08 February 2010 Changes (HHH)
------------------------------

1.  Action:  Yet another escape for the "xxx" rule
    Added:   GoodDomains[i++] = "ip-adress.com"; // xxx (2) - 2009-12-31
    Reason:  ip-adress.com/reverse_ip/www.tubexxxmatures.com

2.  Action:  Another strike against anti-virus pretenders
    Added:   BadHostParts[i++] = "anti-vir"; // YOUR CHOICE - 2009-12-31
    Reason:  anti-virus914.com - They may not have the numbers but stopping them
             before you get there has to be important.
             toqg.susnoj.cn/in.cgi?9&tsk=id882-06june09-r35&type=l.
             ---> whereissanta-2010.com/?pid=356s02&sid=703b78
             ---> anti-virus914.com/index.html...

3.  Action:  Resolving false positive
    Added:   GoodDomains[i++] = "geekgirlsguide.com"; // girls - 2010-01-01
    Reason:  I don't want girls on the warpath against me too! I have my hands
             full with the hackers, McAfee, and some of the other Anti-Virus
             companies.

4.  Action:  SecureMecca.com & HostsFile.org rules
    Date:    2010-01-02 11:29 UTC
    From:    GoodDomains[i++] = ".hostsfile.org"; // Phish - 2009-12-07
             GoodDomains[i++] = ".securemecca.com"; // Phish - 2009-12-07
    To:      GoodDomains[i++] = "hostsfile.org"; // Phish - 2009-12-07
             GoodDomains[i++] = "securemecca.com"; // Phish - 2009-12-07
    Reason:  Going to http://www.securemecca.tk redirects to http://securemecca.com
             no matter what I do. Fortunately http://www.securemecca.biz,
             http://www.securemecca.info, http://www.securemecca.org, and
             http://www.securemecca.us all redirect correctly to
             http://www.securemecca.com. Unlike shorter patterns, we can live
             with the chance of moresecuremecca.com.

