Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec Antivirus Products Vulnerable To Horrid Overflow Bug (zdnet.com)

Posted by msmash on from the we-are-doomed dept.

An anonymous reader writes: Tavis Ormandy of Google's Project Zero team has discovered a vulnerability in Symantec Antivirus Engine. The said engine is vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files, reports ZDNet. "Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site," Symantec said. "No user interaction is required to trigger the parsing of the malformed file." For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process, Ormandy said in the Project Zero issue tracker. "On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability -- this is about as bad as it can possibly get," he said.The vulnerability, if exploited, results in kernel memory corruption without user action and instant blue-screening on Windows.

79 comments

  1. Why does this matter? by Anonymous Coward · · Score: -1, Troll

    Does anyone still use Symantec? Yeah, I didn't think so. This matters to all of three neckbeards. I'll get modded down to -1 for asking this because Slashdot users can't handle the truth. All three of the neckbeards still using Symantec probably have mod points.

    1. Re:Why does this matter? by Anonymous Coward · · Score: 0

      Wait I am confused when you put neckbeards and symantec in the same sentence. That is like complete polar opposites.

    2. Re: Why does this matter? by Anonymous Coward · · Score: 5, Funny

      Lots of organizations use Symantec. Some Slashdot readers actually have jobs at such organizations and would therefore find this information useful. You don't because you're in your mom's basement with your NetBSD computers.

    3. Re:Why does this matter? by Anonymous Coward · · Score: 1

      We use Symantec Endpoint Protection. We tested over a dozen anti-virus systems, and it was the least worst. It's still pretty bad. I import and test .ova file (Open Virtualization Archive) imports several times a day. With Symantec enabled, it takes about four hours for a 2Gbyte compressed image. With it off, it usually takes less than ten minutes. Unfortunately my boss won't let me get rid of Windows since most of our customers use VirtualBox on Windows.

    4. Re:Why does this matter? by xxxJonBoyxxx · · Score: 1

      >> Wait I am confused when you put neckbeards and symantec in the same sentence

      This. No one buys Symantec unless their company culture consumes enterprise marketing pieces like "Gartner MQs" to figure what to buy.

    5. Re: Why does this matter? by Anonymous Coward · · Score: 1

      He's writing angry letters to the president in emacs under a single light bulb hanging from its own power wire.

    6. Re:Why does this matter? by Anonymous Coward · · Score: 0

      Should be +5

      CAPTCHA: inequity

    7. Re:Why does this matter? by darkain · · Score: 1

      Actually, sadly, yes, organizations use this shit. I've seen a few Bring Your Own Device networks (such as college campuses) that force you to install whatever "security" bullshit they shove down your throat in order to be allowed to access their network. One such thing I came across was indeed Norton's shitware.

    8. Re:Why does this matter? by Tablizer · · Score: 1

      Does anyone still use Symantec?

      People ticked off by McCrapfee

      --
      Table-ized A.I.
    9. Re:Why does this matter? by Joe_Dragon · · Score: 1

      what happens when the mac or Linux box try to get on?

    10. Re:Why does this matter? by jgtg32a · · Score: 3, Informative

      SEP has RPM and DEB packages

    11. Re:Why does this matter? by Anonymous Coward · · Score: 0

      Because McAfee is so bad, I wouldn't give it to my worst mortal enemy. Cough *US Government* Cough

    12. Re:Why does this matter? by Anonymous Coward · · Score: 0

      SEP has RPM and DEB packages

      If there wasn't a reason to run Solaris, there is NOW...

    13. Re:Why does this matter? by EvilSS · · Score: 0

      Does anyone still use Symantec? Yeah, I didn't think so. This matters to all of three neckbeards. I'll get modded down to -1 for asking this because Slashdot users can't handle the truth. All three of the neckbeards still using Symantec probably have mod points.

      This troll is getting old fast. I'll get modded up to 420x10^69 for saying this because Slashdot users are unicorns who poop pepper jack burgers.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    14. Re:Why does this matter? by Anonymous Coward · · Score: 0

      My God, your government is run by FBI-incompatible neckbeards!

