30 November 2009 Changes (HHH)
------------------------------

1. Action: Handled a nasty DNSWCD Malware domain
   Added:  BadDomains[i++] = ".a013.com"; // DNSWCD Malware - 2009-11-03
   Reason: They seem to come and go, but there are always some there.

2. Action: New Omniture tracking code
   Added:  BadURL_WordStarts[i++] = "omniture\.js"; // PRIVUS Tracker - 2009-11-04
   Reason: This one does NOT stop the call to the *.2o7.net hosts or aliases like the omniture_code.js, s_code.js or s_code_remote.js scripts do. But it is obvious they are using this stuff internally.
   { 2010-01-23: Rule is now public. }

3. Action: New tracker to me but not to Airelle
   Added:  BadURL_Parts[i++] = "webiqonline"; // DNSWCD Tracker - 2009-11-05
   Reason: http://www.deltafaucet.com/ has webiq005.webiqonline.com and this IS a DNSWCD.

4. Action: Added a new SPAM IP rule
   Added:  BadNetworks[i++] = "222.170.127.122, 255.255.255.255"; // SPAM - 2009-11-05
   Reason: It looked to be the new IP for the hosts in the embedded URLs in my SPAM email in my GMail account.

5. Action: Added a temporary Malware rule
   Added:  BadURL_WordStarts[i++] = "flash-hq-plugin"; // Malware - 2009-11-07
   Reason: I don't know all of the patterns they have to construct a proper REGEXP, so for a while I will just add them as they come. In this case the HQ is all upper case, but since the PAC filter lower-cases everything it works.

6. Action: Added yet another personal Omniture PERSONAL rule
   Added:  BadURL_WordStarts[i++] = "sitecatalystinclude\.js"; // PRIVUS Tracker - 2009-11-07
   Reason: SiteCatalystInclude.js is the actual string but this works. The reason I am adding all of these is that you don't even need to know what their IP address space or anything else is. I noticed EasyPrivacy has some other rules. If I release these to the author of that list they may or may not include them. All I know is that if they are there the *.2o7.net host or an alias to it never gets called because the JavaScript is just stripped out.
   This particular one is used at this web-site among others: http://www.link.schlage.com (What is to prevent some hacker from opening your door as well? I could see random turning on of lights, vacuum cleaners, etcetera, but opening a door from your cell phone or the Internet is a BAD idea.)
   { 2010-01-23: Rule is now public. }

7. Action: Raised the level of the cock rule in both files.
   Date:   2009-Nov-07 04:17 UTC
   From:   BadHostParts[i++] = "[^hn]cock";
   To:     BadURL_Parts[i++] = "[^hn]cock"; // Malware - 2009-11-07
   (The comment was added to both files, but the From rule was deleted from the dbgproxy / proxy files and replaced entirely with the To: rule there.)
   Reason: SHUTTLECOCK! What else is there out there? We have white-listed the one and only host I know where the problem exists at - i.i.com.com, a tracker. See #8 next for how I handled it.

8. Action: Added a white-list rule for i.i.com.com
   Added:  GoodDomains[i++] = "i.i.com.com"; // cock - 2009-11-07
   Reason: I am temporarily raising the "cock" rule from Host to URL status in both the proxy* and pornproxy* files. AFAIK, this is the only host where I had problems with it and the pattern was "shuttlecock". I have tried to block this tracker and gave up - the EasyPrivacy subscription for ABP is about the best you can get.

9. Action: Added a Brazilian Ad Server
   Added:  BadDomains[i++] = ".hotwords.com.br"; // DNSWCD AdServer - 2009-11-07
   Reason: It isn't so much that it does anything wrong. It is just that it is an Ad Server. It doesn't really capitalize on its DNSWCD status - the number used by nascarbrasil.com was ads5426.hotwords.com.br. The number is the number of the client. My activation of the hot rules is what caught it.

10. Action: Added another tracking type script BUT PRIVATE FOR NOW
    Added:  BadURL_Parts[i++] = "ads\.php"; // PRIVUS Tracker - 2009-11-07
    Reason: I want to make sure I am not whacked first before I give this one to others.
    { 2010-01-23: Rule is now public. }

11. Action: Dropped the scope of the "cock" rule.
    From:   BadURL_Parts[i++] = "[^hn]cock"; // Malware - 2009-11-07
    To:     BadURL_Parts[i++] = "[^ehn]cock"; // Malware - 2009-11-07
    Reason: False positive discovered by Rodney, alias DomainAnalysis.

12. Action: Just in case
    Added:  GoodDomains[i++] = "blockacountry.com"; // SECURITY - 2009-11-11
    Reason: As wonderful as it sounds that you would block access to your web site from being modified by country, they are doing it all by country IPs alone. What is to prevent a hacker from going through a compromised site in la-la county in wa-wa state in the US? But this IS a good site to do a quick check of what IP addresses each country has. I got them for China.

13. Action: Swapped experimental rule
    From:   BadHostWordStarts[i++] = "0x"; // PRIVUS Malware - 2009-10-27
    To:     BadHostParts[i++] = "rx"; // PRIVUS - SPAM - 2009-11-12
    Reason: I have already had false positives with the first and got nothing. Let's try the other one since it will stop a KNOWN spammer pattern.
    { 2010-01-23: The rule is now public with LOTS of exclusions! Why the exclusions? False positives. But I added another start rule to prevent it. }

14. Action: garwarner.blogspot.com - has security stuff
    Added:  GoodDomains[i++] = "garwarner.blogspot.com"; // SECURITY - 2009-11-14
    Reason: Information that rules will hit. Also a good source of current patterns. The problem is, the instant the hosts lists hit his blog they are gone. What I am counting on is the hackers overlooking the tiny PAC filter and trying to repeat the scheme six months to one year later.

15. Action: nacha.org phish
    Added:  GoodDomains[i++] = "nacha.org"; // Phish - 2009-11-15
            BadHostWordStarts[i++] = "nacha\.org"; // Phish - 2009-11-15
    Reason: garwarner.blogspot.com - 2009-11-12

16. Action: irs.gov phish
    Added:  GoodDomains[i++] = "irs.gov"; // Phish - 2009-11-15
            BadHostWordStarts[i++] = "irs\.gov"; // Phish - 2009-11-15
    Reason: garwarner.blogspot.com - 2009-11-10

17. Action: Changed the designation for three rules
    Date:   2009-Nov-15 08:07 UTC
    From:   GoodDomains[i++] = "myspace.com"; // PROXY
            GoodDomains[i++] = "myspacecdn.com"; // PROXY - 2009-07-27
            BadHostParts[i++] = "myspace"; // PROXY
    To:     GoodDomains[i++] = "myspace.com"; // Phish - 2009-11-15
            GoodDomains[i++] = "myspacecdn.com"; // Phish - 2009-11-15
            BadHostParts[i++] = "myspace"; // Phish - 2009-11-15
    Reason: garwarner.blogspot.com - 2009-11-09. The rules caught it AS IS. I didn't need to change a thing. Well, I did change the comments, but either way something (ANYTHING) pretending to be MySpace cannot be a good thing. Let's go for the general article, MySpace.com.

18. Action: Changed the designation for two rules
    Date:   2009-Nov-15 08:26 UTC
    From:   GoodDomains[i++] = ".facebook.com"; // PROXY
            BadHostParts[i++] = "facebook"; // PROXY
    To:     GoodDomains[i++] = ".facebook.com"; // Phish - 2009-11-15
            BadHostParts[i++] = "facebook"; // Phish - 2009-11-15
    Reason: garwarner.blogspot.com - 2009-11-01. Again, the rules caught it AS IS. All I changed were the comments. In the past other PROXY rules HAVE CAUGHT MALWARE for me. They will do it again!

19. Action: fdic.gov phish
    Added:  GoodDomains[i++] = "fdic.gov"; // Phish - 2009-11-15
            BadHostWordStarts[i++] = "fdic\.gov"; // Phish - 2009-11-15
    Reason: garwarner.blogspot.com - 2009-10-27

20. Action: Added Airelle's rules for "zzz"
    Added:  BadHostWordStarts[i++] = "zzz"; // PRIVUS Spam - 2009-11-15
            BadHostWordEnds[i++] = "zzz"; // PRIVUS Spam - 2009-11-15
    Reason: I don't want to put this into the URL, but it should not cause any problems at the hosts level. If that works we can then experiment with the "zzz" at the URL level. Rodney can try the "000" at the URL level (do not bother with the hosts level for it). The other rule is just too short to even try (I even got rid of the "0x" host rule).
    { 2010-01-13: NOTHING blocked, so it is probably French, so I will make them public with the comment "French spam". Drop these PRIVUS rules to the URL level and see what happens. }

21. Action: Added some rules for the joerobertrocks fiasco
    Added:  BadNetworks[i++] = "212.95.58.115, 255.255.255.255"; // DNSWCD mybeliefs.info - 2009-11-15
            BadNetworks[i++] = "212.95.58.121, 255.255.255.255"; // DNSWCD wegoodentertainment.info - 2009-11-15
            BadDomains[i++] = ".wegoodentertainment.info"; // DNSWCD - WebBug - 2009-11-16
    Reason: Instead of going away like I thought, they are going to stay for the rest of eternity. Okay, then these rules are going in for eternity. So are all their hosts that are sub###.wegoodentertainment.info into the hosts file. Thousands of 500,000+ byte PHP scripts hitting your browser?

22. Action: Added a whole bunch of experimental tracker and ad server rules. Some are active, some aren't.
    Added:  // BadURL_Parts[i++] = "adcheck\.fcgi"; // YOUR CHOICE Tracker - 2009-11-16
            // BadURL_Parts[i++] = "analytics"; // YOUR CHOICE Tracker - 2009-11-16
            BadURL_Parts[i++] = "counter\.js"; // YOUR CHOICE Tracker - 2009-11-16
            BadURL_Parts[i++] = "eluminate"; // YOUR CHOICE Tracker - 2009-11-16
            // BadURL_Parts[i++] = "googlead"; // YOUR CHOICE AdServer - 2009-11-16
            BadURL_Parts[i++] = "loglib\.js"; // YOUR CHOICE Tracker - 2009-11-16
            // BadURL_Parts[i++] = "track\.[(g|j|p)]"; // YOUR CHOICE Tracker - 2009-11-16
            // BadURL_Parts[i++] = "utm\.js"; // YOUR CHOICE Tracker - 2009-11-16
            BadURL_Parts[i++] = "webtrekk\.js"; // YOUR CHOICE Tracker - 2009-11-16
    Reason: I have been trolling for trackers by going to web sites as they were advertised on TV. This is the result. Some of them have rather convoluted REGEXP rules in the EasyPrivacy subscription or EasyList subscriptions for ABP, so I have those commented out. I didn't want them private. Others may need them.

24. Action: Loosened youtube.com rule so you can go to it direct
    From:   GoodDomains[i++] = ".youtube.com";
            GoodDomains[i++] = "youtube-nocookie.com"; // 2009-10-05
    To:     GoodDomains[i++] = "youtube.com"; // Malware - 2009-11-17
            GoodDomains[i++] = "youtube-nocookie.com"; // Malware - 2009-10-05
    Reason: I was going to add a "youtube" rule but then I realized I replaced it with the "tube" rule. We give up nothing with this change - BadYouTube.com gets blocked.

25. Action: Added more AD and TRACKER rules
    Added:  BadURL_Parts[i++] = "tracking\.[(g|j|p)]"; // YOUR CHOICE Tracker - 2009-11-17
            BadURL_Parts[i++] = "wunderloop"; // AdServer - 2009-11-17
    Reason: This is a steady march while I have the time to add as many TRACKERS and AD PUSHERS as I can. In reality, I don't think the first two will do a thing. They are HIDDEN and thus I should really cede them to ABP.

26. Action: Tracker over-ride, but they track the Zeus Trojan
    Added:  GoodDomains[i++] = "zeustracker.abuse.ch"; // SECURITY - 2009-11-19
    Reason: https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist Think of losing the tracker rule?

27. Action: Expanded counter rule to CGI scripts
    From:   BadURL_Parts[i++] = "counter\.js"; // YOUR CHOICE Tracker - 2009-11-16
    To:     BadURL_Parts[i++] = "counter\.[(c|j)]"; // YOUR CHOICE Tracker - 2009-11-16
    Reason: www.directrix.ru/cgi-bin/counter/counter.cgi

28. Action: Some more DNSWCD rules
    Added:  BadDomains[i++] = ".internetserviceteam.com"; // DNSWCD Malware - 2009-06-06
            BadDomains[i++] = ".linkbucks.com"; // DNSWCD WebBug - 2009-11-20
    Reason: hpHosts added no less than 11369 for the first domain and 2329 for the second. WHAT FOR? These rules handle ALL of them. The first rule was already there. I am just mentioning it because of this phenomenon.

29. Action: Three more rules from the UAB grist mill
    Added:  GoodDomains[i++] = "mydomain.com"; // Phish - 2009-11-23
            BadHostParts[i++] = "mydomain"; // Phish - 2009-11-23
            BadURL_WordStarts[i++] = "flashinstaller"; // Malware - 2009-11-23
    Reason: http://garwarner.blogspot.com/

30. Action: Added a rule to avoid a false positive & block phishers
    Added:  GoodDomains[i++] = "discovercard.com"; // Phish - 2009-11-23
            BadHostParts[i++] = "discovercard"; // Phish - 2009-11-23
    Reason: Rodney had a false positive there. It does not take a genius to figure out that somebody, some place along the line. I cannot add the others right now, but PayPal and eBay come to mind as something they will try to fool people with.

31. Action: Added tracker rules based on what was at gogogo.com
    Added:  BadURL_WordStarts[i++] = "redirectexittrack"; // Tracker - 2009-11-23
            BadURL_WordStarts[i++] = "vtrack\.php"; // Tracker - 2009-11-23
    Reason: Pulled down the files and THEY TRACK you. The EasyPrivacy author agrees with me.

32. Action: Modified the BadURL_WordStarts "teen" rule to be the same in both files
    From:   BadURL_WordStarts[i++] = "teen[^y]"; (proxy)
            BadURL_WordStarts[i++] = "teen"; (pornproxy)
    To:     BadURL_WordStarts[i++] = "teen[^y]"; // Malware - 2009-11-23
    Reason: teeny really is a porn term, but it is used so often in other places that it should be this, and now they are consistent.

33. Action: Removed old test rules
    Date:   2009-Nov-23 08:37 UTC
    Removed: BadDomains[i++] = ".namiflow.com"; // PRIVUS DNSWCD - Tracker - 2009-04-26
             BadDomains[i++] = ".scorecardresearch.com"; // PRIVUS Tracker - 2009-06-01
             BadDomains[i++] = ".smartbizsearch.com"; // PRIVUS - 2009-07-12
             BadDomains[i++] = ".spaces.live.com"; // PRIVUS DNSWCD TEST - 2009-05-18
             BadDomains[i++] = ".sphere.com"; // PRIVUS DNSWCD TEST - 2009-05-28
             BadDomains[i++] = ".tophosts.com"; // PRIVUS WebBug - 2009-06-20
    Reason: They are useless. Their function was to see if anything else was there. There isn't, so ...

34. Action: Added some more tracker rules from Jared.com
    Added:  BadURL_Parts[i++] = "coremetrics"; // Tracker - 2009-11-23
            BadURL_WordStarts[i++] = "cmdatatagutils"; // Tracker - 2009-11-23
            BadURL_WordStarts[i++] = "techprops\.js"; // Tracker - 2009-11-23
    Reason: Trackers we had no good way to handle. You can NOT block the hosts. Here are the URLs:
            www.jared.com/Jared/coremetrics/v40/eluminate.js
            www.jared.com/Jared/coremetrics/cmdatatagutils.js
            www.jared.com/Jared/coremetrics/v40/techprops.js
            The coremetrics rule may not work, but we will see ... All I know is that the CoreMetrics people have to make stuff for IDIOTS to put into their code. I suspect these will be the same for everybody.

35. Action: Added an Ad Server rule and Tracker rule from WalMart.com
    Added:  BadURL_WordStarts[i++] = "ad_label_"; // AdServer - 2009-11-23
            BadDomains[i++] = ".richrelevance.com"; // AdServer Tracker - 2009-11-23
    Reason: If you are using IE, Safari, or Opera you need

36. Action: Altered alpha ONLY pattern matches to alphanumeric
    Date:   2009-Nov-23 10:09 UTC
    From:   FIRST:  var BadHostWordStartRegx = new RegExp("(^|[^a-z])(" + BadHostWordStarts.join("|") + ")", "i");
            SECOND: var BadHostWordEndRegx = new RegExp("(" + BadHostWordEnds.join("|") + ")([^a-z]|$)", "i");
            THIRD:  var BadURL_WordStartRegx = new RegExp("[^a-z](" + BadURL_WordStarts.join("|") + ")", "i");
            FOURTH: var BadURL_WordEndRegx = new RegExp("(" + BadURL_WordEnds.join("|") + ")([^a-z]|$)", "i");
    To:     FIRST:  var BadHostWordStartRegx = new RegExp("(^|[^a-z0-9])(" + BadHostWordStarts.join("|") + ")", "i");
            SECOND: var BadHostWordEndRegx = new RegExp("(" + BadHostWordEnds.join("|") + ")([^a-z0-9]|$)", "i");
            THIRD:  var BadURL_WordStartRegx = new RegExp("[^a-z0-9](" + BadURL_WordStarts.join("|") + ")", "i");
            FOURTH: var BadURL_WordEndRegx = new RegExp("(" + BadURL_WordEnds.join("|") + ")([^a-z0-9]|$)", "i");
    Reason:

37. Action: bye bye filter
    Date:   2009-Nov-25 11:02 UTC
    Removed: BadHostParts[i++] = "filter"; // PROXY
             GoodDomains[i++] = "filtersetg.com";
    Reason: It wasn't worth it. We removed the filtersetg rule as well because there is no longer a collision, but also because that has been superseded by EasyList. See the next one for alterations due to this rule being removed.

38. Action: Changed the comments on the white-list "filter" rules
    Date:   2009-Nov-25 11:18 UTC
    From:   GoodDomains[i++] = "antispamfilterblocker.com"; // filter - 2009-03-06
            GoodDomains[i++] = "internetfilter.com";
            GoodDomains[i++] = "netfilter.org";
    To:     GoodDomains[i++] = "antispamfilterblocker.com"; // Security - 2009-11-25
            GoodDomains[i++] = "internetfilter.com"; // Security - 2009-11-25
            GoodDomains[i++] = "netfilter.org"; // Security - 2009-11-25
    Reason: Except for the first, which can still be blocked by the "block" rule, and the second by a LOT of rules, they no longer need white-listing from the filter rule. But they do provide security products.

40. Action: Removed rules that do no good
    Date:   2009-Nov-26 03:06 UTC
    Removed: BadDomains[i++] = ".hpg.ig.com.br"; // DNSWCD AdServer
             // BadDomains[i++] = ".hk"; // YOUR CHOICE - MalWare
    Reason: No hosts left in the domain for the first; the second is useless.

41. Action: Added new tracker rule
    Added:  BadURL_Parts[i++] = "ntpagetag"; // Tracker - 2009-10-05
    Reason: Saw it at www.chaminade.edu. URL is: http://www.chaminade.edu/includes/ntpagetag.js - pulled it down and it is Sane Solutions' NetTracker page tracking script.

42. Action: Some more phishy rules
    Added:  BadHostParts[i++] = "daaswe"; // Phish - 2009-11-26
            BadHostParts[i++] = "heddas"; // Phish - 2009-11-26
            GoodDomains[i++] = "ssa.gov"; // Phish - 2009-11-26
            BadHostParts[i++] = "ssa\.gov"; // Phish - 2009-11-26
    Reason: http://garwarner.blogspot.com/ - 2009-11-24 for the first two, 2009-11-23 for the second two

43. Action: Some malware from the previous hosts.
    Added:  BadURL_Parts[i++] = "statement\.exe"; // Malware - 2009-11-26
    Reason: I was going to have two rules since what I got was a tax-statement.exe file but they got a statement.exe file: http://garwarner.blogspot.com/ 2009-11-23. This rule will foil both of them.

44. Action: New adjuggler domain and dating of the old one
    Date:   2009-Nov-28 05:39 UTC
    From:   BadDomains[i++] = ".adjuggler.com"; // AdServer
    To:     BadDomains[i++] = ".adjuggler.com"; // AdServer - 2009-11-28
    Added:  BadDomains[i++] = ".adjuggler.net"; // PRIVUS AdServer - 2009-11-28
            BadURL_WordStarts[i++] = "ajrotator"; // AdServer - 2009-11-28
    Reason: Searching for lyrics for "Nothing Else Matters" by Metallica, found cdn.hadj7.adjuggler.net/banners/ajtg.js and overlay.ringtonematcher.com/overlay/overlay.js. I will be blocking overlay.ringtonematcher.com in the hosts file.
    { 2010-01-23: PRIVUS rule is now public }

45. Action: New Malware binary name (names?)
    Date:   updatetool.exe
    Added:  BadURL_Parts[i++] = "updatetool\.exe"; // Malware - 2009-11-30
    Reason: http://garwarner.blogspot.com/ http://preview.tinyurl.com/ykkn2vr I decided NOT to add the number rules. They will just change them.

46. Action: Added a Tracker rule for a domain that is on the move
    Added:  BadDomains[i++] = ".trackalyzer.com"; // Tracker - 2009-11-30
    Reason: I just removed the domain itself and t2.trackalyzer.com. Good riddance, I say. I never saw t2.trackalyzer.com, have only a few entries for t3.trackalyzer.com in 2007, and since then only see t4.trackalyzer.com. This is not surprising since EasyPrivacy has this domain for ABP users. I am giving IE, Opera and Safari users that want to avail themselves of this protection.

47. Action: A tracker that comes and goes?
    Added:  BadURL_WordStarts[i++] = "clickjs\.php"; // Tracker - 2009-11-30
    Reason: TryAbCircle.com www.hercle.com/scripts/clickjs.php (but clean your cache, all cookies you can, flash cookies, and then turn off ABP, close the browser and go back to it. Guess what - THIS AND ALL OTHERS MAGICALLY DISAPPEAR!)

48. Action: Google's ad pusher?
    Added:  BadURL_WordStarts[i++] = "show_afs_ads"; // AdServer - 2009-11-30
    Reason: OverStock.com & ABP with EasyList: I get the following block in ABP when I go down some: www.google.com/afsonline/show_afs_ads.js It is there, but the instant I turn off ABP I don't get it, and I even tried a HARD block of Google and don't get it. I will leave it just in case.

49. Action: More Phish rules
    Added:  GoodDomains[i++] = ".ally.com"; // Phish - 2009-11-30
            GoodDomains[i++] = "ustreas.gov"; // Phish - 2009-11-30
            BadHostParts[i++] = "chaseonline\.chase\.com"; // Phish - 2009-11-30
            BadHostParts[i++] = "secure\.ally\.com"; // Phish - 2009-11-30
            BadHostWordStarts[i++] = "ally\.com"; // Phish - 2009-11-30
            BadHostWordStarts[i++] = "chase\.com"; // Phish - 2009-11-30
            BadHostWordStarts[i++] = "refund-services\.irs"; // Phish - 2009-11-30
            BadHostWordStarts[i++] = "refunds\.irs"; // Phish - 2009-11-30
            BadHostWordStarts[i++] = "ustreasury"; // Phish - 2009-11-30
            // BadURL_WordStarts[i++] = "install"; // YOUR CHOICE Malware - 2009-11-30
    From:   GoodDomains[i++] = ".chase.com"; // 2009-06-14
    To:     GoodDomains[i++] = ".chase.com"; // Phish - 2009-11-30
    Reason: http://garwarner.blogspot.com/

30 November 2009 UNresolved False Positives (HHH)
-------------------------------------------------
NONE

30 November 2009 RESOLVED False Positives (HHH)
-----------------------------------------------

1. Pattern:  "ecock"
   Date:     2009-Nov-07 04:17 UTC
   Rules:    BadHostParts[i++] = "[^hn]cock"
             (replaced by)
             BadURL_Parts[i++] = "[^hn]cock"; // Malware - 2009-11-07
             (next added to combat previous rule)
             GoodDomains[i++] = "i.i.com.com"; // cock - 2009-11-07
   Reason:   SHUTTLECOCK
   Solution: White-list what is causing the problem. It is the only thing that has appeared in YEARS.
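The entries above record rules but never show them running together. The following is an added example, not code from the PAC filter this changelog describes: it models the filter's matching engine with the four word-boundary regexes built exactly as in item 36 (the [^a-z0-9] form) and a subset of the rules quoted in this changelog, then runs the shuttlecock false positive from items 7, 8 and 11 and the RESOLVED list through it. The check order (white-list first, then host rules, then URL rules), the domain-match semantics for entries with and without a leading dot (modelled on item 24), the regex form used for BadHostParts/BadURL_Parts, the empty-list guard, the black-hole proxy address returned for blocked requests, the names classify/cockRuleHit/hostWordStartHit/domainMatches and every sample URL are assumptions made for illustration. One caveat it encodes: item 27's counter\.[(c|j)] is a character class in a regex, so it also matches "(", "|" and ")"; the example uses the equivalent [cj].

```javascript
// Added example; not the PAC filter's own code. See the lead-in for the assumptions.

// Rule subset quoted from the changelog (plus "tube", referred to in item 24).
const GoodDomains = ["i.i.com.com", ".facebook.com", "nacha.org", "irs.gov", "youtube.com"];
const BadDomains = [".a013.com", ".linkbucks.com", ".trackalyzer.com"];
const BadHostParts = ["facebook", "myspace", "discovercard", "tube"];
const BadHostWordStarts = ["nacha\\.org", "irs\\.gov", "zzz"];
const BadHostWordEnds = ["zzz"];
const BadURL_WordStarts = ["flash-hq-plugin", "sitecatalystinclude\\.js", "teen[^y]"];
const BadURL_WordEnds = []; // nothing quoted above; kept empty to exercise the guard below
// Item 27 writes counter\.[(c|j)]; inside [...] that is a character class, so it
// also matches "(", "|" and ")". The intended [cj] is used here.
const BadURL_Parts = ["[^ehn]cock", "webiqonline", "counter\\.[cj]", "statement\\.exe"];

// [].join("|") is "", and "()" matches the empty string, so an empty rule list
// would build a regex that fires on every request. Return null and treat null
// as "no rule" instead.
function alternation(list) {
  return list.length ? "(" + list.join("|") + ")" : null;
}
function wordStartRegx(list, isHost) {
  const alt = alternation(list);
  // Item 36: for hosts, start-of-string also counts as a boundary; for URLs it does not.
  return alt ? new RegExp((isHost ? "(^|[^a-z0-9])" : "[^a-z0-9]") + alt, "i") : null;
}
function wordEndRegx(list) {
  const alt = alternation(list);
  return alt ? new RegExp(alt + "([^a-z0-9]|$)", "i") : null;
}
function partsRegx(list) {
  const alt = alternation(list);
  return alt ? new RegExp(alt, "i") : null; // assumed form for the *Parts lists
}
const Rx = {
  hostParts: partsRegx(BadHostParts),
  hostStart: wordStartRegx(BadHostWordStarts, true),
  hostEnd: wordEndRegx(BadHostWordEnds),
  urlStart: wordStartRegx(BadURL_WordStarts, false),
  urlEnd: wordEndRegx(BadURL_WordEnds),
  urlParts: partsRegx(BadURL_Parts),
};
const hit = (rx, s) => rx !== null && rx.test(s);

// Assumed domain semantics, modelled on item 24: a leading dot matches sub-domains
// only; without it the bare host and its sub-domains match, so "youtube.com" admits
// youtube.com and www.youtube.com but not badyoutube.com (which the "tube" rule then catches).
function domainMatches(host, d) {
  return d.startsWith(".") ? host.endsWith(d) : host === d || host.endsWith("." + d);
}

// Assumed check order: white-list first (what the i.i.com.com entry in item 8 relies on),
// then host rules, then URL rules. Returns the verdict and the list that decided it.
function classify(rawUrl) {
  const url = rawUrl.toLowerCase(); // item 5: the filter lower-cases everything
  const host = new URL(url).hostname;
  if (GoodDomains.some((d) => domainMatches(host, d))) return { verdict: "allow", rule: "GoodDomains" };
  if (BadDomains.some((d) => domainMatches(host, d))) return { verdict: "block", rule: "BadDomains" };
  if (hit(Rx.hostParts, host)) return { verdict: "block", rule: "BadHostParts" };
  if (hit(Rx.hostStart, host)) return { verdict: "block", rule: "BadHostWordStarts" };
  if (hit(Rx.hostEnd, host)) return { verdict: "block", rule: "BadHostWordEnds" };
  if (hit(Rx.urlStart, url)) return { verdict: "block", rule: "BadURL_WordStarts" };
  if (hit(Rx.urlEnd, url)) return { verdict: "block", rule: "BadURL_WordEnds" };
  if (hit(Rx.urlParts, url)) return { verdict: "block", rule: "BadURL_Parts" };
  return { verdict: "allow", rule: null };
}

// PAC entry point. Blocked requests go to a black-hole proxy; the address is an
// assumption, the changelog does not say what the filter returns.
function FindProxyForURL(url, host) {
  return classify(url).verdict === "block" ? "PROXY 127.0.0.1:3421" : "DIRECT";
}

// Items 7, 8 and 11: the "cock" pattern before and after the "e" exclusion.
function cockRuleHit(url, pattern) {
  return new RegExp(pattern, "i").test(url.toLowerCase());
}

// Item 36: with [^a-z] a digit counted as a word boundary; with [^a-z0-9] it does
// not, so a host like x1nacha.org.example stops matching "nacha\.org".
function hostWordStartHit(host, pattern, alnumBoundary) {
  const boundary = alnumBoundary ? "[^a-z0-9]" : "[^a-z]";
  return new RegExp("(^|" + boundary + ")(" + pattern + ")", "i").test(host.toLowerCase());
}

// Constructed sample requests (not taken from the page).
const SAMPLES = [
  "http://i.i.com.com/img/shuttlecock.gif",            // white-listed tracker host
  "http://www.example.net/badminton/shuttlecock.html", // the shuttlecock false positive
  "http://facebook.example.org/login",                 // phish-style host
  "https://www.facebook.com/",
  "http://cdn.example.com/js/SiteCatalystInclude.js",  // mixed case, item 6
  "http://www.example.org/cgi-bin/counter/counter.cgi",
  "http://sub12.linkbucks.com/x",
  "http://badyoutube.com/",
];
for (const u of SAMPLES) console.log(FindProxyForURL(u, new URL(u).hostname), u, classify(u).rule);
```

Two things worth noticing when running it: the shuttlecock URL on www.example.net passes only because the rule now reads [^ehn]cock (cockRuleHit with the older [^hn]cock still fires on it, which is why i.i.com.com needed a white-list entry before item 11), and the empty BadURL_WordEnds list would have produced a match-everything regex if it had been joined into "()" the way the real construction does.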