Slashdot Mirror


Critroni Crypto Ransomware Seen Using Tor for Command and Control

Trailrunner7 writes There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing Tor connection is embedded in the malware's body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."

122 comments

  1. Time to get rid of Tor by Jay Maynard · · Score: 0, Troll

    Tor has only ever been an enabler for spammers and other criminals, making it possible for them to hide their tracks. Time to get rid of it.

    --
    Disinfect the GNU General Public Virus!
    1. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      And bitcoin for the same reason.

    2. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      And cash for the same reason.

    3. Re:Time to get rid of Tor by CRCulver · · Score: 4, Insightful

      It has also been an enabler for millions of people in Iran, Syria and Turkmenistan to frequent social networks like Facebook and Twitter. The considerable soft power that the West gains over the youth in these often hostile or hermetic states is worth the occasional use of the network for financial crimes.

    4. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      And Microsoft Windows ..

    5. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      How's the astroturf doing Mr NSA Agent? Hope you get what's coming, oh and do remember, Snowden is a hero!

    6. Re:Time to get rid of Tor by vux984 · · Score: 5, Insightful

      It has also been an enabler for millions of people in Iran, Syria and Turkmenistan to frequent social networks like Facebook and Twitter.

      And get uncensored news from buzzfeed

      Don't get me wrong, Tor is a great enabler for countering censorship, etc... but advocating that these people need access to facebook and twitter? Honestly. Nobody needs that.

    7. Re:Time to get rid of Tor by Gothmolly · · Score: 1

      And those countries instantly became bastions of freedom? Hint: no they didn't. People think Internet = magical standard of living raiser, and it isn't. It's just another tool to control the population.

      --
      I want to delete my account but Slashdot doesn't allow it.
    8. Re:Time to get rid of Tor by jeIIomizer · · Score: 3, Insightful

      And those countries instantly became bastions of freedom?

      It didn't instantly fix everything, so it's worthless.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    9. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      Come on, anything can be an enabler, like guns, alcohol, and narcotics. Take guns for example, if banned it would effectively enable the government to do anything they please with no risk of starting a civil war.

    10. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      And get rid of SSL. No-one has any legitimate reason for any kind of privacy after all. The government should know *everything* you do. So should your wife and boss.

    11. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      Tor has only ever been an enabler for spammers and other criminals, making it possible for them to hide their tracks. Time to get rid of it.

      ^^^^Genuine asshole.

    12. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      Criminals drive on roads. They also drink water. We should ban water.
      But there is no risk at all of a civil war. We are far too controlled for that to ever happen. If you think a band of vigilantes or a citizens' militia could ever take down the government of any modern Western power, you are living in an alternate universe where reality is somewhat warped out. Get real. That possibility has not existed for a very long time. Politicians in western countries have no fear of the people.

    13. Re:Time to get rid of Tor by DarkOx · · Score: 4, Interesting

      And while we are on the subject:

      It's true that some protests and the beginnings of the Arab spring stuff apparently began on Twatter and Facespace; I wonder how much of that was going to happen anyway, especially given that in at least 3 of the four major uprisings the secular movements that seemed so popular online certainly have not proven to be what the people ultimately choose to support:

      Egypt - went theocracy and is now back to essentially an autocracy that more or less resembles the one they started out with.

      Libya - If you're not an Obama apologist is a failed state, run by gangs or would-be tyrants.

      Syria - Remains to be seen if the rebels will even succeed but if they do will probably be Islamist

      Tunisia - Well that one might have kinda worked.

      One is left to wonder if much like Slashdot here in the states, where lots of radical (not to be necessarily read with a negative connotation) ideas get expressed online, but it seems to amount to a lot of political masturbation because it does not get translated into actions that generate any sort of results at the ballot box. In some respects, taking a longer view, the pamphleteers of the late 17th and 18th centuries, and the marchers and organizers of the mid 20th century, seem to have had much more influence than the 21st century Internet critics. Oh sure they can manage to get a SOPA or PIPA shot down once in awhile, but can't get it turned into the sort of third rail the politicians will shy away from touching again for even a year.

      So is it possible the Internet is actually harmful to these movements, is it keeping people sitting at home posting on Facespace behind their proxies instead of actually out in the street doing something disruptive? Sure the organizing power of these things is clear but real widely supported political movements always have managed to organize before.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    14. Re:Time to get rid of Tor by ComputersKai · · Score: 1

      For voicing opinions safely though...

    15. Re:Time to get rid of Tor by IamTheRealMike · · Score: 3, Interesting

      There is no need to get rid of Tor: in theory, Tor could have a "hidden service policy" mechanism not much different to the exit policy mechanism. HS Policies would allow a node operator to state that they aren't willing to act as an introduction point for a list of hidden services (or point to lists maintained elsewhere to stop fast-flux type behaviour).

      Tor already accepts that not all relay operators will want to support all kinds of behaviour and that some kinds of traffic can be abusive, that's why they implement exit policies which allow exits to ban port and IP ranges. Taking this philosophy to hidden services seems like the next natural step. After all, Tor volunteers are ultimately acting as human shields for other people's anonymous behaviour. Requiring them to shield everything just restricts the number of people who would be willing to donate bandwidth to general privacy but are not interested in enabling botnets.

    16. Re:Time to get rid of Tor by Mister Liberty · · Score: 1

      Jay Maynard, collaborator anno 2014. There's a tree for you somewhere.

    17. Re: Time to get rid of Tor by Anonymous Coward · · Score: 0

      Fb and twit were instrumental for on location reports during rebellions ... Saying otherwise suggests that you are ... ignorant.

    18. Re:Time to get rid of Tor by dskoll · · Score: 0

      The problem with Egypt, Syria, Libya and Tunisia is they've suffered over a thousand years of Islam. That has left their population with a fatalistic outlook, their leaders corrupt and their drive and innovation sapped. The Internet is not going to free the billion humans who live enslaved to Islam. Unfortunately, only the people themselves can do that by throwing off the stultifying oppression of Islam, and that's not happening any time soon.

    19. Re:Time to get rid of Tor by mysidia · · Score: 1

      Tor has value, BUT it has no proper place running behind the firewall on the corporate intranet or in the home within the developed world -- it is a huge security risk, and it makes sense to block tor completely.

      Tor has value for some people living in tyrannical regimes where free speech has been outlawed and internet users have a jealous government to worry about who may object to what they post or read, and may threaten them or their families based on it.

      However.... these users also need some sort of VPN or anonymized onramp to get onto Tor, or else they may be busted for the crime of using Tor.

    20. Re: Time to get rid of Tor by Anonymous Coward · · Score: 0

      Fb and twit were instrumental for on location reports during rebellions ... Saying otherwise suggests that you are ... ignorant.

      I can accept Twitter being useful due to its straightforward simplicity, but you are the ignorant one if you find any use for Facebook other than to destroy any semblance of privacy.

    21. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      Which OS does this malware run on?

    22. Re:Time to get rid of Tor by flyneye · · Score: 1

      Why doesn't someone infiltrate the forums and out some of the fuckheads buying/selling this so someone can run some "extortionware/revengeware" on their piddly asses? Wouldn't it make great articles? Malware Ring Found Tortured Colombian Style with All Their Assets Missing.
      It'd make a great hobby for some bored sociopath or open new Animal Friendly Hunting opportunities for those turned off by killing innocent animals for sport.
      Name one person on the planet who would even care, besides their mothers. No? I thought not.
      Seasons OPEN!

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    23. Re:Time to get rid of Tor by retchdog · · Score: 1

      I think he has... ahem... balls to assert such a contrarian viewpoint on slashdot.

      But, yeah, he's a loony reactionary. Just ignore him or laugh at him. "Collaborator" is a bit too generous.

      --
      "They were pure niggers." – Noam Chomsky
    24. Re: Time to get rid of Tor by vux984 · · Score: 1

      Fb and twit were instrumental for on location reports during rebellions ... Saying otherwise suggests that you are ... ignorant.

      Instrumental yes. In the same sense that Bic pens were instrumental in me graduating university. However, if there were no bic pens I'd have found something else to use.

      Likewise, twitter was instrumental, in the sense that it got used, but if there had been no twitter, they could have just as easily organized from something else.

    25. Re:Time to get rid of Tor by easyTree · · Score: 1

      ...demands a payment in Bitcoins".

      Seriously? Way to reduce your pool of potential customers to those who know how to make a payment in BitCoin.

      Is this is an ad for BitCoin?

    26. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      News just in from Turkmenistan via Twitter:

      "I like my stapler."

    27. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      Libya - If you're not an Obama apologist is a failed state, run by gangs or would-be tyrants.

      Hint: every country is run by gangs.

    28. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      s/religion/government/

    29. Re:Time to get rid of Tor by jythie · · Score: 1

      It is a rather questionable choice since for a non technical person who has never heard of them, figuring out how to acquire some is somewhat daunting.

    30. Re:Time to get rid of Tor by jythie · · Score: 1

      The US put down multiple rebellions back when the military and civilian populations had the same types of guns. Armed citizens do not really change anything; it does not factor into public policy in any significant way other than fund raising.

    31. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      And weapons.

    32. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      Criminals drive on roads. They also drink water. We should ban water.
      But there is no risk at all of a civil war. We are far too controlled for that to ever happen. If you think a band of vigilantes or a citizens' militia could ever take down the government of any modern Western power, you are living in an alternate universe where reality is somewhat warped out. Get real. That possibility has not existed for a very long time. Politicians in western countries have no fear of the people.

      A People's militia can still happen, it isn't the people that overthrow the government; it's the military who will get pissed off with hearing orders to shoot one's own countrymen, it really is that simple.

      However, there remains the huge problem of kickstarting this armed rebellion, especially when the nation is drugged up on American Idol and other similar TV crap.

      You know your country's doomed when the dumb populace would rather vote for celebrities on reality tv than vote at the ballot box.

    33. Re:Time to get rid of Tor by Anonymous Coward · · Score: 0

      ...and cars too! They enable bank robbers and drug runners to evade police! Let's get rid of hammers because they can be used to break things!

  2. Antivirus by Anonymous Coward · · Score: 0

    not trying to blame the victim, but I wonder if antivirus or anti-malware software will detect these ransomware programs? Just asking. I guess firewalls might be able to detect the Tor server/connections.

    1. Re:Antivirus by Anonymous Coward · · Score: 0

      If the Firewall cannot see it, it should be blocked by default, many businesses already do this; the only exception being port 443 which gets MITM'd by use of an installed certificate clientside.

    2. Re:Antivirus by leuk_he · · Score: 1

      All trojans/bots/ransomware are designed to circumvent antivirus. It is an arms war between viri and anti-virus. At the moment the viri are winning it :(.

      And there is a nasty side effect: real legit tor usage will be detected as malware suspect by antivirus software. So if you have a "good" reason to use tor you might have to disable anti-virus.

    3. Re:Antivirus by Anonymous Coward · · Score: 0

      If a firewall is in the middle, IPS style: Simply have the Firewall deny/drop any packets to and from any IP associated with the Tor network. Exit and non Exit nodes blocked.

      Using bridge nodes? Harder to preempt. But again, if you're in the middle and can see the traffic it shouldn't be too hard to figure out the Tor protocol chatter.

      Next up, whitelisting.

    4. Re:Antivirus by saloomy · · Score: 1

      Technically yes, it can be done, but...
      1. Where is the list of all IP addresses coming from
      2. Who is supposed to manage the white list, or the now very large ruleset in your large organization
      3. Who is supposed to whitelist EVERY SINGLE ip address your computer talks to? Track the connections in your ASA, and you will discover that with phones, tablets, and regular users, a 50 man organization will connect to literally tens of thousands of IPs a day. It's unrealistic to whitelist IPs, especially when you cannot guarantee targets will not update their DNS records when they obtain new IP addresses.
      4. Forget about any P2P application.. not just file-sharing but chat and messaging programs that communicate directly to the client.

    5. Re:Antivirus by Anonymous Coward · · Score: 0

      You can get the IP address of every Tor node old and current right now. You can scrape it yourself or you can simply download a daily list from the internet. Hell, don't SNORT rules have this by default?

      http://torstatus.blutmagie.de/ - You can download a CSV file.

      Bridge nodes are still a problem since anybody can basically act as a proxy to the Tor network. Might be able to block communications by traffic analysis.

      Management of blocking is automated if it's a blacklist. Whitelist would take a lot of effort, I agree. Not very practical, and if you're running a whitelist type regime then Tor was probably never allowed to connect in the first place.
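      As an added example (not code from the thread or from any Tor relay-list site), here is what the blacklist approach from the two posts above looks like in practice: parse a relay-list CSV into a set of addresses, then run outbound firewall log lines through it to flag internal hosts that reached a listed relay. The CSV column names, the log format and all addresses are constructed for the example; a real feed would need to be re-downloaded on the same daily cycle the post mentions, and bridge nodes will never appear in it.

```python
import csv
import io
import ipaddress
import re

# Constructed relay list. The "ip,flags" column layout is an assumption for
# this example, not the real layout of any published Tor node CSV.
RELAY_CSV = """\
ip,flags
198.51.100.10,Exit Fast Running
203.0.113.7,Fast Guard Running
203.0.113.8,Running
"""

# Constructed outbound-connection log lines in an assumed syslog-like format.
FIREWALL_LOG = [
    "2014-07-21T10:01:02 fw1 OUT proto=tcp src=10.0.0.15:49152 dst=203.0.113.7:443",
    "2014-07-21T10:01:05 fw1 OUT proto=tcp src=10.0.0.15:49153 dst=93.184.216.34:443",
    "2014-07-21T10:02:11 fw1 OUT proto=tcp src=10.0.0.22:49200 dst=198.51.100.10:9001",
    "2014-07-21T10:02:30 fw1 OUT proto=tcp src=10.0.0.22:49201 dst=192.0.2.55:80",
]

LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def load_relay_ips(csv_text):
    """Parse a relay-list CSV into a set of IP address strings.

    Malformed rows are skipped rather than aborting the whole load, so one
    bad line in a daily feed does not silently leave the block list empty.
    """
    ips = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ips.add(str(ipaddress.ip_address(row["ip"].strip())))
        except (KeyError, ValueError):
            continue
    return ips


def flag_tor_connections(log_lines, relay_ips):
    """Return (src, dst, dport) for each outbound connection to a listed relay."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") in relay_ips:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


if __name__ == "__main__":
    relays = load_relay_ips(RELAY_CSV)
    for src, dst, port in flag_tor_connections(FIREWALL_LOG, relays):
        print(f"host {src} reached listed Tor relay {dst}:{port}")
```

      Run over the constructed log this flags two hosts (10.0.0.15 and 10.0.0.22) and ignores the two connections to unlisted addresses. The same set lookup works whether the list is used to drop packets at the firewall or, as here, only to alert after the fact.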

    6. Re:Antivirus by Anonymous Coward · · Score: 0

      You're missing the point, your firewall will already be destroyed before the virus even attempts to connect. These viruses use exploits to gain total control and have need to use tor until your system is already taken. There is some good news though, you can hire Liam Neeson for $300! Your firewall will already be destroyed before the virus even attempts to connect.

    7. Re: Antivirus by Anonymous Coward · · Score: 0

      This is the wrong attitude. If you MITM https you are part of the problem.

    8. Re:Antivirus by Anonymous Coward · · Score: 0

      the 'viruses' aren't winning,
      the anti-viruses need them to stay alive - we have (please don't laugh) the technology to defeat 99% of this.
      it just hasn't been deployed.
      process-whitelisting
      tpm's

      the government isn't interested in securing you 100%, they gag microsoft and others to STFU about exploits.
      the anti-virus companies aren't really interested either, all they have to do is keep the bar low and keep swatting the flies.
      by doing that they maintain their source of income, if they set the bar too high then there will only be TRUE hacks not all the bullshit we're used to now-a-days.

      there's a lot more we could be doing to keep our society and our computers cleaner, but until our opsec improves and our government cares...
      FAT CHANCE CUZ NOBODY who's supposed to have your back DOES

    9. Re:Antivirus by Anonymous Coward · · Score: 0

      process-whitelisting
      tpm's

      Disgusting draconian nonsense. No thanks.

    10. Re:Antivirus by goarilla · · Score: 1

      All trojans/bots/ransomware are designed to circumvent antivirus. It is an arms war between viri and anti-virus. At the moment the viri are winning it :(.

      Well it's a reactive business (hopefully) so that's to be expected.

    11. Re:Antivirus by Anonymous Coward · · Score: 0

      then turn it off. :)

    12. Re:Antivirus by Anonymous Coward · · Score: 0

      What's wrong with that. It could even be used as a utility that is off by default (or even installed like EMET.)

      What I would like is a utility like AIX's trustchk. I install my system and update it, then fire off trustchk to do a scan like Tripwire/AIDE and make a list of OK executables. After that, then set it to only execute stuff on the manifest with something like BSD's security level (where it can be changed up, but moving it back down requires a reboot.)

      Unlike Tripwire/AIDE, this would actively block execution of anything that isn't on the whitelist.

      Windows does have this functionality (AppLocker.) Linux desperately needs it. It doesn't have to be signed binaries, but a system that one can run a Tripwire like scan, then lock it down once scanned.
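      As an added example (not from the thread, and not AIX trustchk, Tripwire, AIDE or AppLocker code), this is the scan-then-lock-down logic the post above describes, in user space: walk a tree once to record the SHA-256 of every executable file, then answer "allowed", "modified" or "denied" for any path before it is run. Real enforcement needs a hook in the kernel or loader at exec time; this only shows the manifest and verdict part. The demo() scenario, file names and contents are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """The 'scan' step: record the hash of every executable regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.access(path, os.X_OK):
                continue
            manifest[os.path.realpath(path)] = sha256_of(path)
    return manifest


def verdict(path, manifest):
    """The 'lock-down' step: 'allowed' if the file matches its manifest entry,
    'modified' if it is listed but its contents changed, 'denied' if unlisted."""
    real = os.path.realpath(path)
    if real not in manifest:
        return "denied"
    return "allowed" if sha256_of(real) == manifest[real] else "modified"


def demo():
    """Constructed scenario: two executables are scanned, then one listed file
    is tampered with and an unlisted file is dropped next to them."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good.sh")
        updater = os.path.join(root, "updater.sh")
        for p in (good, updater):
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho ok\n")
            os.chmod(p, 0o755)

        manifest = build_manifest(root)  # system is considered clean at this point

        with open(updater, "a") as f:  # listed file altered after lock-down
            f.write("echo tampered\n")
        dropped = os.path.join(root, "dropped.sh")  # never scanned
        with open(dropped, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(dropped, 0o755)

        return {
            "good.sh": verdict(good, manifest),
            "updater.sh": verdict(updater, manifest),
            "dropped.sh": verdict(dropped, manifest),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

      The manifest keys on the resolved real path so a symlink to an unlisted file cannot borrow a listed file's entry, and the hash comparison is what separates this from a plain path whitelist: a listed binary that is overwritten in place is reported as "modified" rather than allowed.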

    13. Re:Antivirus by gl4ss · · Score: 1

      the firewall - running locally - won't be worth shit, since the code already owns your computer on admin level and can change the firewall rules to whatever.

      much easier if the AV just detects the embedded tor executable/process. generally speaking the av would detect this as it detects any other malware... the tricky part comes from that it's harder to see where the actual control and command for the whole network is.

      --
      world was created 5 seconds before this post as it is.
    14. Re:Antivirus by Anonymous Coward · · Score: 0

      process-whitelisting
      tpm's

      Disgusting draconian nonsense. No thanks.

      More FUD, there's nothing wrong with either of those, as long as the user retains complete control, TPM and even its evil brother, SecureBoot, are only dangerous when you don't have the master keys and cannot instruct how they operate, they can actually improve user security if the user knows what he's doing, they don't need to be disabled because of this ZOMG THEY WANT TO TAKEOVER OUR PCs mentality.

    15. Re: Antivirus by Redmancometh · · Score: 1

      So if I write an application for everyday users I get to pay/request to be added to the whitelist of every AV people use?

      That probably won't kill independent software development.

    16. Re:Antivirus by TMYates · · Score: 1

      Antivirus applications would never be an end all solution in any case. There might be a chance they can catch it, but you have to be up to date on the definitions for most to be able to catch it. Some newer systems may be able to do heuristics and catch potential cases that look malicious, but can have false-positives and false-negatives. Even cases where you have the best of everything and are up to date may not completely eliminate risk. This is where Zero-Day exploits (or unpublished exploits) can find their way in and disable or bypass many of these countermeasures.

      Firewalls would not be helpful for anything other than blocking known ports to command and control servers. In this case, using Tor would be an advantage for the ransomware as it would block any legitimate use you may have for Tor browsing (not that I would allow it for business use in most cases). You are most likely thinking of something like an IDS/IPS system that can sit on the network and sniff out malicious traffic. Some allow for Deep Packet Inspection with SSL decryption. Even that may not cover all cases. If they use custom protocols or a different method for encrypting traffic, it would most likely render such setup useless after an infection. It may help in the initial detection however.

      In the end you can never be 100% covered for anything. I always live by the notion that it is not a matter of IF but WHEN something is going to happen. The best solutions are the simplest. Make sure you have recoverable backups (don't just set them and forget). It also helps to reduce your footprint and exposure as much as possible.

  3. Antivirus by saloomy · · Score: 4, Informative

    not trying to blame the victim, but I wonder if antivirus or anti-malware software will detect these ransomware programs? Just asking. I guess firewalls might be able to detect the Tor server/connections.

    All a firewall will see is encrypted traffic from the computer in the LAN (inside) initiate a connection to a random computer (IP address) on the Internet (outside interface). It's not able to see what is being sent/received, which is the entire reason for Tor's existence... protecting you from Man in the Middle attacks, which in this case, the firewall would be.

  4. Angler PC malware? by lippydude · · Score: 0

    How is it you manages to not once mention Microsoft Windows in that whole article?

    How does the Critroni ransomware get onto the victim’s PC in the first place?

    1. Re:Angler PC malware? by Anonymous Coward · · Score: 0

      How is it you manages to not once mention Microsoft Windows in that whole article?

      How does the Critroni ransomware get onto the victim’s PC in the first place?

      #1, learn to read english.
      #2, learn to write english.
      #3, who gave him a score of 1?

    2. Re:Angler PC malware? by ttucker · · Score: 4, Insightful

      How is it you manages to not once mention Microsoft Windows in that whole article? How does the Critroni ransomware get onto the victim’s PC in the first place?

      Most of this shit is installed by tricking the user with phishing style emails and general social engineering to download attachments. Certainly zero day stuff is a goldmine for malware, but under-informed end users are much more consistently available. The stuff that crypto ransom software holds hostage is heavily concentrated in the user's home directory, so no privilege escalation is required. It is good to be proud of your operating system of choice, but it is smug to think that Linux/OSX/BSD/Solaris will do anything technical to protect from such an attack.

    3. Re:Angler PC malware? by NotInHere · · Score: 1

      Most linux distros have software repositories, and when you only use them (no ppas) to install stuff, you are on the safe side. Windows store only includes metro apps. The lack of a proper software repository mechanism is nothing else than an invitation from microsoft to surf the web for software and download it from there. Another part of this problem is dice, which agrees to display "download here" ads on sourceforge, and google, which doesn't want to disable the "download here" ads.

      Dice and Google make money from being used to spread malware, and tor is blamed for routing C&C? This is just stupid.
      Of course, I've read this, but somehow their efforts were in vain, as I've tried today and got a "free trial windows drivers download now" ad on the vlc download page.

    4. Re:Angler PC malware? by phantomfive · · Score: 1

      Indeed, the rest of us are lucky that there are enough clueless users to distract malware writers. If the focus were on finding all the vulnerabilities in our OS, all of us would be owned.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Angler PC malware? by NotInHere · · Score: 1

      And desktop linux is unfortunately less secure than windows to 0day attacks. I hope wayland fixes this through isolation and privilege separation.

    6. Re:Angler PC malware? by Rhywden · · Score: 1

      You're wrong. The Windows 8.1 app store does include traditional desktop apps. They're rare but the Adobe Reader XI is in the store.

      Also, Microsoft can't very well force companies to only publish through their store...

    7. Re:Angler PC malware? by Anonymous Coward · · Score: 0

      Except that most linux users aren't retards that happy click for Bieber screensavers. No, sorry, this is 99.999% a Windows problem.

    8. Re:Angler PC malware? by murdocj · · Score: 1

      didn't take long for Windows hate to hijack this thread.

    9. Re:Angler PC malware? by Anonymous Coward · · Score: 0

      > I hope wayland fixes this through isolation and privilege separation.

      X already has that with the latest systemd integration.

    10. Re:Angler PC malware? by Anonymous Coward · · Score: 0

      So does this exact exploit work on Linux then, or is your whole argument founded on Fear, Uncertainty and Doubt?

    11. Re:Angler PC malware? by NotInHere · · Score: 1

      No, not at all. What you are referring to is that X server doesn't need uid 0 to run. But still there is, amongst others, the problem that every x application can keylog you: http://hamsterbaum.de/index.ph...
      And taking screenshots from the whole screen or faking user input (also for the whole screen) is also possible for every X application.

    12. Re:Angler PC malware? by ComputersKai · · Score: 1

      Not all Linux applications come from repositories, either.

    13. Re:Angler PC malware? by Billly Gates · · Score: 1

      Not really
      Java is easy to exploit and almost everyone has an obsolete version with dozens of exploits. Double bonus if the user is running XP as a local admin.

    14. Re:Angler PC malware? by Anonymous Coward · · Score: 0

      > No, not at all. What you are referring to is that X server doesn't need uid 0 to run. But still there is, amongst others, the problem that every x application can keylog you

      Well, on that note wayland is no better. Wayland doesn't really prevent keylogging -- the use of client-side decoration allows a malicious client to create a transparent window covering the entire screen in order to get all input events. Even if that were somehow accounted for, the linux environment provides plenty of other opportunities like malicious use of LD_PRELOAD.

    15. Re:Angler PC malware? by Arker · · Score: 1, Informative

      "It is good to be proud of your operating system of choice, but it is smug to think that Linux/OSX/BSD/Solaris will do anything technical to protect from such an attack."

      Well unless you have configured your *nix box to automatically privilege and run windows executables somehow, using a real OS is probably sufficient to stop this attack.

      Is it conceivable that a very similar attack could be written specifically for your OS of choice and do the same job? Yes, it's conceivable, that's right. But it's not in evidence.

      More generally, regardless of OS, this attack wont even trigger if your browser is configured sanely. The exploit kits and injectors all rely heavily on javascript. Make sure it is disabled and you have not only defeated this exploit before it even got started, along with all the others, but you have also taken a positive step towards making the web readable again!

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    16. Re:Angler PC malware? by ttucker · · Score: 1

      Well unless you have configured your *nix box to automatically privilege and run windows executables somehow, using a real OS is probably sufficient to stop this attack.

      You are trying to say that users needing to type chmod +x ./latest_flash_player_youtube.sh, is sufficient protection to prevent end users from running things they shouldn't....

      Ransomware is not prevalent in Linux, but again, it is absurdly naive to think that it couldn't, or that the OS is doing much to prevent it. Again, end user education is key, regardless of OS. Implying to under-informed users that OSX is magically secure against cryptoware, is a recipe for disaster.

    17. Re:Angler PC malware? by ttucker · · Score: 1

      Have you ever actually asked where the software in repositories comes from?

    18. Re:Angler PC malware? by ttucker · · Score: 1

      Even a Java plugin exploit requires some level of social engineering to convince the user to visit the attack page.

    19. Re:Angler PC malware? by Billly Gates · · Score: 1

      The problem is if you install java 6 and early java 7 it will install plugins for your browsers.

      Visit a website and you are 0wned as it runs as full admin since javaw.exe runs as a freaking service with admin privileges! ... facepalm.

      I think the old myth do not click on ads is 2004 knowledge. Unfortunately recent operating systems have terrible GUIs so many run older flavors like 7 and XP which do not have the same level of protections.

      It pulls my hair out to see java 5 and the same users whine I AM INFECTED week after week after week because some beancounter does not want to upgrade to save $1,000 means $10,000 in lost productivity.

    20. Re:Angler PC malware? by NotInHere · · Score: 1

      I haven't reviewed the source code for every single application and update I install. Nor have my distro's packagers. And the software is compiled on some server I don't know, and the server is a single point of failure.
      But still I trust this model more than randomly installing blobs from various websites.
      When I randomly install software from my package repo no ads pop up from the taskbar, and I don't see CPU constantly at 100%. I haven't tried it for randomly downloading Windows software from the internet.

    21. Re:Angler PC malware? by Billly+Gates · · Score: 1

      Linux users are incredibly prideful and naive and feel invulnerable and will not believe you when you claim they are infected. The perfect demographic.

      Arstechnica had something a few months back on Linux malware. It is easier to infect linux users because they feel they are secure and do not run AV software and many run outdated versions because they do not like gnome 3

    22. Re:Angler PC malware? by Arker · · Score: 0

      "You are trying to say that users needing to type chmod +x ./latest_flash_player_youtube.sh , is sufficient protection to prevent end users from running things they shouldn't.... "

      I did not actually say that, but it is probably true. Most users are either a) smart enough to realize they do not actually want to do this or b) not actually capable of pulling it off without help (hopefully, from someone who belongs in category a).)

      However that is NOT what I was saying. The exploits we are discussing rely on Win32 executables, NOT shell scripts. Even if the user manages to slide in between case a) and b) somehow, setting an executable bit on a win32 application will not magically make it work on *nix. You would need to also install WINE and do some intricate configuration magic with it before this would work.

      "Ransomware is not prevalent in Linux, but again, it is absurdly naive to think that it couldn't"

      Notice I explicitly agreed with you that it could be done.

      "Again, end user education is key, regardless of OS. Implying to under-informed users that OSX is magically secure against cryptoware, is a recipe for disaster."

      Yes and no. Certainly end-user education is key, regardless of OS. And certainly it's true that no OS is magically secure against malware. And I think it's correct to say that the OS does nothing to prevent it. But that's looking at it backwards.

      What OSX, and *nix systems in general, should get credit for is not that they *do something to prevent infection* but that they do *less to facilitate infection*.

      Of course, the same things that make Windows an extraordinarily easy target for malware also makes it an extraordinarily easy target for more legitimate programming as well.

      And that, ultimately, is why it was designed that way. Developers, developers, developers! Windows is ultra-friendly to developers, it goes out of its way to make life easy for them, and guess what? A subset of those developers make malware. And the same things that makes Windows easy for one set of developers makes it easy for the other.

      OSX actually deserves some kudos because it *does* make development a little harder here and there, for the benefit of the user. And while saying OSX is 'virus-immune' would be clear BS, saying that it's an effective way for a technically challenged computer user to dramatically reduce their risk of being infected is actually true.

      Linux can be deployed to even better effect on the security front, of course, though I would not recommend it for the technically-challenged unless said user has a friend or family member to help with setup and ssh in occasionally to administer it.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    23. Re:Angler PC malware? by lippydude · · Score: 1

      "didn't take look for Windows hate to hijack this thread."

      So, how does the Critroni ransomware get onto the victim’s Windows PC in the first place?

    24. Re:Angler PC malware? by Anonymous Coward · · Score: 0

      Linux users tend to be not as vulnerable to dancing pigs exploits for a few reasons:

      1: Generally, most Linux stuff is either sitting on a repo and fetchable by yum or apt-get. If it isn't, the user will tend to look for a website with the software and fetch it. If some site demanded a user download stuff, unzip it, chmod 755 it, and run it as root without any explanation, it raises a -lot- more flags than something that appears to be a flash update which gets downloaded and run with 1-2 mouse clicks. Because installing a Trojan on Linux takes a -lot- more work, and is far more different than just clicking "OK" and answering a UAC dialog on Windows.

      2: Linux (and Mac) users as a whole tend to at least have a clue. Some website proffers a "pr0n viewer", they will refuse. Or in reality, Adblock/NoScript stop that stuff before it even displays.

      3: Linux (and Mac) users tend to have some insulation between their systems and E-mail. An attachment on Windows is usually just 1-2 clicks away from being run. However, on Linux, the attachment must be downloaded, extracted, chmod 755, then run.

      4: Cleaning a user account in Linux is fairly easy, due to the limited number of startup areas. Windows, this can be extremely hard since there are a lot of places something can burrow into.

    25. Re:Angler PC malware? by NotInHere · · Score: 1

      The ldpreload attack is not a problem of the compositor, but the configuration of apparmor or SELinux:
      http://mupuf.org/blog/2014/02/...
      http://blog.siphos.be/2011/04/...
      The transparent window attack doesn't work, does it? It seems that it is possible to make a transparent window, but then I doubt the events will be passed on to the applications below. The keylogger would need to fake user input, which isn't possible AFAIK.

    26. Re: Angler PC malware? by Redmancometh · · Score: 1

      No need. I have this newfangled feature called "sources.list."

    27. Re:Angler PC malware? by Anonymous Coward · · Score: 0

      well you certainly disproved the "most Linux users aren't retards" well done

    28. Re: Angler PC malware? by ttucker · · Score: 1

      No need. I have this newfangled feature called "sources.list."

      That file barely tells you where the repositories are. The main question still remains, where did the programs actually come from, who compiled them, and why do you trust any of the parties involved?

      I trust the Ubuntu repositories much more than any app store, but the principle is similar... they could conceivably contain malicious code.

    29. Re: Angler PC malware? by Redmancometh · · Score: 1

      You do have a point, but I trust the Debian repos 100%. They are so behind that I figure if there was malware in them...someone would have said so by now.

      I have yet to hear of a single case of this happening. Granted, that could just mean they are better at covering their tracks..

  5. Firewalls that block suspicious activity by davidwr · · Score: 2

    Time will come when firewalls inspect all outgoing packets and use heuristics to guess how dangerous encrypted traffic might be.

    For example:

    • Whitelisted sites: Encrypted traffic to an IP address previously whitelisted by the firewall vendor or end user? It's whitelisted, let it pass.
    • Heuristically safe sites: Encrypted traffic to an IP address known to be associated with a well-known domain whose DNS is known to be valid and who is known to typically use encryption over this port and whose recent activity hasn't been suspicious? Probably safe.
    • Suspicious traffic to an okay site: Encrypted traffic to whitelisted or probably-safe web sites that is uncharacteristic in size or other known details? Possibly not safe.
    • Unknown site: Encrypted traffic to anyone else who isn't blacklisted? Possibly not safe.
    • Blacklisted site: Encrypted traffic to a blacklisted site? Block it.

    In the middle three groups, give the user a chance to approve/block/whitelist the traffic or, if the user just wants such traffic logged or just wants to see an on-screen alert but doesn't want to be bothered with the "should I block it" question, log it and/or put up a visible notification to the end-user.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
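
    The five-way policy sketched in this comment, applied to constructed flow records as an added example (not code from the thread or from any firewall product): the baseline for "uncharacteristic in size" is a median-plus-MAD test, which is an assumption, as are the TEST-NET addresses and thresholds.

```python
"""Added example (not from the thread): davidwr's five-way encrypted-traffic
policy applied to constructed flow records. All addresses are RFC 5737
TEST-NET values and the thresholds are assumptions."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    encrypted: bool
    bytes_out: int


@dataclass(frozen=True)
class Policy:
    whitelist: frozenset            # IPs approved by the vendor or the end user
    blacklist: frozenset            # IPs known bad
    known_sites: dict               # ip -> {"domain": str, "tls_ports": set}
    recently_suspicious: frozenset  # IPs flagged in the recent past


def uncharacteristic(bytes_out, history, k=4, min_samples=5):
    """True when bytes_out is far outside what this destination usually sees.
    Median + k*MAD is used so a single earlier outlier cannot move the baseline."""
    if len(history) < min_samples:
        return False                                   # no baseline to judge against
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1   # floor avoids a zero spread
    return bytes_out > med + k * mad


def classify(flow, policy, history):
    """Return (category, action) following the cases in the order the post lists them.
    Actions: 'pass', 'ask' (approve/block/whitelist, or log and notify), 'block'."""
    if not flow.encrypted:
        return "cleartext", "pass"                     # outside the scope of this policy
    if flow.dst_ip in policy.blacklist:
        return "blacklisted site", "block"
    site = policy.known_sites.get(flow.dst_ip)
    heuristically_safe = (
        site is not None
        and flow.dst_port in site["tls_ports"]          # typically encrypted on this port
        and flow.dst_ip not in policy.recently_suspicious
    )
    okay_site = flow.dst_ip in policy.whitelist or heuristically_safe
    if okay_site and uncharacteristic(flow.bytes_out, history.get(flow.dst_ip, [])):
        return "suspicious traffic to an okay site", "ask"
    if flow.dst_ip in policy.whitelist:
        return "whitelisted site", "pass"
    if heuristically_safe:
        return "heuristically safe site", "ask"        # probably safe, still a middle group
    return "unknown site", "ask"


# Constructed policy and per-destination history of bytes_out for the baseline.
POLICY = Policy(
    whitelist=frozenset({"198.51.100.10"}),
    blacklist=frozenset({"203.0.113.66"}),
    known_sites={"198.51.100.20": {"domain": "mail.example", "tls_ports": {443, 993}}},
    recently_suspicious=frozenset(),
)
HISTORY = {"198.51.100.10": [1200, 1500, 1100, 1300, 1400]}

if __name__ == "__main__":
    for f in [Flow("198.51.100.10", 443, True, 1350),
              Flow("198.51.100.10", 443, True, 5_000_000),
              Flow("198.51.100.20", 443, True, 2000),
              Flow("192.0.2.77", 8443, True, 2000),
              Flow("203.0.113.66", 443, True, 10)]:
        print(f.dst_ip, f.bytes_out, "->", classify(f, POLICY, HISTORY))
```

    The same whitelisted destination lands in "pass" at a normal size and in "ask" at an outsized upload, which is the distinction the comment is after.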
  6. But Bitcoin is traceable? by Anonymous Coward · · Score: 0

    If Bitcoin is traceable, shouldn't it be possible to trace these malware assholes cashing in?

    1. Re:But Bitcoin is traceable? by ArcadeMan · · Score: 1

      Yes it should be possible, if and when they cash it.

  7. Corporate MITM by davidwr · · Score: 1

    Which is more evil:
    Telling employees "we block all encrypted traffic and snoop on everything else"

    or telling them

    "We MITM all encrypted traffic we can so we can snoop on it, we snoop on everything we can and block the rest"

    or telling them

    "we block all traffic except traffic to the few Internet resources we know you need, and oh by the way we snoop on that"

    or telling them

    "we don't think you need a computer to do your job, if you do need a computer to do your job then talk to your boss and he MAY give you the keys to the one room where there is a computer. Oh, by the way, there are TV cameras all over that room so don't even think about using it for non-business purposes."

    Substitute "school," "institution," or "parent" for "employer" and substitute "student," "client/end-user," or "minor child who the parents deem too young/immature to use the Internet unsupervised" for "employee."

    Speaking of parents, many parenting experts highly recommend that if a kid under a certain age/maturity level wants to use the Internet, he only be allowed to do so under close supervision, as in mom or dad in the room within eyesight of the screen. What age? Experts disagree, but almost all would put the cutoff age where mom can leave the room for a few minutes at somewhere in the elementary school (age 5-12) age range.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re: Corporate MITM by Anonymous Coward · · Score: 0

      Fix the fact that those who use this technology use it to oppress the poor.

      Those who spy must be forced to do so blatantly to avoid massive abuse.

      I am seriously considering adding client side resistance to the medical software I write designed for use across the public internet because of people like you who collect data you have no business collecting.

  8. Hiding bridges by davidwr · · Score: 1

    If counteracting the detecting and blocking of bridge nodes becomes a problem - and it probably will as soon as the Chinese get good at it - someone will find a solution.

    A resource-intensive solution would be to layer the TOR/bridge traffic on top of and steganographically embedded into some seemingly-normal traffic, such as an encrypted streaming video, so that a traffic analysis would say "it's probably just someone watching online TV."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  9. unpatched wetware by davidwr · · Score: 2

    but under-informed end users are much more consistently available

    Question: What's more common and arguably more dangerous than a Windows XP computer that hasn't received any OS updates in the last 2 months?

    Answer: An "unpatched" (naive/uninformed) human operating the keyboard.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. They're using embedded resources... apk by Anonymous Coward · · Score: 0

    To place the Tor.exe file INSIDE the main executable!

    Fairly clever, & FAR easier than duplicating Tor functionality in the exe used itself, by far!

    I've done something QUITE like it in a "Dr. Who" screensaver I wrote in 2006 in fact...

    (I.E./E.G.-> Embedding the .avi for the introduction sequence of the "new" Dr. Who series INSIDE the screensaver & then extracting it out of the .scr Win32 Portable Executable, and playing it back from memory... very fast, & worked - even the folks @ the BBC liked it, but gave me guff over "copyright infringement" & I was giving it away free, no charge, & even offered it to them (more efficient than "FLASH" based ones by far is why, it was a TRUE "stand-alone" Win32 Portable Executable written in Borland Delphi 7.1 is why))

    Anyhow/anyways:

    The technique used, in & OF itself, is cool (& like bitmaps you use in programs, you can store ANYTHING YOU LIKE in an executable really) in & of itself, except these morons (which is what I think of ANY malware maker) are using that technique for bogus stuff like this instead...

    APK

    P.S.=> I don't care HOW they *try* to "hide" their C&C Servers either... why? Once they're known, they are EASILY DEFEATED by another program of mine (even FastFlux &/or Dynamic DNS utilizing botnets, the MOST dangerous + advanced type there is which also functions on host-domain names as well) here & EASILY mind you -> http://start64.com/index.php?o... using a TRUE "Sun-Tzu like idea" of taking advantage of the strengths &/or nature of the opponent himself (in these botnets' usage of host-domain names in this case)... apk

    1. Re:They're using embedded resources... apk by NotInHere · · Score: 1

      I guess your host file program is very superior (it uses 64 bit, that is very future-proof) and so on and so on, but even *if* the C&C servers were known, they could only be defeated if your host program were installed on the tor exit relays. As I guess most run linux, you should port your host program to linux, and encourage its installation on the tor mailing list. Tor doesn't use "normal" DNS -- it uses its own which is routed through the tor network also. The exit relays do the DNS request for you. Otherwise it would be too simple to trace the traffic from the DNS usage.

  11. Re:Misconception by Billly+Gates · · Score: 1

    Once I imaged a computer and opened IE to go download Firefox and other apps and my webcam went on instantly! Ad appeared doing a fake AV scan all from msn.com since computer had 0 updates yet it was 0wned.

    Had to reimage again.

    XP users really are in trouble and you don't need social engineering. Just IE, no updates, reader, or Java. Scary stuff.

    It is why I don't run ancient operating systems, updates, and never use a root or admin account.

  12. Antivirus LiveCDs - boot and scan your system by Anonymous Coward · · Score: 0

    + AVG:
    http://www.avg.com/us-en/avg-r...

    + AVG ARL: The latest release version of the AVG Rescue CD GNU/Linux (ARL) with daily updated virus database,
    latest alpha or beta version of the ARL and all the resources needed to build the ARL from scratch.
    Releases are signed!
    https://share.avg.com/arl

    + Avira:
    https://www.avira.com/en/downl...

    + BitDefender:
    http://download.bitdefender.co...

    + Comodo Rescue Disk (CRD):
    https://www.comodo.com/busines...

    + Dr.Web LiveCD & LiveUSB:
    http://www.freedrweb.com/livec...
    http://www.freedrweb.com/liveu...

    + F-Secure:
    https://www.f-secure.com/en/we...
    https://www.f-secure.com/en/we...

    + Kaspersky:
    http://support.kaspersky.com/f...
    http://support.kaspersky.com/v...
    http://forum.kaspersky.com/ind...

  13. Re:Antivirus reactive tech loses (I don't)... apk by Anonymous Coward · · Score: 0

    by way of comparison! It also self-checks itself @ startup vs. std. exe alteration (every program SHOULD do that, but they don't).

    you're right, self-checks are another good under-used protection, even if they can be bypassed through tunneling etc.
    another thing is, CA enforcement of websites is one thing - standard CA enforcement of signed-executables would be nice at the OS level.
    not just driver subsystem.
    sure it won't defeat scripts and exploits as mentioned earlier.
    but man would that cut down on fast-flux executables.
    and it's waaaaaaaaay better than a traditional white-list.

  14. Correct me *IF* I am wrong, but... apk by Anonymous Coward · · Score: 0

    The C&C Servers are what is communicated back against (as well as serving up exploits payloads etc. @ times also & IF they don't? Blocking out the payloads servers does the job... which hosts CAN do) - IF/WHEN I block that, should it NOT be disabled for communication, even via TOR?

    * Fill me in...

    (As far as "porting" it to Linux? I've thought about it... wouldn't be hard - & I WISH Borland didn't KILL Kylix (was Delphi for Linux for the most part) - however - there IS FreePascal & it's "Lazarus" IDE, which is VERY CLOSE to the Delphi IDE, & from what I understand, an ALMOST clone of its compiler commandset too! Thus, it IS, doable...)

    APK

    P.S.=> See - I guess I don't *fully* understand TOR (as I don't use it myself, tried it once - TOO damned slow, just like anonymous proxies are, same idea iirc for the most part afaik - correct me IF I am wrong/off here too... I can stand to learn by it as I *admit* I do NOT "know it all" & can learn as much as the next guy since this field changes so fast & dynamically)

    ... apk

    1. Re:Correct me *IF* I am wrong, but... apk by NotInHere · · Score: 1

      The C&C Servers are what is communicated back against (as well as serving up exploits payloads etc. @ times also & IF they don't? Blocking out the payloads servers does the job... which hosts CAN do) - IF/WHEN I block that, should it NOT be disabled for communication, even via TOR?

      blocking C&C can at least stop the bad guys from integrating your computer into a botnet. correct me if I'm wrong, but hosts only changes the host file? The host file blocks a website only when the OS' DNS is used, but tor has its own DNS, not even using the usual DNS port, but tunneling everything through a https-like connection.

      * Fill me in...

      (As far as "porting" it to Linux? I've thought about it... wouldn't be hard - & I WISH Borland didn't KILL Kylix (was Delphi for Linux for the most part) - however - there IS FreePascal & it's "Lazarus" IDE, which is VERY CLOSE to the Delphi IDE, & from what I understand, an ALMOST clone of its compiler commandset too! Thus, it IS, doable...)

      APK

      P.S.=> See - I guess I don't *fully* understand TOR (as I don't use it myself, tried it once - TOO damned slow, just like anonymous proxies are, same idea iirc for the most part afaik - correct me IF I am wrong/off here too... I can stand to learn by it as I *admit* I do NOT "know it all" & can learn as much as the next guy since this field changes so fast & dynamically)

      ... apk

      The first time I tried tor it was also very slow, but after some years I tried again and now it's usually fast enough even for videos. Sometimes (seldom) a relay is slow, then wait 10 minutes or choose another circuit.

  15. Backups by fisted · · Score: 1

    As so often, the solution is called "Backup".

    1. Re:Backups by mlts · · Score: 1

      I wonder how many generations of ransomware we will see before backups come back into "style". It used to be in the '90s that people actively did some type of backups, and even PCs shipped with some form of tape drive. Then disks got cheap, and offsite storage became viable, so backups were not done, or if done, were just kicked to the cloud.

      Any backup is better than none, but I wouldn't be surprised if the next generation of ransomware would either encrypt files slowly (but use a shim driver to decrypt stuff until it is done, and then completely zap all decryption keys and tell the user to pay up), or if it does notice a backup program being run, actively or passively corrupt it... or just erase the hard disk or the file share it is being backed up to. A simple TRIM command would make the data on a SSD unrecoverable. An overwrite of a directory synced with a cloud service will make that unrecoverable.

      I wouldn't mind seeing tape come back, as it isn't slow, and it is relatively cheap (I've seen ads for LTO-6 tapes for $10 each.) The drives are pricy [1], but tapes are reliable [2], LTO4 and newer have AES-256 encryption in hardware (and very easy to turn on, be it by third party software, the tape silo's web page, or the backup utility.) A tape sitting on a shelf takes zero energy to store (other than HVAC), and if dropped, unless there is major physical damage, it is almost certain the media will be usable.

      Will tape be 100% against malware? Nope. However, it keeps the data offline, so that a single "erase everything" command won't touch the data [3]. One can buy WORM tapes to protect against erasure/tampering as well, as well as flip a write protect tab.

      In a ransomware scenario, WORM tapes would be very useful, especially if the malware decides to try to force an erase on all backups. The fact that tapes tend to be offline brings even more security since if the tape isn't physically in the drive, it can't be touched. Again, nothing is 100%, but the barrier for ransomware to destroy all backups goes a lot higher with offline media than with cloud storage or an external HDD.

      I wouldn't mind seeing backups be done again, and done in a smart, time-tested way... done to local, archival grade media that is very inexpensive, but yet super reliable.

      [1]: I think there is a market niche for USB3 tape drives at the consumer level. Newer drives have variable speeds to minimize/prevent "shoe-shining", and with all the space on a tape, if areal densities similar to HDD are present, it would store quite a lot of data, even with multiple layers of forward-ECC. LTO tape drives are even bootable so a bare metal restore can be done with just the tape in hand and the drive on the machine, no other media.

      [2]: In the past decade at multiple IT shops, I've gone through thousands, possibly tens of thousands of LTO tapes. The total number of tapes that I introduced to the degausser were fewer than five, and all the errors thrown when read/written were all soft errors, so all data was recoverable. This is pure anecdotal evidence, but it has impressed me personally on the reliability of these drives. It is wise to have a backup process of rotating tapes and having some task just verify data when nothing else is going on, and goes without saying to use multiple media just in case hard read errors do happen.

      [3]: One can tell a tape silo to zero out all tapes sitting in it, but that is going to take some time, and not be instant. It can be done... but if one has a basic offsite procedure in place (where all tapes leaving get the write protect tab set), even this can be mitigated without much time and effort.

    2. Re:Backups by Nyder · · Score: 1

      As so often, the solution is called "Backup".

      Also you could not store your documents in the "My Documents" folder, make a folder on your C drive, store your docs, pics & important stuff in that. So if you do get cryptoransomed they will have done the wrong files.

      --
      Be seeing you...
    3. Re:Backups by Voyager529 · · Score: 1

      As so often, the solution is called "Backup".

      Also you could not store your documents in the "My Documents" folder, make a folder on your C drive, store your docs, pics & important stuff in that. So if you do get cryptoransomed they will have done the wrong files.

      That will only take you so far. With so many programs defaulting to the My Documents folder, it'd be annoying at best to have to point to c:\realdocs "because viruses". The user could point the "My Documents" folder to c:\realdocs, but now we're in the same boat again. Even if a user decided it was worth the hassle to deprecate the use of the system variable, c:\realdocs would still be accessible by the same user. From Windows' security standpoint, there's no difference between the user being attacked by ransomware, and the user adding a password to an Excel sheet. Thus, ransomware doesn't need root privileges to mess up a user's files.

      Even beyond that, the next generation of ransomware wouldn't exactly need a foundational rewrite to go to %user%\recent and see where those files point to and encrypt all the .docx, .xlsx, and .qif files there. I'm sure that somewhere in userland, there's some indication as to where the Dropbox/OneDrive/Gdrive folders are, and encrypting all that stuff. Even less complicated would be to search all available hard drives for user generated file types. .dll files wouldn't be worth it, but .qbw files very much would be. Ultimately, trying to thwart an attack of this nature would be of limited success, because from the most literal of standpoints, the virus is doing nothing different than what a user would be doing.

      Amongst the things that makes this kind of attack so successful is that very problem: if you're trying to prevent outbound traffic at the firewall, you've already lost, basically. How does security software distinguish, technically, between a cryptovirus taking a file hostage, and a user passwording a file with WinRAR and uploading it to SpiderOak? That, good friends, is a question that I pay ESET a nontrivial sum to discuss and determine.

  16. Re:Misconception by ttucker · · Score: 1

    I think XP users are in trouble too, and there is not much to save them.

  17. Make it embedded XP ... by CaptainDork · · Score: 1

    There's a registry hack that I've applied to Windows XP and I'm getting security updates ...

    --
    It little behooves the best of us to comment on the rest of us.
  18. Hosts override ANY DNS (even local)... apk by Anonymous Coward · · Score: 0

    Hosts are, as I stated in my original reply you 1st replied to, the 1st resolver queried (overriding ALL others, especially external ones, & iirc, even a local DNS server you run yourself, needless complexity & redundancy though it is unless it is specifically a DNS server for a network that is, & yes, ROOM for BREAKDOWN).

    E.G. from Windows registry:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
    "Class"=dword:00000008
    "DnsPriority"=dword:00000007
    "HostsPriority"=dword:00000006
    "LocalPriority"=dword:00000005

    (LOWER = more priority/first in order)

    Hosts ARE part of the IP Stack, & thus? Even a DNS "rides on that" & has to obey them...

    ---

    Blocking the C&C Servers also STOPS communicating BACK to the "hq" of the botnet, even IF/WHEN you are already infested too (not just stopping integration BEFORE it can even start mind you, because of that blockage I just noted...)

    * :)

    APK

    P.S.=> I don't bother with TOR - from what I understand, it puts you on an "NSA hitlist" & other law enforcement agencies as well (NOT worth it for that reason alone, as well as slowness, imo @ least)... apk

    1. Re:Hosts override ANY DNS (even local)... apk by NotInHere · · Score: 1

      That might be true if the application is using the OS provided network stack, e.g. with DnsQuery. However AFAIK nothing prevents an application from bringing its own DNS stack which queries external DNS, ignoring the host file. Does the OS block outgoing requests on port 53?
      And, as I've said before, the DNS in TOR doesn't use the OS provided DNS. It uses its own one.
      Blocking the C&C perhaps stops communication to the hq, but that doesn't help when the virus is written to first encrypt the HDD and then wait for further commands from C&C.

  19. What about the opposite? by Anonymous Coward · · Score: 0

    On the opposite side, even though this sounds horrid, maybe ransomware might do some good. Back in the MS-DOS/early Windows days, it took viruses blasting out the BIOS firmware, bricking motherboards, zapping controllers on hard disks, and frying monitors (back in the days where you tell a multisync monitor to use a frequency it didn't know, it blew the flyback transformer.)

    Maybe ransomware being common may be a good thing. It would spur users to be proactive and not depend on the OS to protect them against themselves.

  20. Block rogue DNS servers via hosts by Anonymous Coward · · Score: 0

    I've got tons of rogue DNS servers blocked in hosts, so that's not effective either. In fact, THAT's why it's done: Those rogue DNS servers are provided by the makers of the hosts file data my application imports it from (12 of them from the security community in fact) for that very reason...

    APK

    P.S.=> Your point on encrypting the HDD is also moot when blocking access to the infestor/infector in the 1st place (which hosts does) occurs - you can't get sick by what you can't be exposed to, period... apk

    1. Re:Block rogue DNS servers via hosts by NotInHere · · Score: 1

      Blocking ips using a hosts file... I'm sorry but I don't know of any way of doing this.
      Even if it were possible, Tor uses no "rogue DNS" servers, and does not use any DNS directly; the DNS is tunneled to the exit relay which then invokes the DNS request. Any block by any firewall or ISP DNS fails here -- not just DNS request blocks like the hosts files, but also IP level blocks. This is what TOR was invented for.

  21. Silver Lining by Anonymous Coward · · Score: 0

    The 'silver lining' of all this is of course that millions more people will get added to the NSA/GCHQ/etc 'watch lists' for using Tor. That's great news for everyone because:

    1) It floods the watchlists with lots of innocent people, all of whom have to be checked, verified and cleared in some manual (aka. expensive) way
    2) Should anyone ever say "you use Tor, that means you must be a terrorist/paedo/whatever", you can probably say "Tor? No, I don't use that, but I did have a nasty bout of malware on my kids computer".
    3) Tor gets in the news some more. Any publicity is good publicity and all that

    Yay! bring on the malware - remember folks, to take advantage of this fantastic offer, please don't use Linux ;-)

  22. You conceded my point on rogue DNS @ least by Anonymous Coward · · Score: 0

    Now on IP addresses : They're FAR less used (& you'd have to be silly to click on a link that uses one, as you have literally NO real way to check on it first ordinarily in a browser alone typically (there are tools for it though)).

    IP Addresses are also FAR easier to shutdown vs. say, Dynamic DNS using botnets for instance (& tying MANY hostnames to a single IP in FastFlux botnets merely involves finding another hosting provider - yes, usually a bogus one - to change that for the "flocks" of host-domain names those use too)

    You're meandering from the topic, which IS that this botnet (our subject) uses host-domain names iirc (feel free to correct me there if you wish though).

    So it's @ least good to see your "point" on DNS was easily nullified regarding rogue DNS servers malware uses (possibly/potentially, however - not usually, as it represents a LOT more work, or, changing DNS settings in the Operating System for the IP stack (e.g. -> DNSChanger, look that up, IF you have to...)).

    HOWEVER: On your point?

    I use Firewall rules tables, & even vs. tracking (on /. & other sites too -> http://yro.slashdot.org/commen... )

    * :)

    (As you can plainly see? I've got "All the bases covered" & (can't resist this, lol) "ALL YOUR BASE, ARE BELONG TO US" as far as your points of contention vs. my own...).

    Additionally - hosts CAN ALSO DEFEAT DNSBL's like TOR by the way (via hardcodes) as well as DNS request logs (& does so, FAR FASTER than the incredibly SLOW TOR... hosts actually ADD speed - whereas TOR steals it, and puts you on NSA "hitlists" for using them as well iirc which is in & of itself, NOT worth it imo!)

    APK

    P.S.=> I *think* you'll really LIKE that firewall rules table (speeds you up & secures you vs. what you DON'T see HERE, & yes - on other sites too, served up by IP Address - which admittedly, hosts do NOT stop (but is FAR LESS USED as well vs. host-domain names which hosts DO stop))... apk

    1. Re:You conceded my point on rogue DNS @ least by NotInHere · · Score: 1

      To bring this back to the original topic: you know what a command and control is? I hope so. My posts have only covered the time after the malware was already installed on the device. Not before. Of course you won't get the virus when you click a link "download here" which leads into nothingness. And yes, you are right, single IPs are easier to fight than DNS entries in remote countries, spread over the world. I just said that IPs cannot be blocked by a hosts file, and I say that it makes no sense to give a DNS server a DNS entry, which would have to be resolved first using a DNS server, but the only one available needs a DNS lookup before working, and so on and so on.

      The only cause that justifies this /. story is that this malware was the first ransomware that used an onion address for C&C, not just "tor alone". It would gain almost no advantage when it then exited the tor network again through an exit node. It would still have needed some DNS entry somewhere. Onion addresses are almost impossible to take down.

      Please explain: what are hardcodes?

      TOR isn't slow anymore. Try it. Today. Then come back and tell me your opinion about the speed of tor, but don't yell tor *is* slow while not having tried it recently (you may yell tor *was* slow though).

  23. You run a HUGE risk (bogus TOR nodes) by Anonymous Coward · · Score: 0

    *IF* you truly *think* that all TOR nodes are legit? You've got another think coming...

    (E.G./I.E.-> think the NSA isn't on THAT like "white-on-rice"? Guess again IF you think not! Using TOR is a risk to get THEM on your back as well, which again, imo @ least? IS NOT WORTH IT by a longshot as well as the tremendous speed-hit incurred using TOR!)

    APK

    P.S.=> That's in addition to my other points (like TOR stealing speed, whereas hosts add it AND do much more as well in terms of security, reliability, & even anonymity (vs. DNS request logs + DNSBL's, doing what TOR can, faster) -> http://it.slashdot.org/comment... )

    ... apk

  24. OK you CAN take down onion addresses by NotInHere · · Score: 1

    but no one wants to do that. Doing it would mean to be responsible for subsequent takedowns, and what is seen as illegal in one country may be the opposite in another country, and you would need to establish a system for takedown, which can be misused for censorship.

  25. My program stops your point (NSA stops TOR) by Anonymous Coward · · Score: 0

    By blocking sources of malware you note: Your point's moot & you run HUGE risks via TOR http://it.slashdot.org/comment... (you say NOBODY wants to stop TOR & it's tech? Beg to differ - Do YOU know who the NSA is & what they do vs. it, by setting up bogus TOR nodes & endpoints?) - think about that.

    * You may wish to verify my firewall rules table I pointed out too (which I verified using either netstat -ano OR network latency viewer by Nirsoft) - it works on the IP addressed stuff you DON'T SEE (ala trackers here on /., & yes, other sites too...).

    APK

    P.S.=> Again - you CAN'T BE BURNED by what you CAN'T TOUCH in the 1st place... apk

  26. Beg to differ (NSA does & YOU TOO using it) by Anonymous Coward · · Score: 0

    This says it all -> http://it.slashdot.org/comment...

    You note censorship: Unfortunately, it IS a fact of life (that hosts help you get around too, & speed you up doing it via hardcodes, unlike TOR slowing you down + putting you @ legal risk as well) - @ least communist block nations (ala China for example) are honest about it... it happens here too though (even on /. via the MAIN sockpuppet driven unjustifiable downmod "truncheon used in lieu of conversation" by parties looking to "further their OWN agenda" when logical factual information is put forth they cannot validly combat with counter point facts & logic... or doesn't the term "sockpuppet marketing" &/or HBGary ring a bell there too?)

    APK

    P.S.=> It's YOUR LIFE man, not mine... & TOR is slow, there is NO real way around it (unless you run your own local setup serving it I suppose, & per that link above, THEN, you are *REALLY* running a risk (lol, unless you're the NSA doing it, right?))...

    ... apk

  27. Hardcodes = FASTER than remote DNS by Anonymous Coward · · Score: 0

    They also use less moving parts + electricity than local DNS, & are proof vs. Kaminsky flaw redirects which 99.999% of ISP DNS' are STILL not patched vs., even ~ 10++ yrs. AFTER a patch exists (they avoid it due to MX records screwups iirc).

    Hosts also aid in securing you there, & making your connects MORE reliable (easily verified by reverse dns ping tech for those "favs" of yours in my app here too -> http://start64.com/index.php?o... in its "Speedup Favorites" tab... )).

    APK

    P.S.=> TOR's slow no matter WHAT you do (unless you run your own node/endpoint/exit node etc. & serve it too) - especially vs. the speed hosts yield (blocking banners & faster local favs resolutions vs. remote dns with FAR less moving parts + direct end user control too), as well as the reliability + security features (vs. malicious code bearing sites, all types of botnets & vs. DNS redirect security issues), reliability (vs. downed or redirect poisoned DNS), & anonymity as well (like TOR, vs. DNSBL blocks + dns request logs)... apk

  28. Antivirus "reactive tech" fails (I don't)... apk by Anonymous Coward · · Score: 0

    Even Aryeh Goretsky of NOD32/Eset won't take my challenge the other day -> http://it.slashdot.org/comment...

    See subject!

    Even Symantec/Norton ADMITS their tech is "Only 55% effective" vs. TODAY'S threats http://it.slashdot.org/story/1... ...

    Why?

    They're mostly delivered via bogus javascript & self-altering .exe files (I note it here http://it.slashdot.org/comment... using exe resources to store things, a viable way of doing that, altering the file vs. detects, + using self-encrypting exe's to go with it + exe compression)

    "Complex" techniques once mastered are effective vs. antivirus.

    I note it in a program I wrote that's not "REACTIVE" TECH & is PROACTIVE in nature by way of comparison!

    Self-checks itself @ startup vs. std. exe alteration (every program SHOULD do that, but they don't) too.

    (Works on a simple principle of "what you can't touch, can't harm you" blocking out SOURCE + C&C Servers used in hosts generated by 12 reputable sources in the security community e.g. MalwareBytes' hpHosts (who host it for me & recommend it as "best of breed"), MVPS, etc.))

    It works vs. resource embedding malicious executables, since hosts blocks the SOURCE (once C&C is known)

    As a BONUS?

    IF you're infected this method STALLS THE MALWARE'S ABILITY TO "talk to HQ for orders" too!

    Multiple bonus + MORE speed, security, reliability, & even anonymity from 1 single file you already have.

    (An unjustifiable downmod vs. the last time I posted this -> http://it.slashdot.org/comment... = YOU FAIL! & you know it, I KNOW IT, & so do all reading (proving my points)).

    APK

    P.S.=> Another simple effective principle it works on is this (even disassembler of the MORRIS worm, Spafford, recommends using what you natively have vs. bolting on more complexity & room for breakdown + exploit):

    "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"

    ...apk
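    The two threads above disagree on what a hosts-file blocklist actually covers: comment 22.1 (NotInHere) says a hosts file cannot block IP-literal connections and that an onion address never touches DNS, while comment 28 (APK) describes the hosts approach as stalling a known C&C hostname. The script below is an added illustration, not code from either poster or from any of the blocklist projects they mention: it parses a constructed blocklist in the common `0.0.0.0 hostname` format and classifies a constructed set of outbound destinations as blocked, not listed, or bypassing the hosts mechanism entirely. All hostnames, IPs and the `.onion` string are made up for the example; the function names are the example's own.

```python
"""Added example: what a hosts-file blocklist does and does not stop.

Everything below (blocklist lines, destinations, helper names) is
constructed for illustration and does not come from the thread.
"""
import ipaddress
from typing import Dict, Iterable

# Constructed sample in the "sinkhole-IP hostname" format used by
# hosts-file blocklists; '#' starts a comment, as in a real hosts file.
SAMPLE_HOSTS_BLOCKLIST = """\
# constructed sample blocklist, not a real feed
127.0.0.1  localhost
0.0.0.0    evil-c2.example          # hypothetical C&C hostname
0.0.0.0    tracker.example
0.0.0.0    update.evil-c2.example
"""

# Constructed destinations a piece of malware might try to contact.
SAMPLE_DESTINATIONS = [
    "evil-c2.example",
    "EVIL-C2.example",         # different case; hosts lookups are case-insensitive
    "cdn.evil-c2.example",     # subdomain not listed: hosts files have no wildcards
    "203.0.113.7",             # IP literal (TEST-NET-3): no name lookup happens at all
    "abcdefghijklmnop.onion",  # onion address: resolved inside Tor, never via hosts
    "tracker.example",
]

# Addresses blocklists point names at so the connection goes nowhere.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Loopback names that legitimately map to 127.0.0.1 and are not blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {lowercase hostname: ip}.

    A later line for the same name overrides an earlier one, which is
    the common resolver behaviour for duplicate hosts entries.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, ignore
        ip, *names = parts
        for name in names:
            table[name.lower().rstrip(".")] = ip
    return table


def is_ip_literal(dest: str) -> bool:
    """True when the destination is an IPv4/IPv6 literal (no DNS involved)."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def classify(dest: str, table: Dict[str, str]) -> str:
    """Classify one destination against a parsed hosts table.

    Returns one of: 'blocked', 'not-listed', 'bypass-ip-literal',
    'bypass-onion'.  The two bypass classes are the cases where the
    hosts file is never consulted, so a listing there cannot help.
    """
    if is_ip_literal(dest):
        return "bypass-ip-literal"
    name = dest.lower().rstrip(".")
    if name.endswith(".onion"):
        return "bypass-onion"
    if name not in LOCAL_NAMES and table.get(name) in SINKHOLE_ADDRESSES:
        return "blocked"
    return "not-listed"


def evaluate(destinations: Iterable[str],
             hosts_text: str = SAMPLE_HOSTS_BLOCKLIST) -> Dict[str, str]:
    """Classify every destination against the given blocklist text."""
    table = parse_hosts(hosts_text)
    return {d: classify(d, table) for d in destinations}


if __name__ == "__main__":
    for dest, verdict in evaluate(SAMPLE_DESTINATIONS).items():
        print(f"{dest:26s} -> {verdict}")
```

    Run as-is, the output shows the exact-match hits as `blocked`, the unlisted subdomain as `not-listed`, and the IP literal and onion address as bypasses. That is the practical takeaway from the exchange: a hosts file is a name-level control, so it complements rather than replaces an egress firewall or proxy that can act on IP addresses and on Tor traffic.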

  29. Please do by davidwr · · Score: 1

    I am seriously considering adding client-side resistance to the medical software I write designed for use across the public internet because of people like you who collect data you have no business collecting.

    Please do.

    The only ones of the examples I listed in the grandparent post that I plan on implementing are those in the role of a parent.

    When I have a 6 year old kid who is using the Internet, no amount of "client-side resistance" that you add is going to stop me from seeing what's on the screen as I watch my kid use the computer.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.