Slashdot Mirror


Anatomy of an Attempted Malware Scam

Dynamoo writes "Malicious advertisements are getting more and more common as the Bad Guys try to use reputable ad networks to spread malware. Julia Casale-Amorim of Casale Media details the lengths that some fake companies will go to to convince ad networks to take the bait."

7 of 139 comments

  1. Re:127.0.0.1 for Casale by Anonymous Coward · · Score: -1, Troll

    Shut the fuck up you dumb cracka before I stick my 10 inch nigga dick up yo ass.

  2. Thanks, & see URL @ bottom of this reply by Anonymous Coward · · Score: -1, Troll

    "Yes, I am aware that reading more data from the disk is slower. " - by agrif (960591) on Thursday August 05, @06:52AM (#33148240) Homepage

    Good, so you concede my point that a "larger-per-line" in bytes per line entries in HOSTS files' record entries takes longer in using 127.0.0.1, especially vs. 0.0.0.0, and even moreso especially vs 0 (which is still useable in Windows 2000/XP/Server 2003 from the "Microsoft side of things" at least)

    ----

    "However, I would like to point out that the time it takes to read an additional two (or even eight) sequential bytes off the disk is insignificant compared to the potential time wasted in a timeout." - by agrif (960591) on Thursday August 05, @06:52AM (#33148240) Homepage

    Not in a HOSTS file like mine, OR ANY REALLY (because "less IS truly more" in this case, & larger amounts of characters to parse just plain takes more time period in ANY SIZED FILE in line by line reads).

    Heck, on this very note & on this very site (and MS site's too?)? Well - I even questioned a Microsoft Senior Manager on this, a user here named Foredecker on this website (he's the head of Windows Client Performance Division) & he had to concede I am correct on it in fact.

    If you like?

    Ask him yourself if you wish (even though he "battled to the death" with me on that account here and in his blogs) as well as S. Sinofsky, head of Windows development here http://blogs.msdn.com/e7/archive/2009/02/25/feedback-and-engineering-windows-7.aspx?CommentPosted=true#commentmessage & no one can dispute the fact, since they had to concede it to me as well, as you now have.

    Using a smaller line per line format while parsing HOSTS files isn't insignificant, & especially not insignificant in a HOSTS file like mine (which I've been building since 1997 for public consumption by others in fact) which has well over 875,000 or so entries of known bad sites/servers' domain-hosts names in it from many reputable sources such as those noted here ->

    Spybot Search & Destroy

    +

    http://ddanchev.blogspot.com/
    http://www.malwareurl.com/listing-urls.php?page=1&urls=off&rp=
    http://www.malware.com.br/lists.shtml
    http://securitylabs.websense.com/content/alerts.aspx
    http://www.stopbadware.org
    http://blog.fireeye.com/
    http://mtc.sri.com/
    http://www.scansafe.com/threat_center/threat_alerts
    http://news.netcraft.com
    http://www.shadowserver.org/
    https://zeustracker.abuse.ch/monitor.php?filter=online
    http://www.mvps.org/
    http://someonewhocares.org/
    http://hostsfile.mine.nu/hosts0
    http://hosts-file.net/?s=Download

    And others also.

    Still - Fact is, there's no doubt of it, that smaller hosts files result from using 0 vs. 0.0.0.0 (& especially 127.0.0.1) as the line by line blocking method, and I've tested it myself, AND had MS' own mgt. & his boys test it...

    Foredecker (MS senior mgt. & a poster here) had to concede I was correct in fact, & did so here, publicly in fact!

    ----

    "Using "0.0.0.0" is more efficient, but not because of the primary reason you listed, even if that is a contributing factor." - by agrif (960591) on Thursday August 05, @06:52AM (#33148240) Homepage

    See above, because again:

    In a file the size of mine (HOSTS with near 1 million lines)? It matters... plus, I think this guy's post will interest you GREATLY in fact (he doesn't agree with you, though I do) -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33148128 He's been trolling me on the point you made in fact, & I agree with you, so I defend it.

    (Give him a piece of your mind if you like. I think you will in fact, lol!)