5.  Action:  Made as many PRIVUS rules public as possible.
             Also, some other non-PRIVUS rules are here.
    Date:    2010-01-04 21:18 UTC
    From:    GoodDomains[i++] = ".altavista.com"; // PRIVUS RULE babe
             GoodDomains[i++] = ".bicycling.com"; // PRIVUS RULE
             GoodDomains[i++] = "filext.com"; // PRIVUS RULE
             GoodDomains[i++] = "medopinions.com"; // PRIVUS RULE
             GoodDomains[i++] = ".nationalgeographic.com"; // PRIVUS RULE
             GoodDomains[i++] = ".osnews.com"; // PRIVUS RULE
             GoodDomains[i++] = ".rsbac.org"; // PRIVUS RULE
             GoodDomains[i++] = "snowleopard.org"; // PRIVUS RULE
             GoodDomains[i++] = ".tiaa-cref.org"; // PRIVUS RULE
             GoodDomains[i++] = "ubuntuforums.org"; // PRIVUS RULE
             GoodDomains[i++] = "washingtonpost.com"; // PRIVUS RULE
             --------------------------------------------------------
             BadDomains[i++] = ".adjuggler.net"; // PRIVUS AdServer - 2009-11-28
             --------------------------------------------------------
             BadURL_Parts[i++] = "ads\.php"; // PRIVUS Tracker - 2009-11-07
             BadURL_Parts[i++] = "transparent-pixel"; // PRIVUS Tracker - 2009-12-27
             // BadURL_Parts[i++] = "utm\.js"; // YOUR CHOICE Tracker - 2009-11-16
             --------------------------------------------------------
             BadHostParts[i++] = "[^hrv]angel";
             // BadHostParts[i++] = "rx"; // YOUR CHOICE SPAM - 2009-11-12
             --------------------------------------------------------
             BadURL_WordStarts[i++] = "omniture\.js"; // PRIVUS Tracker - 2009-11-04
             BadURL_WordStarts[i++] = "omniture_code\.js"; // PRIVUS Tracker - 2009-11-02
             // BadURL_WordStarts[i++] = "ptv8\.swf"; // PRIVUS Tracker - 2009-12-27
             BadURL_WordStarts[i++] = "s_code\.js"; // PRIVUS Tracker - 2009-10-20
             BadURL_WordStarts[i++] = "s_code_remote\.js"; // PRIVUS Tracker - 2009-11-02
             BadURL_WordStarts[i++] = "sitecatalystinclude\.js"; // PRIVUS Tracker - 2009-11-07
             // BadURL_WordStarts[i++] = "x-locale\/"; // PRIVUS Tracker - 2009-12-27 (NOTE - See below for a point on this one)
    To:      GoodDomains[i++] = "altavista.com"; // 2010-01-04
             GoodDomains[i++] = "bicycling.com"; // 2010-01-04
             GoodDomains[i++] = "filext.com"; // 2009-01-04
             GoodDomains[i++] = "medopinions.com"; // 2010-01-04
             GoodDomains[i++] = "nationalgeographic.com"; // 2010-01-04
             GoodDomains[i++] = "osnews.com"; // 2010-01-04
             GoodDomains[i++] = "rsbac.org"; // 2010-01-04
             GoodDomains[i++] = "snowleopard.org"; // 2010-01-04
             GoodDomains[i++] = "tiaa-cref.org"; // 2010-01-04
             GoodDomains[i++] = "ubuntuforums.org"; // 2010-01-04
             GoodDomains[i++] = "washingtonpost.com"; // 2010-01-04
             --------------------------------------------------------
             BadDomains[i++] = ".adjuggler.net"; // YOUR CHOICE AdServer - 2009-11-28
             --------------------------------------------------------
             BadURL_Parts[i++] = "ads\.php"; // YOUR CHOICE Tracker - 2009-11-07
             BadURL_Parts[i++] = "transparent-pixel"; // YOUR CHOICE Tracker - 2009-12-27
             BadURL_Parts[i++] = "utm\.js"; // YOUR CHOICE Tracker - 2009-11-16
             --------------------------------------------------------
             BadHostParts[i++] = "[^hnrv]angel"; // Malware - 2010-01-04
             // BadHostParts[i++] = "[^aeot]rx[^c]"; // YOUR CHOICE SPAM - 2009-11-12
             --------------------------------------------------------
             BadURL_WordStarts[i++] = "omniture\.js"; // YOUR CHOICE Tracker - 2009-11-04
             BadURL_WordStarts[i++] = "omniture_code\.js"; // YOUR CHOICE Tracker - 2009-11-02
             BadURL_WordStarts[i++] = "ptv8\.swf"; // YOUR CHOICE Tracker - 2009-12-27
             BadURL_WordStarts[i++] = "s_code\.js"; // YOUR CHOICE Tracker - 2009-10-20
             BadURL_WordStarts[i++] = "s_code_remote\.js"; // YOUR CHOICE Tracker - 2009-11-02
             BadURL_WordStarts[i++] = "sitecatalystinclude\.js"; // YOUR CHOICE Tracker - 2009-11-07
             BadURL_WordStarts[i++] = "x-locale\/"; // PRIVUS Tracker - 2009-12-27 (NOTE - See below for a point on this one)
    Reason:  It is time to give them to others or lose them. The initial test for
             the g-ecx.images-amazon.com host has been completed. THEY ARE STORING
             INFORMATION IN THE FLASH COOKIE! I think I have the only flash file
             they are using but I don't know. The "x-locale\/" is a way for
             discovering any others and in addition the 1x1 tracking pixels they
             are using.
             At this point there ARE tiny sliver images in the "x-locale\/" folder
             but it remains to be seen if we will miss them. THE "x-locale\/" WILL
             NEVER GO PUBLIC! It is STRICTLY to be used for discovery purposes only!

6.  Action:  Removed PRIVUS rules I kept for other people I know personally and
             kept their changes. Also, I have removed some rules that were
             inherently temporary.
    Date:    2010-01-04 21:18 UTC
    Removed: GoodDomains[i++] = ".aquest.com"; // PRIVUS RULE
             GoodDomains[i++] = "hotsaints.com"; // PRIVUS RULE
             GoodDomains[i++] = "ldsdates.com"; // PRIVUS RULE
             GoodDomains[i++] = "ldsmingle.com"; // PRIVUS RULE
             GoodDomains[i++] = "ldshearts.com"; // PRIVUS RULE
             GoodDomains[i++] = "ldspals.com"; // PRIVUS RULE
             GoodDomains[i++] = "ldsplanet.com"; // PRIVUS RULE
             GoodDomains[i++] = "ldspromise.com"; // PRIVUS RULE
             GoodDomains[i++] = "ldssingles.com"; // PRIVUS RULE
             GoodDomains[i++] = "ldssinglesnetwork.com"; // PRIVUS RULE
             GoodDomains[i++] = "livelds.com"; // PRIVUS RULE
             GoodDomains[i++] = "singlepointnetworks.com"; // PRIVUS RULE
             GoodDomains[i++] = "singlesaints.com"; // PRIVUS RULE
             GoodDomains[i++] = "singles31.com"; // PRIVUS RULE
             GoodDomains[i++] = "thetinangel.com"; // PRIVUS RULE (will modify angel rule to handle it)
             GoodDomains[i++] = "tobaccofreeutah.org"; // PRIVUS RULE (will not activate "free" as a general rule now)
             GoodDomains[i++] = ".uofucu.com"; // PRIVUS RULE - 2009-06-14
             GoodDomains[i++] = "utahsingles31.com"; // PRIVUS RULE
             GoodDomains[i++] = "yourutahjob.com"; // PRIVUS RULE
             --------------------------------------------------------
             BadNetworks[i++] = "74.200.247.59, 255.255.255.255"; // PRIVUS 2009-12-10
             BadNetworks[i++] = "74.200.247.61, 255.255.255.255"; // PRIVUS 2009-12-10
             BadNetworks[i++] = "76.74.254.120, 255.255.255.254"; // PRIVUS 2009-12-10
             --------------------------------------------------------
             BadHostParts[i++] = "daaswe"; // Phish - 2009-11-26
             BadHostParts[i++] = "heddas"; // Phish - 2009-11-26
    Reason:  The vast majority were for this guy named Bert. Most will no longer
             have false positives but since they are not using what I have created
             there is no reason to hang on to them. I DID have them in a separate
             folder but since they haven't said anything in a year it is time to
             move on.