    15. Re: Why does this matter? by eumoria · · Score: 1

      My company insists on using it. We're small, though, so maybe one day I'll convince them that having it and not having it is basically the same thing except with one you spend a lot of money for no reason.

    16. Re:Why does this matter? by Joe_Dragon · · Score: 1

      does it push them at login? let you hit the repos to get the dependencies?

    17. Re:Why does this matter? by Anonymous Coward · · Score: 0

      I have over 100 customers ranging from 15 to 250 workstations all running SEP.

      A lot of my local competition also uses SEP.

      This is a huge problem.

    18. Re:Why does this matter? by Gumbercules!! · · Score: 1

      You know what, years back I worked at a place that used Symantec Endpoint Protection - and you're actually correct. Management absolutely loved Gartner. The CTO even had a Gartner Magic Quadrant of innovative companies on his wall. Every IT meeting (which was a monthly 2 hour snooze fest) started with an update from Gartner.

    19. Re:Why does this matter? by Gumbercules!! · · Score: 1

      To be fair, Symantec and Norton are not at all the same thing.

    20. Re: Why does this matter? by Anonymous Coward · · Score: 0

      > Some Slashdot readers [...] would [...] find this information useful.

      I do. Mainly for pouring mockery over my colleagues. Ahhh... schadenfreude. Endorphines and that.

      Thank you for this one!

    21. Re:Why does this matter? by Anonymous Coward · · Score: 0

      FYI, this is a troll.

      https://news.slashdot.org/comments.pl?sid=9120239&cid=52129387

    22. Re:Why does this matter? by KlomDark · · Score: 1

      SEP is a cheap, easy, and staggeringly useful way of safely protecting something from unwanted eyes. It can run almost indefinitely on a torch (flashlight)/9 volt battery, and is able to do so because it utilizes a person's natural tendency to ignore things they don't easily accept, like, for example, aliens at a cricket match. Any object around which an S.E.P. is applied will cease to be noticed, because any problems one may have understanding it (and therefore accepting its existence) become Somebody Else's. An object becomes not so much invisible as unnoticed.

      A perfect example of this would be a ship covered in an SEP field at a cricket match. A starship taking the appearance of a large pink elephant is ideal, because you can see it, but because it is so inconceivable, your mind can't accept it. Therefore it can't exist, thus ignoring it comes naturally.

      A S.E.P. can work in much the same way in dangerous or uninhabitable environments. Any problem which may present itself to a person inside an S.E.P. (such as not being able to breathe, due to a lack of atmosphere) will become Somebody Else's.

      An S.E.P. can be seen if caught by surprise, or out of the corner of one's eye.

    23. Re:Why does this matter? by ncc74656 · · Score: 1

      SEP has RPM and DEB packages

      ...and what would their response be if you showed them something like this on your Linux box?

      salfter@files ~ $ sudo apt-get install symantec-shitware
      -bash: apt-get: command not found

      Do they tell you you're SOL?

      --
      20 January 2017: the End of an Error.
    24. Re:Why does this matter? by Culture20 · · Score: 1

      My guess is they'd actually transfer the .deb or .rpm and use dpkg or rpm to install, not apt or yum. If you use gentoo, they'd emerge apt or rpm, or perhaps in the end tell you you're SOL.

  2. We herd u like liek... by Anonymous Coward · · Score: 0

    This really isn't surprising and shows a fundamental weakness in not just the software, but this approach to "security" in general. You're trying to make up for holes in other programs by adding more code to the festering heap, now in the kernel, thereby pulling out all the stops and safeguards, yet you kept on using the same languages, techniques, "coders", approaches, patterns, and so on, that made the code you're trying to make up for so vulnerable. In short, you've putten your foot in trying to kid yourself. But hey, it's a living, right?

    This is the "computer security" industry in a nutshell, this time without its trademark verbal abuse, just naked and getting laughed at.

    1. Re: We herd u like liek... by Anonymous Coward · · Score: -1

      LOL JEWS DID 9/11

  3. That's awesome by easyTree · · Score: 1

    Irony Overflow Exception.at lines one to infinity.