    ----

    "I was not aware of your other post, and I apologize for the redundancy." - by agrif (960591) on Thursday August 05, @06:52AM (#33148240) Homepag

  3. Impersonating me? Poor job! by Anonymous Coward · · Score: -1, Troll

    "I've been told it's weird when ACs try so hard. Also futile.

    So disregard everything I said, I suck cocks.

    APK - by Anonymous Coward on Thursday August 05, @06:53AM (#33148252)

    Reduced to attempting to IMPERSONATE me? Not a first here (or elsewhere online either): It's one of the "key indicators" you have a troll on the ropes as well as on the run... & it's right up there with the usual from trolls in ad hominem attacks, or spelling and grammar checks (where there is no "english lit/grammar/spelling" section of this forums, & on tech topics).

    APK

    P.S.=> Even others (as registered users in beerbear) here also do realize you're a lowly troll impersonating me here, see here -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33148404 , so you can give up now troll... apk

  4. Do this math inside then... apk by Anonymous Coward · · Score: -1, Troll

    "Yeah, in a file with that many entries, the extra 8 bytes per line would create a large performance hit." - by agrif (960591) on Thursday August 05, @08:49AM (#33148838) Homepage

    It does in ANY file, but it merely shows itself more in larger HOSTS files (and in relatively largish HOSTS files you must turn off the local DNS client cache in Windows in fact, a bug I reported to MS years ago in fact they still have not corrected). The speed hit compounds itself the MORE line entries a HOSTS file has though.

    ----

    I'm going to agree with the AC in a sibling thread, though: if your HOSTS file is larger than 10MB*, you're doing something with HOSTS it was never meant to do." - by agrif (960591) on Thursday August 05, @08:49AM (#33148838) Homepage

    First, I'd like to see documentation of that from the RFC's or a MS or PHD in this science (I have dual degrees around this science myself in a BS CSC and CIS minor from another degree in fact)... just as I told that other AC who impersonated and ad hominem trolled me here (he also says that using 127.0.0.1 is not slower than 0.0.0.0 and like yourself? I disagree on that account due to filesize, length of line entries parsing, AND loopback operations (the latter being one we BOTH noted in fact)).

    Secondly - See this:

    ----

    RESURRECTING THE KILLFILE:

    (by Mr. Oliver Day)

    http://www.securityfocus.com/columnists/491

    PERTINENT EXCERPTS/QUOTES:

    "The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet particularly browsing the Web is actually faster now."

    "From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

    ----

    Well, opinions vary, but... as you can see? A respected security researcher in Mr. Oliver Day who works for securityfocus.com agrees with me and for the same reasons I extolled here on HOSTS file usage... security and speed, are better using one.

    ----

    "It may be easier than setting up a proper DNS server, but it's not as efficient." - by agrif (960591) on Thursday August 05, @08:49AM (#33148838) Homepage

    See http://www.google.pl/search?hl=pl&source=hp&q=%22Dan+Kaminsky%22+and+%22DNS%22&btnG=Szukaj+w+Google on DNS servers, and their compromiseability (per Dan Kaminsky, & Moxie Marlinspike's another)... I don't rely on those alone and when I do? I use Open DNS or Scrub IT DNS, since you cannot "hardcode" the entire internet in a HOSTS file after all!

    PLUS, DNS servers eat up CPU & RAM I don't need to be eating up here, when a HOSTS file and Open DNS do the trick for me rather nicely!

    ----

    "(I appreciate distributing a HOSTS file is easier than telling people how to setup a DNS server, though.)" - by agrif (960591) on Thursday August 05, @08:49AM (#33148838) Homepage

    I think they're pretty much cake personally, but to each his own... avoiding setting them into "recursive mode" is a good idea though, see the URL from GOOGLE above, on THAT very note.

    ----

    "I think if you start worrying about efficiency enough to start shaving bytes off of lines, you should consider the efficiency of loading a 10MB file instead of a proper DNS server, which can store this data more efficiently than a plain-text list." - by agrif (960591) on Thursday August 05, @08:49AM (#331

  5. Wrong AGAIN by Anonymous Coward · · Score: -1, Troll

    "I have to admit, though, you getting all huffy about it is just golden and ridiculing you much more effectively than I could hope to achieve." - by Anonymous Coward writes: on Thursday August 05, @01:14PM (#33149068)

    I know what you are wrongly implying but you are CLEARLY WRONG (I've done MUCH BETTER than that): see here -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33148088 , & here -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147750 , & also here -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33148088 !

