Domain: norton.com
Stories and comments across the archive that link to norton.com.
Comments · 107
-
Animats what about this/these option(s)?
Options for "DNSBL filtered 'secured'" DNS servers:
A.) Norton DNS (198.153.192.50 and 198.153.194.50/198.153.192.40 and 198.153.194.40/198.153.192.60 and 198.153.194.60) -> http://nortondns.com/ & you can even see how it updates every few minutes vs. known malicious sites-servers, here -> http://safeweb.norton.com/buzz as well as get a GOOD read on how/why it works, etc.- et al, here https://dns.norton.com/dnsweb/faq.do
It filters vs. MANY threats online & IS UP TO DATE as is possible I'd imagine (see those links, you'll understand WHY I state that). It's part of WHY I use it as my PRIMARY DNS here...
---
B.) ScrubIT DNS (67.138.54.100 and 207.225.209.66) -> http://www.scrubit.com/ & here is a good read on how/why it works via its FAQ's as well -> http://www.scrubit.com/index.cfm?page=faq
---
& of course
C.) Open DNS (208.67.222.222 or 67.138.54.100) -> https://store.opendns.com/get/home-free
---
EACH IS FREE, & WORKS vs. threats online of MANY kinds, doubtless via a form of DNSBL they use for filtering those threats out!
(E.G.-> Phishing/Spamming, Malware hosting sites/servers, Maliciously scripted hosts-domains etc./et al & more...)
* Personally speaking - I use ALL 3 of them, "in combination". Yes, I am using that latter term loosely is why I quoted it!
(Mostly as "failovers" for one another, in case my primary can't resolve a host/domain name to an IP address, & w/ Norton DNS as primary, I can "fall back on" the others listed above...)
I do so, in a "layered triumvirate formation" in BOTH my IP stack DNS settings in Windows (OS/software-side), as well as in my LinkSys/CISCO router here (hardware-side))...
APK
P.S.=> DNS has issues though, period - it needs SOME KIND of "Revision" for IPv4 @ least...
See - I don't know if Moxie Marlinspike's DNS solution for SSL protection via a browser addon's the answer either, ala http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22DNS%22+and+%22Moxie+Marlinspike%22&btnG=Search&gbv=1&sei=zwPhTs2wOMrL0QGTs-StBw
OR
If OpenDNS' tool here is either!
However: They're better than nothing!
(It's that, or use the "secured DNS" (filtered rather via DNSBL) that I use, & the way that I use them in layered/phalanx style defensive formation noted above, if not ALL of them in "layered-security"/"defense-in-depth" style... in combination simultaneously, along with other means (like I use in a custom HOSTS file vs. online threats mostly))!
(Especially if DNS servers are set into "recursive mode", as I am SURE YOU OF ALL PEOPLE REALIZE, that DNS's VERY susceptible to DNS redirection poisoning (over port 53 via UDP/TCP, iirc)...
So - lastly:
Yes, I also know who you are Mr. Nagle, especially via your RFC I complimented you on this past week here no less on -> http://tech.slashdot.org/comments.pl?sid=2556266&cid=38265686 )!
Yes - I respect that in fact.
I.E.-> Not everyone, especially on /. here, does something to "help the human condition" via good works as you have.... apk
-
Ok, "making a 'guest appearance'" now... lol! apk
I don't *think* you guys understand HOW I'm utilizing a HOSTS file, because of what you said about it being "monolithic" - I don't use it as a "DNS substitute" for all addresses possible online (because I would even find THAT HILARIOUS to try to do from a HOSTS file)!
FOR SECURITY:
I just do NOT setup local ones @ home (no point to burn the extra CPU cycles, & thus, electric power, or RAM + other forms of I/O used in them).
I do so for security, and just because of things like:
1.) This issue (it has a patch by the way) & vs. this, & the other numerous troubles in BIND over time, which are numerous (another 'case-in-point'/e.g. is "the Kaminsky Flaw" & other redirect/dns-poisoning attacks that have happened over time the past few yrs. now).
2.) I currently BLOCK OUT 1,624,230++ KNOWN BAD SITES/SERVERS/HOSTS-DOMAINS in it that are KNOWN to serve up malicious exploits of various types in it, mostly... this is for security purposes, & specifically what's called "Layered-Security"/"Defense-in-Depth" security.
FOR EXTRA SPEED:
A.) I "hardcode in" about 250 of my FAVORITE sites into it (where I spend 99% of my time online), but, I don't attempt to "resolve the entire internet" via HOSTS either (which is what it sounds like you're thinking)... Doing this results in FASTER ONLINE WEBSURFING PERFORMANCE & is faster resolutions of hosts-domain names to IP Addresses, by far, than calling out to a remote DNS server, by orders of magnitude, & runs LESS RISK of being infested via redirected/DNS-poisoned ones too as noted above.
B.) For blocking out adbanners, which have housed malicious script code in them MANY times in the recent past & before that even (last 8 yrs. or so I have records of this in multiple occurrences for example), & for the fact that adbanners take away bandwidth & speed YOU THE USER PAY FOR OUT OF POCKET!
In fact, for websurfing? By feel alone, I can basically get as fast as any FIOS connection because of this, & getting ALL of the possible bandwidth I paid for...
By the by: I do utilize DNS servers (albeit, 'external' ones/non-local to my computer here):
Norton DNS:
https://dns.norton.com/dnsweb/homePage.do
Open DNS:
https://store.opendns.com/get/basic
ScrubIT DNS:
In a "triumvirate formation" (w/ in my Windows IP DNS settings + Hardware Router firewall)
Why?
Simply because they FILTER OUT known malicious sites threats too (phishing, spamming, & other malicious things like scripts for attack or that serve malware etc.).
* Anyhow/anyways: HOSTS work, & for extra speed & security online!
(It just works... especially mine since it's been built since 1997 for the above, & gets stronger every 15 minutes - plus it uses 0.0.0.0 for faster parsing, & I cut the local DNS cache in Windows (slows down on larger HOSTS files) & cache it like any file is cached, via the local kernelmode diskcache subsystem for reads/subsequent re-reads...!)
APK
P.S.=> I have it FULLY automated too, every 15 minutes it's being fed with data to block out adbanners + known malicious servers noted above from a pristine TEMP/SCRATCH copy from 17++ reputable & reliable sources for that in fact!
I don't lift a finger to do it - pure "automagic" operations & has been since oh, roughly/approximately 2002 or thereabouts!
(E.G./I.E.-> From 1997-2002 I built it using MS-Access for removal of duplicates, then Delphi app 2002-2010 which was FINE for the smaller lists of that data the way I built its deduplication/normalization algorithms).
Now, it's built in a system that my nephew & I co-wrote in Python (I stuck by it because it's set deduplication/normal
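The merge step the post above describes (several source lists pulled into one HOSTS file, set-based de-duplication and normalization, 0.0.0.0 as the sink address, a handful of favourite sites "hardcoded" to their real address), as an added Python example that is not the poster's own script. The two source texts, the hostnames (all under .test) and the pinned address 192.0.2.10 are constructed samples, and the pinned-favourites handling is an assumption about how such a merge should resolve conflicts.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample block lists in HOSTS-file format. Hostnames are made up
# (.test TLD) and are not real indicators of anything.
SOURCE_A = """\
# Source A (constructed sample)
127.0.0.1 localhost
127.0.0.1 Ads.Example-Tracker.test
0.0.0.0   malware.example.test   # known bad
0.0.0.0 c2.example.test
"""

SOURCE_B = """\
# Source B (constructed sample)
0.0.0.0 ads.example-tracker.test
0.0.0.0 phish.example.test
0.0.0.0 favorite.example.test
::1 localhost
not a valid line
0.0.0.0 bad_host!.test
"""

# Favourite sites pinned to their real address (constructed value). A pinned
# name must never be overridden by a block-list entry (assumed policy).
PINNED = {"favorite.example.test": "192.0.2.10"}

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost", "ip6-loopback"}
# RFC 1123-style hostname: labels of 1-63 [a-z0-9-], no leading/trailing '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def parse_hosts(text: str) -> Set[str]:
    """Return the blocked hostnames found in one HOSTS-format text.

    Accepts both 127.0.0.1 and 0.0.0.0 sink entries, strips '#' comments,
    lowercases names, and drops loopback aliases and malformed names.
    """
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in SINK_ADDRESSES:
            continue  # real mapping, IPv6 loopback, or garbage: not a block entry
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            names.add(name)
    return names


def merge_hosts(sources: Iterable[str],
                pinned: Optional[Dict[str, str]] = None) -> List[str]:
    """Merge several block lists into one de-duplicated HOSTS file body.

    Block entries are written with the 0.0.0.0 sink address, as the post
    does: the name resolves locally, so no DNS query leaves the machine and
    no real host is reached. Pinned favourites keep their real address and
    win over any block entry that names them (a false positive in a feed).
    """
    pinned = {k.lower(): v for k, v in (pinned or {}).items()}
    blocked: Set[str] = set()
    for src in sources:
        blocked |= parse_hosts(src)      # set union is the de-duplication
    blocked -= set(pinned)               # a pinned site is never blocked
    lines = ["127.0.0.1 localhost", "::1 localhost"]
    lines += [f"{ip} {name}" for name, ip in sorted(pinned.items())]
    lines += [f"0.0.0.0 {name}" for name in sorted(blocked)]
    return lines


if __name__ == "__main__":
    print("\n".join(merge_hosts([SOURCE_A, SOURCE_B], PINNED)))
```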
-
Re:Mod parent funny
I am not sure if you are joking or not, but they still make Ghost. Although I use Ghost 8 frequently at my job for drive cloning, the latest version is Ghost 15; you can buy it at any reputable electronics/software retailer. http://us.norton.com/ghost/ Newer versions of Ghost can ghost drives to virtual disk image files, so they can be opened in virtualization software.
-
Re:Mod parent funny
It hasn't gone away - http://us.norton.com/ghost/
-
Re:No anti-virus?
If there's a virus, it must be Windows.
That's an invalid assumption, assuming it wasn't a troll. Here's a list with some for Linux: http://us.norton.com/security_response/threatexplorer/azlisting.jsp?azid=L
Here are some for OS X: http://us.norton.com/security_response/threatexplorer/azlisting.jsp?azid=O
There are fewer viruses for other OSes, most likely owing to the lower install base of the same. Even black hats are interested in ROI.
-
Supplement HOSTS w/ better DNS too
Mainly these 3 (which integrate into your IP stacks' settings & hardware router/firewalls too) - Each has a writeup on how/why/when/where they work too:
---
Norton DNS:
https://dns.norton.com/dnsweb/faq.do
OpenDNS:
https://store.opendns.com/get/basic
ScrubIT DNS:
http://www.scrubit.com/index.cfm?page=faq
---
* EACH does a heck of a job supplementing online security (in addition to my custom HOSTS file + Firewall rules tables I noted in my prior post I am replying to now)...
APK
P.S.=> It's ALL about "layered-security/defense-in-depth" first of all, but the nicest part? Well... THAT, is the added SPEED this layered security setup of mine yields (in addition to hardening the TCP/IP stack vs. attack, mostly via this -> http://msdn.microsoft.com/en-us/library/ff648853.aspx )...
... apk
-
Norton DNS/Open DNS/ScrubIT DNS
Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:
Norton DNS -> http://nortondns.com/
ScrubIT DNS -> http://www.scrubit.com/
OpenDNS -> http://www.opendns.com/
(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)
HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")
HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!
(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)
ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!
( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...
STILL, DNS HAS PROBLEMS... MANY PROBLEMS OVER TIME & EVEN RECENTLY BEYOND THAT OF THIS ARTICLE'S POINTS:
---
BIND vs. what the Chinese are doing to DNS lately? See here:
http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders
---
SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:
http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/
(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)
---
DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):
http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/
(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)
---
Moxie Marlinspike's found others (0 hack) as well...
Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...
(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack
-
Protective methods vs. ZITMO (& others like it
Which is a ZEUS botnet variant, albeit for "smartphones" (specifically ANDROID iirc):
http://www.google.com/search?hl=en&source=hp&q=ZITMO&btnG=Google+Search
SO, how to do THAT?
Well, use a custom HOSTS file on ANDROID
(Albeit, a modified one, filled with entries blocking out known bad sites/servers/hosts-domains that serve up malware like this, + their botnet C&C servers too):
ANDROID phones can also use the HOSTS FILE TO KEEP DOWN BILLABLE TIME ONLINE, vs. adbanners or malware such as this:
---
Infected Androids Run Up Big Texting Bills:
http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills
---
It's easily done too, via the ADB dev. tool (Android Debug Bridge):
---
1.) Mount ANDROID OS' system mountpoint for system/etc as READ + WRITE/ADMIN-ROOT PERMISSIONS
2.) Copy over your new custom HOSTS over the old one using ADB PULL/ADB PUSH to do so
(Otherwise ANDROID complains of "this file cannot be overwritten on production models of this Operating System", or something very along those lines - this way gets you around that annoyance along with you possibly having to clear some space there yourself if you packed it with things!).
---
* DONE, & "easy as apple pie"...
APK
P.S.=> And, IF POSSIBLE? Also, alter your DNS servers to DNSBL filtering ones!
E.G.-> These 3 are really good vs. malware + phishing exploiters online:
Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:
Norton DNS -> http://nortondns.com/
ScrubIT DNS -> http://www.scrubit.com/
OpenDNS -> http://www.opendns.com/
(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)
HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")
HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!
(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)
ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!
( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...
HOWEVER:
This I have NOT tried on ANDROID, as I have with HOSTS files, but since it's doabl
-
DNSBL, if implemented vs. malware such as
Norton DNS does http://nortondns.com/ can be a GREAT thing to help stall, or even stop, the malware problem online.
They filter on "malware-in-general" such as KNOWN bad sites/servers/hosts-domains, botnet C&C servers, & even bogus DNS servers by default (and their updates every few minutes for continuously updated protection are here http://safeweb.norton.com/buzz with site-checkers & even a removal appeals process etc./et al... IF a site does "clean up its act" etc. )
Another decent set of these are:
---
ScrubIT DNS -> http://www.scrubit.com/
&
Open DNS -> https://store.opendns.com/get/basic (with built in phishing protection even in the FREE basic model)
---
I use all 3 @ once in my NAT stateful packet inspecting Linksys/CISCO router + my IP stack setup for my Local Area Connection here... in layered security fashion!
* Each has a write-up on how they work, why they help, & more... enjoy!
APK
P.S.=> Between the layering of Filtering DNSBL utilizing DNS servers listed above, because I use them ALL in "layered-security fashion" in both my routers & IP stack setup here in Windows, in combination with:
---
1.) A custom HOSTS file ( currently with 1,494,865++ entries of known bad sites/servers/hosts-domains, botnet C&C servers, & even rogue DNS servers blocked in it currently & growing "automagically" from 17 reputable & reliable sources for that type of data for HOSTS as well as DNSBL lists here from a Python script that does so for me),
and
2.) IP addressed threats inserted into my router & software firewalls
3.) And lastly, system security-hardening, in depth -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
---
?
I haven't caught a "malware of any kind" infection/infestation since, oh, around 1996 or so in fact!
"Layered security", the best thing we have going currently, really WORKS!
... apk
-
DNSBL's can be "4 the GOOD"
PRIME example thereof? Ok: Norton DNS -> http://nortondns.com/ & you can even see how it updates every few minutes, here -> http://safeweb.norton.com/buzz
* The "noobz" others in other posts here described won't know how to work around these things, & thus, they are protected BY DEFAULT!
(It's really GOOD STUFF, & IF you're "security-conscious"? It only takes a minute to switch your system over to use them as your primary DNS... & same in your routers too!)
APK
P.S.=> Yes, there ARE relatively easy ways to "get around/past" DNSBL, but, the point is this:
Most of these "noobz" you're describing won't know them, & it can protect them from being victimized by botnets + their C&C Servers, bogus DNS servers, maliciously coded sites, known bad sites/servers/hosts-domains that serve up malwares that steal folks information & monies too...
Additionally, yes:
DNSBL's can even function to help BIG BUSINESS/The Wealthy too, as well as the "little guy/Joe Public" online!
(Because we are ALL 'consumers of the internet' big business included, & they also get abused by these things as well).
Boggles my MIND that ISP/BSP's worldwide haven't implemented DNSBL's the way Norton DNS does & why - to help stop the "malware plague" in essence, which we're ALL POSSIBLE VICTIMS OF!
... apk
-
Good they "don't get it" & why
Because a VALID DNSBL can HELP them! How so? Look no further: Norton DNS -> http://nortondns.com/ & you can even see how it updates every few minutes, here -> http://safeweb.norton.com/buzz
These "noobz" you describe won't know how to work around these things, & thus, they are protected BY DEFAULT!
(It's really GOOD STUFF, & IF you're "security-conscious"? It only takes a minute to switch your system over to use them as your primary DNS... & same in your routers too!)
APK
P.S.=> Yes, there ARE relatively easy ways to "get around/past" DNSBL, but the point is, that most of these "noobz" you're describing won't know them, & it can protect them from being victimized by botnets + their C&C Servers, bogus DNS servers, maliciously coded sites, known bad sites/servers/hosts-domains that serve up malwares that steal folks information & monies too...
AND, yes, DNSBL's can even function to help BIG BUSINESS/The Wealthy too, as well as the "little guy/Joe Public" online!
(Because we are ALL 'consumers of the internet' big business included, & they also get abused by these things as well).
Boggles my MIND that ISP/BSP's worldwide haven't implemented DNSBL's the way Norton DNS does & why - to help stop the "malware plague" in essence, which we're ALL POSSIBLE VICTIMS OF!
... apk
-
There are (for HOSTS files @ least) vs.
Known maliciously scripted sites/servers/hosts-domains & they DO have removal lists & ways to check on that too on many of them as well, vs. their databases (to see if any you are blocking should be removed). For example, I know of 17 reputable & reliable ones I use, & haul down on average 300++ sites per day to fortify my HOSTS file, & software firewall rules table with, every day (both in the forms of host-domain names & IP Addresses).
In fact - I am blatantly ASTOUNDED this has not taken place worldwide @ the DNS level, via DNSBL's being put into place to protect "Joe Public avg. internet non-geek user" from blundering into sites that ruin their systems, make them slaves of botnets, & steal their information + monies!
All I have seen, other than this child porn one out of "the land down under" (which I DO AGREE WITH, let kids be kids, & don't victimize them - life will do that on its own as it does to all of us to one degree or another eventually)?
Filters protecting "big business only"... that's bullshit to be blunt about it.
(& I've stated this here many times the past few weeks now on posts regarding the MPAA/RIAA & even this filter (this one I agree with though, by all means, though vs. child pornography (disgusting, and WRONG!!!)))
* Especially if these filters are being paid for by tax-payer monies, from ANY government putting them into place... that makes "Joe Public" the owner, not gov't. agencies or "big business only" (who face it, runs the show out there & always has when you come right down to it (the wealthy of the planet in other words)).
However, the thing is? Even the wealthy & BIG BUSINESS would benefit by it as well, since business & gov't. DO get "victimized" by malware makers + botnet masters as well!
The same types of lists also exist for DNSBL (DNS block lists) & a great one to use vs. the types noted above?
Norton DNS -> http://nortondns.com/ & you can even see how it updates every few minutes, here -> http://safeweb.norton.com/buzz
(It's really GOOD STUFF, & IF you're "security-conscious"? It only takes a minute to switch your system over to use them as your primary DNS... & same in your routers too!)
APK
P.S.=> Thing is, I've thought about it, as to WHY THIS ISN'T BEING INSTITUTED WORLD-WIDE @ THE ISP/BSP DNS LEVEL (like Norton DNS does, filtering vs. malware & bogusly scripted sites + bogus DNS servers, as well as botnet C&C Servers too):
About the ONLY thing I can come up with as to WHY this has not been instituted @ the ISP/BSP DNS level, is this:
"It might put PC techies out of a job!"
Well, that's crap: They have PLENTY of other tasks to do during the day (even though it can be up to 85% of their day, I know, I was one in between coding & networking jobs, working for ISP's & such, & much of it was fighting off malwares).
It's like saying:
"Yes, we CAN 'cure cancer', or drive it away to almost nothing... but, that'd put doctors out of a job!"
Again, crap - because doctors, like PC-Techs, have many other "maladies to deal with" during a day's work!
... apk
-
To "en masse" STALL out malwares-in-general?
Things like Norton DNS http://nortondns.com/ can help (they actively implement a constantly updated -> http://safeweb.norton.com/buzz via a DNSBL (DNS Block List) vs. malware threats their distributed antivirus/antispyware systems detect worldwide).
In fact?
I did a post on this the other day here, in my wondering WHY DNSBL vs. malware-in-general is NOT being implemented by ISP/BSP's worldwide in fact:
http://yro.slashdot.org/comments.pl?sid=2295168&cid=36657332
(For the purposes of STALLING OUT malwares-in-general infestations/infections possible vectors of known bad sites/servers/hosts-domains (even bogus DNS servers + botnet C&C servers too)).
* Doing THAT? It would 'cut down' on a good 90% of infestations/infections for 90% of folks that don't know HOW to get around it in the 1st place (hardcoded IP addresses OR HOSTS file circumventions being a couple easy ones), & thus?
PROTECTING THEM FROM INFESTATION/INFECTIONS by rootkits/botnets/virus/spyware/trojans/keyloggers/malware-in-general... & even bogus DNS servers + botnet C&C Servers as well!
APK
P.S.=> Now, in closing/bottom-line/above ALL else:
WHY a DNSBL worldwide has NOT been implemented worldwide @ ISP/BSP levels, "boggles my mind" but...
I do also go into WHY I think it's not being done in the link above too...
(I.E.-> Yes, it can affect PC Techies' jobs - STUPID!!!)
It's like saying "Yes, we can cure cancer or cut it down to almost nothing, but it would put doctors out of a job!"
SO, that "all said & aside"?
Well - what's the lesser of 2 evils?
PUTTING DOCTORS OUT OF THAT PORTION OF THEIR JOBS, by far!
(Because like PC techs? They have myriads of other tasks during the day/week/month/year to tackle, maladies-wise...))
... apk
-
I block their C&C servers via HOSTS files
HOSTS files, combined with firewalls rules tables (for IP address based ones).
It's easy enough to do, the data's out there by the TRUCKLOAD on Conficker and many other known botnets, sites/servers/hosts-domains that serve up malware-in-general (virus/spyware etc./et al).
Here are 15 or so that I use for anyone that's interested in protecting themselves in this manner:
---
http://www.mvps.org/winhelp2002/hosts.htm
http://hostsfile.org/hosts.html
http://someonewhocares.org/hosts/
https://zeustracker.abuse.ch/monitor.php?filter=online
https://spyeyetracker.abuse.ch/monitor.php
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malware.com.br/lists.shtml
http://hosts-file.net/?s=Download
http://www.malwaredomains.com/
http://www.safer-networking.org/en/download/index.html (Spybot Search & Destroy has an IMMUNIZE feature that works on HOSTS files here)
http://safeweb.norton.com/buzz
---
HOSTS files are the main route I took because they offer not just security benefits, but also speed benefits (very noticeable ones), & even anonymity ones to an extent (vs DNSBL)
HOSTS files, imo @ least, are even easier to deal with than a firewall (software OR router based) rules table if you ask me!
I did so again - Because of layered security they offer (combinations of Norton DNS (dnsbl filtering DNS vs. malware online threats & botnets), & firewall rules tables)) AND SPEED GAINS POSSIBLE TOO, via an easily edited route in a text file (which is all HOSTS are, a filter that works at the fastest & most efficient level there is, the IP subsystem).
I.E -> HOSTS are EASY to edit as well with any text editor also (which, face it, anyone can handle using) to add or even remove (or # symbol comment off temporarily even) data from its internal records list.
It works & on the SIMPLEST PRINCIPLE THERE IS for security: You can't get burnt if you don't go into the malware/botnet kitchen!
(I do so based on the principle of "layered security", especially vs. online threats...)
E.G.-> So, if one protective scheme fails, the others are there to kick in to protect you!
(They all work in combination w/ one another seamlessly-transparently... so, it's basically the same idea I suppose, as folks putting deadbolts, door handle knob locks, & chain locks on a door for 'triple layer security' really!)
It works & on the SIMPLEST PRINCIPLE THERE IS for extra speed, & bandwidth YOU PAY FOR OUT OF POCKET also:
See, nicest part about HOSTS files though, is that it's easy to insert other things (say for blocking adbanners) that speed you up online (via hardcoding your fav. sites into it, host-domain name to IP Address resolved, ea
-
Custom HOSTS files can achieve the same
Here's an EASIER trick, with a FREE "Tool" you already own, that's only a single text file filter for your IP stack: A custom HOSTS file, that yields the same results!
(I think it'd be interesting to see this service, COMBINED w/ what I am about to speak of in custom HOSTS files usage, and benefits to the end-user).
"According to the article, the speed boost comes from two things" - by Anonymous Coward on Wednesday June 08, @12:42AM (#36371418)
The gains HOSTS files offer in both speed, & security, are twofold:
---
FOR ADDED SPEED:
1.) Blocks out adbanners & the lag they introduce into webpage loads/downloads for consumption
2.) Hardcoding in your favorite website (to avoid DNS roundtrip lookup & result return time)
---
FOR ADDED SECURITY:
1.) Blocks out KNOWN malicious sites/servers/hosts-domain names
2.) Protection vs. DNS issues (such as the "Kaminsky flaw", or downed/compromised DNS servers that have been "redirect poisoned")
---
They work, they're free, and you can obtain one easily!
(OR, just combine ALL of the ones listed in my 'p.s.' below, & a db import of the file using a SELECT DISTINCT query can do it for example, as a way, or mvps.org offers a tool called HOSTSMAN that does it also (there are others like it as well, I designed one, & so have others)).
You already can do this yourself since any OS that uses a BSD derived IP stack already has one (even ANDROID phones), easily, & populate the custom HOSTS file yourself from the sources noted above!
(I consolidate them all into a single de-duplicated/normalized version, that which currently blocks out 1,429,303++ KNOWN bad sites/servers/hosts-domains, AND, speeds me up VERY noticeably (via blocking out adbanners, a possible threat for years now in malicious code in them & a bandwidth + speed hog OR, by 'hardcoding in' my favorite sites (to bypass DNS lookup & return roundtrip time) also))
APK
P.S.=> Here are some reputable, & reliable sources for said HOSTS file security data (as well as prebuilt HOSTS files for instant download & usage on your parts):
http://safeweb.norton.com/buzz
http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malwaredomains.com/
http://hosts-file.net/?s=Download
http://www.malware.com.br/lists.shtml
https://spyeyetracker.abuse.ch/monitor.php
https://zeustracker.abuse.ch/monitor.php?filter=online
http://someonewhocares.org/hosts/
http://www.mvps.org/winhelp2002/hosts.htm
... apk
-
Do the same w/ a custom HOSTS file
Here's an EASIER trick, with a FREE "Tool" you already own, that's only a single text file filter for your IP stack: A custom HOSTS file!
"They offer a security product for websites, and in the process of designing it so that it didn't add much latency, they inadvertently made it into a CDN that speeds things up. There. Now we all know what the trick is." - by Anubis IV (1279820) on Wednesday June 08, @12:56AM (#36371492)
The gains it offers in both speed, & security, are twofold:
---
FOR ADDED SPEED:
1.) Blocks out adbanners & the lag they introduce into webpage loads/downloads for consumption
2.) Hardcoding in your favorite website (to avoid DNS roundtrip lookup & result return time)
---
FOR ADDED SECURITY:
1.) Blocks out KNOWN malicious sites/servers/hosts-domain names
2.) Protection vs. DNS issues (such as the "Kaminsky flaw", or downed/compromised DNS servers that have been "redirect poisoned")
---
They work, they're free, and you can obtain one (or combine ALL of these, a db import of the file using a SELECT DISTINCT query can do it for example, as a way, or mvps.org offers a tool called HOSTSMAN that does it also (there are others like it as well, I designed one, & so have others)).
You already can do this yourself since any OS that uses a BSD derived IP stack already has one (even ANDROID phones), easily, & populate the custom HOSTS file yourself from the sources noted above!
(I consolidate them all into a single de-duplicated/normalized version, that which currently blocks out 1,429,303++ KNOWN bad sites/servers/hosts-domains, AND, speeds me up VERY noticeably (via blocking out adbanners, a possible threat for years now in malicious code in them & a bandwidth + speed hog OR, by 'hardcoding in' my favorite sites (to bypass DNS lookup & return roundtrip time) also))
APK
P.S.=> Here are some reputable, & reliable sources for said HOSTS file security data (as well as prebuilt HOSTS files for instant download & usage on your parts):
http://safeweb.norton.com/buzz
http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malwaredomains.com/
http://hosts-file.net/?s=Download
http://www.malware.com.br/lists.shtml
https://spyeyetracker.abuse.ch/monitor.php
https://zeustracker.abuse.ch/monitor.php?filter=online
http://someonewhocares.org/hosts/
http://www.mvps.org/winhelp2002/hosts.htm
... apk
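The two APK posts above describe consolidating several HOSTS-format lists into one de-duplicated, normalized file (via a database import with SELECT DISTINCT, HOSTSMAN, or a home-grown tool). The following is an added example of how such a merge can be done; it is not APK's tool, not HOSTSMAN, and not code from any of the listed sources. The feed contents (FEED_A, FEED_B), the pinned favourite (www.example.test -> 192.0.2.10) and the function names are constructed for illustration. It also covers the two points the posts make: hand-pinned ("hardcoded") favourites take precedence over any feed, and lines that are not valid hosts syntax are skipped rather than guessed at.

```python
"""Merge several HOSTS-format blocklists into one de-duplicated hosts file.

Added example (not from the original post). The feeds below are constructed
samples, not real list contents.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample feeds in the usual "<address> <hostname> [...]" format.
FEED_A = """\
# sample feed A (constructed)
127.0.0.1 localhost
127.0.0.1 ads.example.test
0.0.0.0  Tracker.Example.Test   # inline comment, mixed case
::1 localhost
"""

FEED_B = """\
# sample feed B (constructed)
0.0.0.0 ads.example.test
0.0.0.0 malware.example.test
0.0.0.0 www.example.test
not a valid line here
0.0.0.0 ads.example.test.   # trailing dot: same host once normalized
"""

# One DNS label: 1-63 chars, no leading/trailing hyphen; labels joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9_-]{1,63}(?<!-)(\.(?!-)[a-z0-9_-]{1,63}(?<!-))*$"
)

# Names every hosts file already carries; never emit them as "blocked".
LOCAL_NAMES = frozenset({
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0",
})


def parse_hosts(text: str) -> Iterable[str]:
    """Yield normalized hostnames from one HOSTS-format feed.

    The address column is only validated, not kept: the consolidated file
    assigns its own sink address to every blocked name.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])  # first field must be an IP
        except ValueError:
            continue  # not hosts syntax (e.g. HTML residue); skip it
        for name in fields[1:]:  # hosts syntax allows several names per line
            name = name.lower().rstrip(".")
            if HOSTNAME_RE.match(name):
                yield name


def consolidate(feeds: Iterable[str],
                pins: Optional[Dict[str, str]] = None) -> List[str]:
    """Union of all feeds, minus local names and minus hand-pinned hosts."""
    pinned = {n.lower().rstrip(".") for n in (pins or {})}
    blocked = set()
    for feed in feeds:
        blocked.update(parse_hosts(feed))
    blocked -= LOCAL_NAMES
    blocked -= pinned  # a pinned favourite always wins over a feed entry
    return sorted(blocked)


def render_hosts(blocked: List[str],
                 pins: Optional[Dict[str, str]] = None,
                 sink: str = "0.0.0.0") -> str:
    """Render the final hosts file: loopback, pinned hosts, then the block set.

    0.0.0.0 is used as the sink so a blocked name fails immediately instead
    of being tried against a local listener on 127.0.0.1.
    """
    ipaddress.ip_address(sink)
    lines = ["# consolidated hosts file (generated)",
             "127.0.0.1 localhost", "::1 localhost"]
    for name, addr in sorted((pins or {}).items()):
        ipaddress.ip_address(addr)  # refuse to write a malformed pin
        lines.append(f"{addr} {name.lower().rstrip('.')}")
    lines.extend(f"{sink} {name}" for name in blocked)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pins = {"www.example.test": "192.0.2.10"}  # constructed favourite
    print(render_hosts(consolidate([FEED_A, FEED_B], pins), pins), end="")
```

Two caveats a practitioner would add before deploying the output: a pinned address goes stale the moment the site moves or changes its CDN, so pins need the same refresh discipline as the blocklists; and on Windows the file must be written with CRLF line endings, and a very large hosts file is known to slow the DNS Client service's cache handling (the mvps.org page linked above discusses this).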
-
Norton filters vs. bad sites & again: THANKS!
See above on Norton DNS: That I KNOW they do a DNSBL (DNS Block List) for, vs. KNOWN bad sites/servers/host-domain names out there & it's updated, like mine is, every few minutes, here:
http://safeweb.norton.com/buzz
That's about as 'sure' a protective measure from DNS as it gets and no doubt LEGITIMATELY blocked sites/servers/host-domain names that are bad (not just ones that say, the gov't. of a nation doesn't want you to see like China's firewall!)
However: As far as "cryptographically secure" (is there such a thing? I keep seeing encryption broken periodically, latest being iPhone encryption by the Russians in fact yesterday):
DNSSEC isn't employed by Norton DNS, not afaik, but... the 13 root servers use it now, afaik (correct me IF I am off here, thanks). The rest of the servers worldwide utilize those... but, if set into recursive mode & unsecured as they usually are? They can be "bum rushed" with port 53 (iirc) misinformation for redirect poisoning!
(My original post has LOADS of evidences of that much over time the past 2-3 yrs. now in fact!)
APK
P.S.=> Oh, on my thanking you YET again, after you admitted I am right on my points on HOSTS files here:
"although you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage
Well - Now, I am assuming that "I am the guy" you referred to in your reply I am now responding to!
(Perhaps incorrectly assuming that now on MY end here in this reply to you... but, I do also make that very point in my 20++ points in favor of HOSTS files, & it lightens loads on DNS servers too by lessening their request loads by using HOSTS & hardcoded entries in them for your fav. sites, in addition to proofing you vs. DNSBL or other forms of perhaps unjust filtering @ the DNS level too... bonus!) but...
"The guy raises a good point, through packet mangling you can reroute DNS queries with users none the wiser." - by drinkypoo (153816) on Thursday May 26, @01:33PM (#36253160) Homepage
Thank you... & I don't make just "1 good point", I made 20 of them in favor of HOSTS files over DNS servers &/or AdBlock alone (so good, that apparently, nobody here on /. can disprove them in fact, lol, & ALL THEY HAVE ARE OFF TOPIC AD HOMINEM ATTACKS ON MYSELF, & other illogically invalid off topic attacks!) This? As-per-my-usual?? It was just "too, Too, TOO EASY - just '2EZ'"... lol!
...apk
-
Re:it's coming...
-
Windows CE-Me-NT
What would be the point of porting the desktop Windows to ARM when MS is already in that market segment with Windows CE?
What would be the point of making a home version of Windows NT when Microsoft was already in that market space with Windows 98? Just as the home PC market was switched from the 9x codebase to Windows XP (i.e. NT 5.1), the mobile market could be likewise switched to NT, finally unifying all three markets (home, professional, and mobile) under one codebase. Microsoft might even be able to pull it off if it includes a subsystem for running CE apps, much like wowexec on 32-bit NT or wow64 on 64-bit NT.
-
Re:None have come to fruition?
What we don't have is people focused on finding, removing, and spouting a product yet like Norton/McAfee/AVG/whatever.
If Viruses did not exist, it would be necessary for AV companies to create them.
The Joker exists because of Bat Man. Bat Man exists because of the crime in Gotham. Both Bat Man and The Joker can use their resources to fight or cause crime.
Darth Vader exists because of the Jedi, the Jedi Order exists because of crime in the Universe. The Force can be used for good and evil. It's a Yin & Yang sort of thing. Good and Evil are relative terms, subject to interpretation.
Crackers exist because of Hackers. AV exists because of malware in CyberSpace. The Source can be used for good or evil.
Hackers hack on the hardware / environments that they have available. Hackers can turn bad, and become Crackers, and use their but first they must have a genuine interest and exposure to a platform in order to exploit it.
Some platforms cater more to the Hackers, and they are less frustrated with the platform; Thus, less become Crackers for such platforms. Other platforms shun the Hacker, frustration fuels the desire to become a Cracker, and more malware is released which exploits such platforms...
-
Re:None have come to fruition?
-
Re:Free MS Security Essentials
Or you could use the Norton Removal Tool:
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US
But you carry on your way if you must
;)
-
Re:Free MS Security Essentials
I've had this problem myself once.
Thankfully, Symantec provides a removal tool. Many other AV vendors do the same.
A good list of AV removal tools -
Re:It's all a scam
Try the Symantec Removal Tool. Yep, there's a tool they make specifically to remove the "software."
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US
-
Re:It's all a scam
Symantec actually make a separate Norton Removal Tool available from their website, which allegedly (this is second-hand info, I don't know this from personal experience) actually works to uninstall Norton. (It's advertised as a tool to help you recover from problems during the installation, incidentally; I wonder if that's an attempt to justify the existence of a tool that should be redundant to the uninstaller?)
-
Re:malware...
HEY!!!!
Symantec is WONDERFUL!!!
I just learned the other day on some TV commercial that they will protect my chicken from the metal band Dokken!!!! What other AV firm can claim their product does that?!?!?!?
-
*NOT* Related to "Web of Trust" Web Safety Add-on
Although I'm familiar with Thawte, I hadn't heard of its "Web of Trust" prior to this article. However, there's a popular browser add-on with the same name, so I thought I should point that out to avoid any confusion, especially since both products are related to Internet security in some way.
Web of Trust is also the name of a Firefox and Internet Explorer plug-in from a company called WOT Services Ltd. (until recently known as Against Intuition Inc.). It helps protect users from harmful Web sites and puts safety rating badges in search results on Google, Bing, Yahoo!, and other search engines, similar to McAfee SiteAdvisor and Symantec's Norton Safe Web (although in my experience, WOT is much more effective). This completely unrelated Web of Trust is not being killed off.
I hope that clears up any potential confusion.
-
Symantec products are apparently the same.
A quick Google search shows Symantec products are not much different: Norton - From Symantec - Problems, Problems, Problems..
Or, Multiple serious problems with symantec endpoint 11 - Please help.
Or, Norton Internet Security 2009 has caused me problems. (Norton.com is owned by Symantec, of course.)
You know there are problems when Symantec provides a Removal Tool.
-
Trojans on the links posted in the main article
See the report yourself: http://safeweb.norton.com/report/show?url=xinhuanet.com
-
From one of the Norton Community Forum Admins
Hello everyone,
I'm one of the administrators for the Norton Community Forums. First off, I would like to apologize for the removal of legitimate posts, and delayed response in acknowledging the PIFTS.exe issue. While the reason for merging like-posts in to a single thread was not intended to silence the voices of the users, we do understand that it ended up causing a lot of suspicions about the topic. We are sorry for the confusion that we have caused, and have developed new strategies to ensure this doesn't happen again.
We launched the beta of the Norton Community Forums in April 2008. We've been very transparent with many issues that have come up on the boards, and utilized this opportunity to have more open discussions with those who use our software. We have also been very lenient with posts. There are threads on the forums that are critical of our products and discuss non-Symantec scanning software recommended by other users, as well as other non-relevant 3rd party software. I'm not saying this to get a pat on the back, but to acknowledge that we encourage open and honest communication on our forums. We strive to be transparent and give our customers the best information as quickly as possible.
We've spent the past 2 days compiling all the information regarding PIFTS.exe and detailing what it does. We've also included information regarding the timeline of events that happened on the forums. To view this information, please visit this forum thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
We also have a discussion thread for all things PIFTS.exe related at the following thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123
Please read through the above two threads if you have any questions, as many questions have already been addressed (such as rumors that we sent personal information to our servers, rumors regarding sending information to Google, and other rumors that we were involved in a conspiracy or "cover up").
We welcome you to join in on the discussion if you have any concerns that need to be addressed.
Again, we're sorry for the mishap and all the confusion that this has caused.
Cheers,
Tim Lopez
Norton Forums Administrator
http://community.norton.com/
-
Re:not to worry
Norton says it's the Product Information Framework Troubleshooter. Anyway, Norton's excuse sounds legit to me: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
-
Offical response, finally
Symantec has (finally) responded with a sticky on the forum from "davecole".
It's a statistical reporting tool that is normally included in patches, however due to an internal screwup, it was not signed. Because it was unsigned, the firewall looked at it quite skeptically.
They also attempt to explain their actions on the forum; from their description, it sounds like a typical Ebaums/YTMND raid. Their admin response was to carpet bomb the forums with bans and deletions indiscriminately. I don't think this is very professional of the admins; it reminds me of how Habbo responded back in the day. When you're the mouthpiece of a company that size, you should know that an overly aggressive response to a raid will do you more PR damage than just letting it go.
-
Re:Rootkit?
Sorry, copied the same link twice. Here's the other:
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123
-
Norton responds...
The first post on the issue, made by a member identified as an employee, can be found here:
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119&jump=true
It is reproduced below for the lazy:
---
Hi everyone,
Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.
There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:
* O LAWD IM CHOKIN ON PIFTS PLZ HALP
* OH GOD YOU GOT CHOCOLATE IN MY PIFTS
* If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
* IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
* PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
* I LOVE MY PIFTS.EXE
Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.
Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. "Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them." When searching for information on "pifts.exe," Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.
Message Edited by davecole on 03-10-2009 12:45 PM
---
-
Re:Windows Users Beware...
Link to symantec forum post http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39119&query.id=294747#M39119
-
Forum posting by Symantec employee re PIFTS
Says that the patch went out unsigned, then 200 user accounts were created in a short span of time spamming the boards about the update.
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
-
Symantec response
Symantec has a post on their forums here explaining the situation. They claim that it was an erroneously unsigned update that caused the problem, and the erasure of forum posts was due to spamming of the forum.
-
Re:Norton starting to respond?
Holy cow! Now the thread which had been responded to by a Norton employee has been deleted!
From a recent post on the Norton forum:
To my limited knowledge, that program is legitimately delivered in a LiveUpdate package.
The topics are deleted because it appears that somebody is abusing this system and some legitimate posts may be the collateral damage associated with dealing with this abuse.
-Reese Anschultz
Sr. SQA Manager
Symantec Corporation
-
Norton starting to respond?
From a recent post on the Norton forum:
To my limited knowledge, that program is legitimately delivered in a LiveUpdate package.
The topics are deleted because it appears that somebody is abusing this system and some legitimate posts may be the collateral damage associated with dealing with this abuse.
-Reese Anschultz
Sr. SQA Manager
Symantec Corporation
-
Re:lulz
It's amusing to just refresh the Norton forum and watch as the PIFTS threads are deleted (http://community.norton.com/norton/board?board.id=nis_feedback). As I was watching, I was seeing new ones about every two minutes, and deleted about as fast.
-
Re:Windows Users Beware...
Not that I've been to Norton's forums or anything, but I would assume by registering on Norton's forum, you agreed to their TOS which probably state they can censor anything they want and ban anyone they want for any reason.
*checks the forum rules at Norton*
Hmm...maybe the argument could be made, but it wouldn't be a very strong argument. To make the argument would require such an insane stretch of their Participation Guidelines that I don't think anyone will accept an official explanation for the deletion of posts.
Honestly, I think it'd be easier to make up a reason for PIFTS.exe than it would be to make up a reason for deleting the forum posts on it.
-
Symantec Forums Under Attack by 4Chan
Pretty funny stuff - check it out:
http://community.norton.com/norton/board?board.id=nis_feedback
-
Re:Strings in PIFTS.exe
I've seen code like that before. In my days working as a digital forensics dude, the text at the beginning appears to be the text that happens to be part of an image, most likely a jpeg or bmp (but the FF D8 FF jpeg header wouldn't show up, and the BM bitmap header doesn't appear). The last part indicates that it most likely has a gui of some sort that it doesn't want to reveal. There doesn't appear to be any packing involved.
However, what's really interesting is the inclusion of this line: http://stats.norton.com/n/p?module=2667
Line 1677.
Above that? Hints to the pif engine in the registry. It'd be worth it to check out what's in those registry keys as well.
Anywho, looks to be part of the personal internet firewall, but the fact that it's rootkitted means that any and above is just conjecture and we're all doo
-
Some Poking Around
It seems that it sends data to http://stats.norton.com/n/p?module=xxxx where xxxx is an integer. http://stats.norton.com/n/ requests auth from a tomcat server, for "statistics". Just thought this was a bit odd. Perhaps they have a nice web interface to aid in their world takeover.