    --
    Requiem for the American Dream
  4. That's because Symantec is run by LUDDITES! by Anonymous Coward · · Score: -1

    If Symantec started apping apps instead of LUDDITE software, then none of this would be possible because only apps can app apps!

    Apps!

    1. Re: That's because Symantec is run by LUDDITES! by Anonymous Coward · · Score: 0

      I think saying "app apps" should trigger the lameness filter. Let's make sexconker move on to more original material.

    2. Re: That's because Symantec is run by LUDDITES! by Anonymous Coward · · Score: 0

      Luddites don't appreciate the appiness of posts like this. You have to app apps to be appy.

  5. A thing of beauty by cyriustek · · Score: 3, Interesting

    Tavis Ormandy is bad ass, and is really awesome at finding bugs. Whether it is Microsoft, Symantec, or anything else, he will find a bug if one is there.

    This is a beautiful bug! Having the scan engine loaded into the kernel is sheer lunacy. Yet even more evidence on why AntiVirus is a useless and dangerous program to have running on your system.

    1. Re:A thing of beauty by tlhIngan · · Score: 4, Insightful

      This is a beautiful bug! Having the scan engine loaded into the kernel is sheer lunacy. Yet even more evidence on why AntiVirus is a useless and dangerous program to have running on your system.

      Well, on one hand, it does make some sense. Windows still has the equivalent of a system call table, but it is hookable and the antivirus program will monitor who's hooking the system calls. In addition, it too will hook the system calls to be able to scan files the second they're downloaded as well as be able to block creation of processes using infected files, which helps block infection. It also means many user-space tricks are no longer valid (a user space scanner is vulnerable to malware that can hide itself inside the kernel).

      So it does make some sense to have a part of your scanner inside the kernel itself.

      Of course, the downside is your scanner is now the target of .attack because well, it's a nice juicy place to attack.

    2. Re:A thing of beauty by cant_get_a_good_nick · · Score: 1

      wasn't NT at one point a microkernel? Wouldn't at some point you be able to vector this into user space libraries?

  6. The cure is worse that the disease on linux. by clockley(571021718) · · Score: 1

    Linux users would have been better off without Symantec antivirus or any av for that matter.

    1. Re: The cure is worse that the disease on linux. by clockley(571021718) · · Score: 1

      That/than

  7. so what you're saying is... by dAzED1 · · Score: 1

    Symantec actively makes Linux and UNIX less secure? Because other than the insanity Lennart Poettering gave us, I fail to see what a proper UNIX system would need with a symantec scanner. It's been far too long now for the myth of UNIX being insecure in the same ways (note the wording...) to still persist.

    1. Re: so what you're saying is... by Anonymous Coward · · Score: 0

      I can think of a great reason to run an antivirus on Linux or Unix. If I'm running a mail server or a server that hosts files that Windows users might run, it can be useful to scan them for viruses. I prefer to be safe, though, even when running Linux. So before I open documents from other people (who I know and trust) in Libreoffice, I do a quick scan with clamav. Now there's no good reason to put the antivirus in the kernel, but it can serve a legitimate purpose.

    2. Re: so what you're saying is... by basecastula+ · · Score: 1

      What I have wondered, is how many windows specific pieces of malware work in wine? How many pieces of pirated software, that contain malware, are still abe to reach out to the world when run via wine?

    3. Re: so what you're saying is... by Anonymous Coward · · Score: 0

      In my experience - none work on Wine. It seems that the Wine developers failed to implement all the exploits necessary.

  8. Yes! by c · · Score: 4, Funny

    When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server.

    Points to Symantec for eating their own dog food, I guess.

    --
    Log in or piss off.
    1. Re:Yes! by powerlord · · Score: 1

      When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server.

      Points to Symantec for eating their own dog food, I guess.