7.  Action:  Some Zeus Malware rules
    Added:   BadURL_WordStarts[i++] = "bot\.exe"; // Malware - 2010-01-07
             // BadURL_WordStarts[i++] = "gate\.php"; // YOUR CHOICE Malware - 2010-01-08
             BadURL_WordStarts[i++] = "ldr\.exe"; // Malware - 2010-01-07
             BadURL_WordStarts[i++] = "loader\.exe"; // Malware - 2010-01-07
    Reason:  These are patterns that I noticed are prevalent right now. Unlike
             KoobFace, both the Zeus folder names and Zeus file names are all over
             the wall. Nevertheless we are adding these since the false positives
             will be lower. I will include a file that shows the ones I found by
             looking at the list from: https://zeustracker.abuse.ch/blocklist.php

8.  Action:  Another Flash pretender
    Added:   BadURL_WordStarts[i++] = "flash_up"; // Malware - 2010-01-08
    Reason:  egoldenglove.com/Images/bin/movie/Flash_Update_1260873156.exe

9.  Action:  Added some PRIVUS rules
    Added:   BadDomains[i++] = ".interclick.com"; // PRIVUS Tracker - 2010-01-07
             BadURL_Parts[i++] = "omniture"; // PRIVUS Tracker - 2010-01-07
             BadURL_Parts[i++] = "proxysignature"; // PRIVUS Tracker - 2010-01-07
             BadHostWordStarts[i++] = "pixel\."; // PRIVUS Tracker - 2010-01-07
    Reason:  idcs.interclick.com gave a 1x1 tracking image. How many more of them
             will we have? The second two were used for LSOs at Forbes. I will
             probably have to remove the "omniture" one. The pixel was some pixel
             tracking host also used at Forbes.

10. Action:  Removed a test rule
    Date:    2010-01-08 04:34 UTC
    Removed: BadHostWordStarts[i++] = "click"; // PRIVUS Tracker - 2009-10-06
    Reason:  clickfrom.buy.com/default.asp (AMONG OTHERS)

11. Action:  *.clickshield.net
    Added:   BadDomains[i++] = ".clickshield.net"; // DNSWCD Tracker - 2010-01-09
    Reason:  Detected ones that even Airelle didn't have.
             The previous rule found it but it also caused a LOT of false
             positives. I will just have to look for the others manually.

12. Action:  Added some combination tracker / ad server rules
    Added:   BadURL_WordStarts[i++] = "dotclear\.[(g|j)]"; // YOUR CHOICE Tracker - 2010-01-09
             BadHostWordStarts[i++] = "adlog\."; // YOUR CHOICE Tracker - 2010-01-09
    Reason:  They are used in conjunction with each other to track but the second
             rule is probably going to serve up ads.
             WARNING: I DID A LOT OF REORDERING OF THE RULES HERE! ALSO, THE
             "cmdatatagutils" rule had somehow got accidentally deleted from the
             proxy_fr.txt and dbgproxy_fr.txt French files. So use this as your
             guide rather than depending on the diffs.

13. Action:  WebBug rule
    Added:   BadDomains[i++] = ".wemfbox.ch"; // WebBug - 2010-01-12
    Reason:  Airelle has nzz.wemfbox.ch and tagesanz.wemfbox.ch which I didn't
             have. HOW MANY MORE ARE THERE? I suspect there are a lot more than the
             ones we have and we need something for Opera, Chrome, IE, and Safari
             users. Firefox with AdBlockPlus and any of the good browsers has
             protection from it.

