure endpoint workstations nodes (CIS Tool, multiplatform no less & highly esteemed + useful &/or MBSA by MS) to help with that, & in automating it! Logon scripts &
.reg file merges + centralized group & security policy tools in Windows can automate the rest... any GOOD network engineer/tech KNOWS this too!Still - It got me fired, & for trying to show them WHERE & HOW + WHY they were wrong in terms of security... & because I would NOT "sign off/put my rubber stamp of approval" on a job that I did MY end of, but not the other end of it (networking stuff in security).
APK
P.S.=> NOW - As far as other things he OUGHT to have been doing & going along the lines of what YOU noted, about "being in control of security"? DNSBL's good stuff as well!
Ones such as this one (pretty reliable, there are others like it I utilizing & convert to HOSTS data here also) -> http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
I pointed stuff out like THAT too, but... Think they took my advice? No...
However - In the end though??
The CIO & THE CTO got fired (from what I understand, for using AVG freeware in a corporate environs no less... very, Very, VERY unprofessional, & also iirc, against the law too!))...
Yes folks - That's what you get with "fake-it-till-you-make-it/paper MCSE's" @ the wheel out there in mgt. in the art & science of computing though... I am sure you've seen it too!
... apk
-
Custom HOSTS files can achieve the same
Here's an EASIER trick, with a FREE "Tool" you already own, that's only a single text file filter for your IP stack: A custom HOSTS file, that yields the same results!
(I think it'd be interesting to see this service, COMBINED w/ what I am about to speak of in custom HOSTS files usage, and benefits to the end-user).
"According to the article, the speed boost comes from two things" - by Anonymous Coward on Wednesday June 08, @12:42AM (#36371418)
The gains HOSTS files offer in both speed, & security, are twofold:
---
FOR ADDED SPEED:
1.) Blocks out adbanners & the lag they introduce into webpage loads/downloads for consumption
2.) Hardcoding in your favorite website (to avoid DNS roundtrip lookup & result return time)
---
FOR ADDED SECURITY:
1.) Blocks out KNOWN malicious sites/servers/hosts-domain names
2.) Protection vs. DNS issues (such as the "Kaminsky flaw", or downed/compromised DNS servers that have been "redirect poisoned")
---
They work, they're free, and you can obtain one easily!
(OR, just combine ALL of the ones listed in my 'p.s.' below, & a db import of the file using a SELECT DISTINCT query can do it for example, as a way, or mvps.org offers a tool called HOSTSMAN that does it also (there are others like it as well, I designed one, & so have others)).
You already can do this yourself since any OS that uses a BSD derived IP stack already has one (even ANDROID phones), easily, & populate the custom HOSTS file yourself from the sources noted above!
(I consolidate them all into a single de-duplicated/normalized version, that which currently blocks out 1,429,303++ KNOWN bad sites/servers/hosts-domains, AND, speeds me up VERY noticeably (via blocking out adbanners, a possible threat for years now in malicious code in them & a bandwidth + speed hog OR, by 'hardcoding in' my favorite sites (to bypass DNS lookup & return roundtrip time) also))
APK
P.S.=> Here are some reputable, & reliable sources for said HOSTS file security data (as well as prebuilt HOSTS files for instant download & usage on your parts):
http://safeweb.norton.com/buzz
http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malwaredomains.com/
http://hosts-file.net/?s=Download
http://www.malware.com.br/lists.shtml
http://www.malware.com.br/lists.shtml
https://spyeyetracker.abuse.ch/monitor.php
https://zeustracker.abuse.ch/monitor.php?filter=online
http://someonewhocares.org/hosts/
http://www.mvps.org/winhelp2002/hosts.htm
... apk
-
Do the same w/ a custom HOSTS file
Here's an EASIER trick, with a FREE "Tool" you already own, that's only a single text file filter for your IP stack: A custom HOSTS file!
"They offer a security product for websites, and in the process of designing it so that it didn't add much latency, they inadvertently made it into a CDN that speeds things up. There. Now we all know what the trick is." - by Anubis IV (1279820) on Wednesday June 08, @12:56AM (#36371492)
The gains it offers in both speed, & security, are twofold:
---
FOR ADDED SPEED:
1.) Blocks out adbanners & the lag they introduce into webpage loads/downloads for consumption
2.) Hardcoding in your favorite website (to avoid DNS roundtrip lookup & result return time)
---
FOR ADDED SECURITY:
1.) Blocks out KNOWN malicious sites/servers/hosts-domain names
2.) Protection vs. DNS issues (such as the "Kaminsky flaw", or downed/compromised DNS servers that have been "redirect poisoned")
---
They work, they're free, and you can obtain one (or combine ALL of these, a db import of the file using a SELECT DISTINCT query can do it for example, as a way, or mvps.org offers a tool called HOSTSMAN that does it also (there are others like it as well, I designed one, & so have others)).
You already can do this yourself since any OS that uses a BSD derived IP stack already has one (even ANDROID phones), easily, & populate the custom HOSTS file yourself from the sources noted above!
(I consolidate them all into a single de-duplicated/normalized version, that which currently blocks out 1,429,303++ KNOWN bad sites/servers/hosts-domains, AND, speeds me up VERY noticeably (via blocking out adbanners, a possible threat for years now in malicious code in them & a bandwidth + speed hog OR, by 'hardcoding in' my favorite sites (to bypass DNS lookup & return roundtrip time) also))
APK
P.S.=> Here are some reputable, & reliable sources for said HOSTS file security data (as well as prebuilt HOSTS files for instant download & usage on your parts):
http://safeweb.norton.com/buzz
http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malwaredomains.com/
http://hosts-file.net/?s=Download
http://www.malware.com.br/lists.shtml
http://www.malware.com.br/lists.shtml
https://spyeyetracker.abuse.ch/monitor.php
https://zeustracker.abuse.ch/monitor.php?filter=online
http://someonewhocares.org/hosts/
http://www.mvps.org/winhelp2002/hosts.htm
... apk
-
Re:in the wild
Here are some sites that I have used for malicious sites: http://www.malwaredomainlist.com/ http://www.malwareurl.com/ http://iblocklist.com/lists.php https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist http://mtc.sri.com/live_data/malware_dns/ Also if you use Snort you are able to use the rules created over at Emerging Threats as well as others: http://emergingthreats.net/rules/emerging-drop.rules
-
sidreporter?
sidreporter could be used to gather such security logs more or less respecting privacy.
-
Re:Well the only fool proof way...
I personally use a Switched Port Analyzer (SPAN) port, port mirroring or monitor port. Different manufacturers call it different things but they all have the same purpose. It's been a LONG time since I've used a hub. Managed switches are far better because they don't degrade performance on the network and you can sniff all you want. In a home environment, it won't matter much, but you don't want to dumb down a multi-gigabit network in a corporate environment with a hub!
Snort can do a pretty darn good job at detecting this type of traffic unless it's encrypted. Emerging Threats keeps rulesets just for this purpose!