      Maybe ... but points off for having the Dog Food manufactured in China.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  9. only a neckbeard such as yourself by Anonymous Coward · · Score: 0

    would try so hard for first post

  10. I wonder how long it will take... by Mike+Van+Pelt · · Score: 4, Insightful

    This isn't "as bad as it gets" yet. However, "Kernel memory corruption leading to blue screens" is "random stuff got sprayed across the kernel memory". If you can do that, and if you can get a handle on what got sprayed where... then, you have a decent chance of being able to improve that to "Kernel memory corruption leading to remote code execution. In Ring 0."

    And that's as bad as it gets.

    1. Re:I wonder how long it will take... by Anonymous Coward · · Score: 0

      You mean BSOD is not an Intentional Remote Invocation ?

      Someone call Microsoft.. they got some.. xplainin to do..

  11. Found the LUDDITE! by Anonymous Coward · · Score: -1

    Clearly this LUDDITE is too dumb to be capable of using modern appy apps, and has to resort to using LUDDITE software like Symantec instead!

    Apps!

    1. Re:Found the LUDDITE! by Anonymous Coward · · Score: 0

      Appcelerator

  12. MOD PARENT UP +11111111 INFINITY BUFFER OVERFLOW by Anonymous Coward · · Score: 0

    very informative

  13. Babel Fish by Anonymous Coward · · Score: 0

    I would rather take a Babel Fish, please.

  14. Of the largest AV manufacturers by Anonymous Coward · · Score: 0

    the only two that really deliver are F-Secure and Kaspersky. That's just how it is. The others either are either sup-bar, contain spyware, or even have security flaws. If you spend money on the bigger AV programs, and you are buying from any other vendor than F-Secure and Kaspersky, then you're just gambling.

    1. Re:Of the largest AV manufacturers by gweihir · · Score: 1

      You are kidding yourself. These two may look better at the moment, but they have the same problems. AV has become a massive security risk.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  16. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  17. Actually, there's a few levels left. by Anonymous Coward · · Score: 1

    Find a similar bug in a SMM (ring -1) handler in your UEFI BIOS... or perhaps in the various subsystems both intel and amd keep on strewing over their offerings that include complete RTOSes running in ring -2 or -3, or in the LOM, maybe on a processor embedded in the southbridge, which might run diddled Chinese firmware complete with diddle-hider, or.... And yes, that southbridge thing sits on a management NIC and gets its input from there before the rest of the system even sees it, so any exploit more or less has to be remote.

    Nope, there's really no end to the depth of the rot. Please note that for most of these at least promising proof-of-concepts already exist, and where not publicly known often strong hints are available that someone must have developed such a thing anyway. And yes, there really are that many OSes running on various parts on a modern computer. Hey, who knows, maybe the microcode can somehow be triggered too.

  18. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  19. Because it runs on AIX and Solaris... by mlts · · Score: 1

    Yes, it is a waste of time, but McAfee and Symantec both have ICSA certified AV solutions which run on Linux, Solaris, HP-UX, and AIX. This is crucial in a lot of environments to make the legal eagles happy, and check that box off that "all computers run a certified AV solution", even if the machines are LPARs or LDOMs.

    Sounds idiotic, but PCI-DSS and other specs can require this, even though the AV software, at best, will be deadweight.

    1. Re:Because it runs on AIX and Solaris... by viperidaenz · · Score: 1

      You mean they require a specific set of certified attack vectors to be installed on every machine?

    2. Re: Because it runs on AIX and Solaris... by Anonymous Coward · · Score: 0

      TGe first rule of AV protection is "entry/exit points only" - why would you want to have AV on all servers?
      Here's your sign.....

  20. Solved LiveUpdate by Anonymous Coward · · Score: 0

    All updates to the scan engine come via LiveUpdate, so run LiveUpdate (which probably is running daily or even multiple times a day and you are solved. There is no need to push out a new version of SEP to fix this. Symantec has addressed this already https://www-secure.symantec.co...

  21. This is BETTER antivirus than antivirus by Anonymous Coward · · Score: -1

    See subject & APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity. Compliments firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.

    Ads rob bandwidth/speed paid for, security (adnetwork abuse), privacy in tracking + anonymity.