    You are just wrong & I am RIGHT. The earlier you see that the earlier I can get back to what I do when I'm not educating TR0LLS like you.

    APK

    P.S.=> What's wrong with sucking cocks anyway... apk

  6. Impersonating me a 2nd time troll? by Anonymous Coward · · Score: -1, Troll

    LMAO, that 2nd impersonation of myself again on your part above's pretty poor, as I am not a homosexual (so, sorry to disappoint you), and it's your 2nd time trying impersonating me no less out of your being frustrated into doing so because you don't know enough comp. sci. to punch your way out of a wet paper bag.

    I mean, lmao: First time you impersonated me here, others knew it also -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33148504 so, give up already troll... you LOSE/FAIL, as per usual, vs. myself!

    APK

    P.S.=> Go get a degree in CSC & make something of yourself troll, instead of wasting your life trolling others here... you aren't very good at it, based on your trolling performance here in ad hominem attacks on myself rather than attacking my tech points, your name tossing, impersonating me, and making it VERY simple for me to disprove your WEAK "so-called tech know-how", & with EASE on that latter note all thru this exchange... ah, as per usual? "too, Too, TOO EASY" for me, vs. you (TOO easy)... apk

  7. ADBLOCK'S "Blockable" too, see inside... apk by Anonymous Coward · · Score: -1, Troll

    In addition to what you noted? Arstechnica did that to adblock/adblock plus users:

    ArsTechnica blocking Adblock?

    https://adblockplus.org/forum/viewtopic.php?f=2&t=5266

    However, they could NOT do that to HOSTS files users though!

    Fact is, HOSTS files are better than adblock (especially adblock alone) on that account above alone, PLUS these also:

    10 ADVANTAGES OF HOSTS FILES OVER BROWSER ADDONS ALONE, & EVEN DNS SERVERS:

    http://forums.windowsforum.org/index.php?s=35faafcfc2596ff0fdd2a54a2717153b&showtopic=33716&st=60

    1.) HOSTS files eat A LOT LESS CPU cycles than browser addons do no less (since browser addons have to parse each HTML page & tag content in them)!

    2.) HOSTS files are also NOT severely LIMITED TO 1 BROWSER FAMILY ONLY... browser addons, are. HOSTS files cover & protect (for security) and speed up (all apps that are webbound) any app you have that goes to the internet (specifically the web).

    3.) HOSTS files allow you to bypass DNS Server requests logs (via hardcoding your favorite sites into them to avoid not only the TIME taken roundtrip to an external DNS server, but also for avoiding those logs OR a DNS server that has been compromised (see Dan Kaminsky online, on that note)).

    4.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

    5.) HOSTS files also allow you to not worry about a DNS server being compromised, or downed (if either occurs, you STILL get to sites you hardcode in a HOSTS file anyhow in EITHER case).

    6.) HOSTS files are EASILY user controlled, updated and obtained (for reliable ones -> http://en.wikipedia.org/wiki/Hosts_file OR see lists below ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

    7.) HOSTS files aren't as vulnerable to "bugs" either like programs/libs/extensions of that nature are, OR even DNS servers, as they are NOT code, & because of what's next too

    8.) HOSTS files are also EASILY secured well, via write-protection "read-only" attributes set on them, or more radically, via ACL's even.

    9.) HOSTS files are a solution which also globally extends to EVERY WEBBOUND APP YOU HAVE - NOt just a single webbrowser type (e.g. FireFox/Mozilla & its addons exemplify this, such as ADBLOCK)

    10.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privlege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - You might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own, & this? This stops that cold, too! Bonus...

    Still, it's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock, &/or NoScript (especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security".

    APK

    P.S.=> The rest of this exchange covers what my naysayers attempted to say to put what's above "down", to no avail though, from here http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 on down in that/this very exchange!

    (I think those of you rea