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogtrackers) natively. Hosts != blockable by ClarityRay (vs. souled-out to admen inferior wasteful redundant slow usermode browser addons)

    Works vs. caps & HTTP PUSH ads w/ firewalls.

    Avg. webpage = big as Doom http://www.theregister.co.uk/2...

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & yes it's safe" http://forum.hosts-file.net/vi... )

    1. Re: This is BETTER antivirus than antivirus by Anonymous Coward · · Score: 0

      Only LUDDITES use LUDDITE host files! Modern app appers use APPS to app other apps!

      Apps!

    2. Re:This is BETTER antivirus than antivirus by Anonymous Coward · · Score: 0

      This is BETTER antivirus than antivirus

      OK then, question for you. How does this protect my users against, say, the latest CryptoWall whose C&C server is an IP address in Balochistan that was set up an hour ago? Your software stops this somehow? If not, how is it "better antivirus than antivirus?"

  22. This is BETTER antivirus than antivirus by Anonymous Coward · · Score: -1

    See subject & APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity. Compliments firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.

    Ads rob bandwidth/speed paid for, security (adnetwork abuse), privacy in tracking + anonymity.

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogtrackers) natively. Hosts != blockable by ClarityRay (vs. souled-out to admen inferior wasteful redundant slow usermode browser addons)

    Works vs. caps & HTTP PUSH ads w/ firewalls.

    Avg. webpage = big as Doom http://www.theregister.co.uk/2...

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & yes it's safe" http://forum.hosts-file.net/vi... )

  23. automated fix already out by synthe · · Score: 2

    Unless you don't update AV definitions, this is a nonissue. The AV definition files dated 5/16/16 rev24 included an updated av engine component that fixes this vulnerability. By the time I heard of this issue, our SEPM server had already downloaded the defs with fixed engine and 3/4 of our enterprise was already up to date.

    1. Re:automated fix already out by gweihir · · Score: 1

      I beg to disagree. This shows that the scanning engines are of low(est) quality and run in places they should not. While this particular bug is now fixed, the underlying problem is very much not so.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:automated fix already out by Anonymous Coward · · Score: 0

      BS. If you're not in the kernel, stuff can hide from you there. It not only should be there, it MUST be there to do its job effectively,
      In other news, bugs are possible. Who knew? It's not like they already fixed this particular one or anything... Oh wait.

    3. Re:automated fix already out by gweihir · · Score: 1

      You are seriously claiming that a file-scan engine needs to be in the kernel? You are even more stupid that the average AC moron.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  24. This is BETTER antivirus than antivirus by Anonymous Coward · · Score: 0

    See subject & APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity. Compliments firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.

    Ads rob bandwidth/speed paid for, security (adnetwork abuse), privacy in tracking + anonymity.

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogtrackers) natively. Hosts != blockable by ClarityRay (vs. souled-out to admen inferior wasteful redundant slow usermode browser addons)

    Works vs. caps & HTTP PUSH ads w/ firewalls.

    Avg. webpage = big as Doom http://www.theregister.co.uk/2...

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & yes it's safe" http://forum.hosts-file.net/vi... )

  25. TFA Description Understates Impact by AlphaBro · · Score: 1

    "instant blue-screening"? How about kernel-mode code execution, hence why "this is about as bad as it can possibly get".

  26. Most stupid design possible by gweihir · · Score: 1

    You would think that of all things, scanning engines of AV products would have buffer-overflow protection in place. But apparently, these are the same bad 3rd-rated coders that are responsible for the problem in the first place. And doing this in kernel-space? How insane can you get?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  27. Duh by Anonymous Coward · · Score: 0

    It's meant to protect your computer(not really), not itself.

  28. Well done Symantec by Anonymous Coward · · Score: 0

    You eventually turned antivirus into virus.

  29. wew by Anonymous Coward · · Score: 0

    Google cucks publishing irrelevant 0days while keeping even the good ones and selling them to NSA.

  30. 1 hr. ago odds protect you! by Anonymous Coward · · Score: 0

    See subject: That hasn't propogated thru DNS even (takes up to 24 hours iirc) & my hosts data sources update in that time so you'd be protected (most likely).

    * All the rest of what I wrote makes it better than antivirus (less moving parts for exploit or breakdown, less resource use, & more speed vs. LESS OF IT as Antivirus slows you down + is vulnerable as hell (not a 1st for Mr. Ormandy our subject & others finding exploitable buffer overflows & such in antivirus - FAR from it, especially lately...)

    APK

    P.S.=> Now I have to ask you - what have YOU yourself created that does the same or better? apk

    1. Re:1 hr. ago odds protect you! by Anonymous Coward · · Score: 0

      See subject: That hasn't propogated thru DNS even (takes up to 24 hours iirc) & my hosts data sources update in that time so you'd be protected (most likely).

      There is no DNS. The CryptoWall comes in a .js file coded to connect directly to an IP address and download the payload. How is your "better antivirus than antivirus" going to protect me?

      P.S.=> Now I have to ask you - what have YOU yourself created that does the same or better? apk

      I haven't claimed to create any such thing. You, on the other hand, are advertising your creation as "better antivirus than antivirus." I'm trying to figure out how your creation is supposedly better than antivirus. As far as I can tell, it does absolutely nothing to protect against common ransomware threats.

  31. A scan engine should be in the kernel by Anonymous Coward · · Score: 0

    Just like font rendering and other cool things such as scroll bars https://news.ycombinator.com/item?id=9031419

  32. Ok, vs. CryptoWall this protects you then by Anonymous Coward · · Score: 0

    0.0.0.0 host.vivialvarez.com.ar
    0.0.0.0 kw.projetoraizes.com.br
    0.0.0.0 net.jacquieleebrasil.com.br
    0.0.0.0 bintiye.helpthevets.org
    0.0.0.0 mcimaildmz.dinnerplate.co.uk
    0.0.0.0 candidulumbestuurlijk.newlandsierrarealestate.com
    0.0.0.0 frageboegen-plletyksin.breastcanceroutreach.com
    0.0.0.0 reikleivn-azarashi.orlandohomesbydevito.com
    0.0.0.0 litigators.esteroscreen.com
    0.0.0.0 vivialvarez.com.ar
    0.0.0.0 projetoraizes.com.br
    0.0.0.0 jacquieleebrasil.com.br
    0.0.0.0 helpthevets.org
    0.0.0.0 dinnerplate.co.uk
    0.0.0.0 newlandsierrarealestate.com
    0.0.0.0 breastcanceroutreach.com
    0.0.0.0 orlandohomesbydevito.com
    0.0.0.0 esteroscreen.com
    0.0.0.0 qrwzoxcjatynejejsz.com
    0.0.0.0 yfczmludodohkdqnij.com
    0.0.0.0 ranetardinghap.com
    0.0.0.0 cetinhechinhis.com
    0.0.0.0 tedgeroatref.com
    0.0.0.0 rerobloketbo.com
    0.0.0.0 tonthishessici.com
    0.0.0.0 allofuslikesforums.com
    0.0.0.0 oqpwldjc.mjobrkn3.eu
    0.0.0.0 mjobrkn3.eu
    0.0.0.0 maisto.com
    0.0.0.0 rp4roxeuhcf2vgft.onion.to
    0.0.0.0 rp4roxeuhcf2vgft.onion.cab
    0.0.0.0 rp4roxeuhcf2vgft.onion.city
    0.0.0.0 onion.to
    0.0.0.0 onion.cab
    0.0.0.0 onion.city

    * Putting those in your custom hosts file stops this thing cold... & I never said "hosts cure all" (but they do a LOT MORE for a LOT less...)

    APK

    P.S.=> Courtesy/Credits to http://researchcenter.paloalto... AND https://www.proofpoint.com/us/... ... apk

  33. Eat your words: Cryptowall's from malvertising by Anonymous Coward · · Score: 0

    Zedo specifically & malvertising stopping's a HUGE PART of what my program prevents infection from - C&C list to stop it versions 1.x-4.x:

    1.x (source https://barracudalabs.com/2014... )

    hindustantimes.com, bollywoodhungama.com, one.co.il, codingforums.com, mawdoo3.com, zedo.com, c1.zedo.com, c2.zedo.com, c3.zedo.com, c4.zedo.com, c5.zedo.com, ss1.zedo.com, static.rcs7.org, xenon.asapparts.com, rcs7.org, asapparts.com

    2.x-3.x (source http://blogs.cisco.com/securit...):

    paytordmbdekmizq.tor4pay.com, tor4pay.com, paytordmbdekmizq.pay2tor.com, pay2tor.com, paytordmbdekmizq.tor2pay.com, tor2pay.com, paytordmbdekmizq.pay4tor.com, pay4tor.com,
    eportfolio.ccpullman.ca, ccpullman.ca, www.mg-unterburg.ch, mg-unterburg.ch, www.sportantiques.co.uk,
    sportantiques.co.uk, www.drk-wettringen.de, drk-wettringen.de, www.rock-times.com, rock-times.com, www.footstepphotography.co.uk, footstepphotography.co.uk, www.choosingcruising.co.uk, , choosingcruising.co.uk, www.felixwoman.com, felixwoman.com, www.projetorideal.com, projetorideal.com,
    www.jimcole.be, jimcole.be, www.jes.or.at, jes.or.at, or.at,
    artpartner.cz, www.meihuainfo.com, meihuainfo.com, www.grekiskaforeningen.com, grekiskaforeningen.com, www.cup-neumann.de, cup-neumann.de, ww.areaverda.com, areaverda.com, , www.yemekyapmak.com, yemekyapmak.com

    4.x (source http://www.tripwire.com/state-... ):

    abelinda.com, purposenowacademy.com, mycampusjuice.com, thegingod.com, yahoosupportaustralia.com, successafter60.com, alltimefacts.com, csscott.com, smfinternational.com,
    lexscheep.com, posrednik-china.com, ks0407.com, stwholesaleinc.com, ainahanaudoula.com, httthanglong.com, myshop.lk, parsimaj.com, kingalter.com, shrisaisales.com, cjforudesigns.com, mabawamathare.org, manisidhu.in, adcconsulting.net, frc-pr.com, , localburialinsuranceinfo.com, smfinternational.com, 3wzn5p1ylumh7ak.j.paypartnerstodo.com, j.paypartnerstodo.com, paypartnerstodo.com, 3wzn5p1ylumh7ak.j.allepohelpto.com, j.allepohelpto.com,
    allepohelpto.com, 3wzn5p1ylumh7ak.j.barklpaypartners.com, j.barklpaypartners.com, barklpaypartners.com, 3wzn5p1ylumh7ak.j.maverickpaypartners.com, j.maverickpaypartners.com, maverickpaypartners.com,

    * What's that you said that my program doesn't stop "Common Ransonware Threats"?

    APK

    P.S.=> My last post also puts down another 'variant' of it in CryptXXX / Locky... want JAKU too? apk

  34. Gone silent now? Gosh, why's that?? by Anonymous Coward · · Score: 0

    See subject: These 2 posts PUT YOU AWAY easily https://it.slashdot.org/commen... + https://it.slashdot.org/commen...

    * YOU are in MASSIVE ERROR = why (see you quoted below)!

    * :)

    (You unidentifiable trolls - you're ALL THE SAME, & stupid... shouldn't open your mouths when I can SLAM THEM SHUT so easily...)

    APK

    P.S.=>

    "I'm trying to figure out how your creation is supposedly better than antivirus. As far as I can tell, it does absolutely nothing to protect against common ransomware threats" - by Anonymous Coward on Wednesday May 18, 2016 @02:18PM (#52136785)

    See the above links & "tell us another one" since CryptXXX & Cryptowall use host-domain names which I have blocked in hosts (& as far as javascript usage? Use a GOOD browser that allows you to use it ONLY where you absolutely need it, otherwise, you're stupid (like you))... apk