14. Action:  Weaken a malware rule to avoid white lists.
    Date:    2010-01-12 08:20 UTC
    From:    BadHostParts[i++] = "suck";
    To:      BadHostParts[i++] = "[^sy]suck"; // Malware - 2010-01-12
    Reason:  "honeysuckle" even though it was used for a phish
             (honeysucklecottage.com.au/shop/images/9didh47djsgsifkv\
             nxdyd53648fhdsu34hd8ncwieucnywe34.html) and Marco Peereboom's
             "adssuck.org". Where did his white list rule go?

15. Action:  AdSense rule with exclusions
    Date:    2010-01-12 08:31 UTC
    Added:   GoodDomains[i++] = "adsense.blogspot.com"; // adsense - 2010-01-12
             GoodDomains[i++] = "thecodingstudio.com"; // adsense - 2010-01-12
             BadURL_WordStarts[i++] = "adsense"; // AdServer - 2010-01-12
    Reason:  We already had it for google.com/...adsense... but we need the rule
             because it does function at the URL level and the host level. So the
             other domains had to be added (see EasyPrivacy+EasyList).

16. Action:  Changed the "analytics" rule to something we may be able to live with
    Date:    2010-01-12 08:51 UTC
    From:    // BadHostParts[i++] = "analytics"; // PRIVUS Tracker - 2009-11-16
    To:      BadURL_Parts[i++] = "analytics.sol"; // Tracker - 2010-01-12
             BadURL_Parts[i++] = "analytics\.[(j|p)]"; // PRIVUS Tracker - 2010-01-12
    Reason:  I actually only ran into one false positive for the rule at the URL
             level but it was with HJT. THAT IS A PRETTY SERIOUS FALSE POSITIVE!
             Hopefully these two rules will work but they will most likely work
             only at the URL level and coincidentally any hosts that start with
             analytics.j... or analytics.p...

17. Action:  Added some new tracking rules
    Added:   BadURL_WordStarts[i++] = "competetracking"; // Tracker - 2010-01-12
             BadURL_WordStarts[i++] = "openads"; // Tracker - 2010-01-12
             BadURL_WordStarts[i++] = "showads\.[(j|p)]"; // Tracker - 2010-01-12
    Reason:  Was used at several hosts, but ABP stopped it so I don't have their
             log, but if you use IE, Opera, Safari, or Chrome this rule will stop
             it.

18. Action:  Added some new ad server rules.
    Added:   BadHostWordStarts[i++] = "synad\."; // AdServer - 2010-01-12
             BadHostWordStarts[i++] = "synad2\."; // AdServer - 2010-01-12
    Reason:  ABP caught some hosts I don't have. If I can find them again I will
             turn off ABP and log them.

19. Action:  New malware posing as a legitimate software upgrade
    Added:   GoodDomains[i++] = ".java.com"; // java_v - 2010-01-12
             GoodDomains[i++] = ".sun.com"; // java_v - 2010-01-12
             BadURL_Parts[i++] = "java_v\."; // Malware - 2010-01-12
    Reason:  I saw this while I was walking through the Zeus stuff. I finally
             found the malware download again:
             transportools.com/solesto/java_v.2.7.exe
             VirusTotal 1: http://preview.tinyurl.com/ycm8n22 (9/41) (2010-01-09 06:05 UTC)
             VirusTotal 2: http://preview.tinyurl.com/y9wecd5 (33/41) (2010-01-14 04:48 UTC)
             Let's nip this in the bud before it ever gets started. Java downloads
             can only come from Java / Sun. OKAY?

20. Action:  Activated some commented out rules
    Date:    2010-01-12 15:23 UTC
    From:    // BadHostParts[i++] = "ally\.com"; // YOUR CHOICE Phish - 2009-12-03
             // BadHostParts[i++] = "ebay\.com"; // Phish - 2009-12-08
             // BadHostParts[i++] = "[^aeot]rx[^c]"; // YOUR CHOICE SPAM - 2009-11-12
             // BadHostParts[i++] = "webs\.com"; // Phish - 2009-12-07
    To:      BadHostParts[i++] = "ally\.com"; // YOUR CHOICE Phish - 2009-12-03
             BadHostParts[i++] = "ebay\.com"; // Phish - 2009-12-08
             BadHostParts[i++] = "[^aeot]rx[^c]"; // YOUR CHOICE SPAM - 2009-11-12
             BadHostParts[i++] = "webs\.com"; // YOUR CHOICE Phish - 2009-12-07
    Reason:  They are ready for others. Let's cut them loose and see what they do.
             Rodney, remind me to remove the following rules if these work:
             BadHostParts[i++] = "50webs\.com";
             BadHostParts[i++] = "freewebs\.com";
             BadHostParts[i++] = "secure\.ally\.com";
             BadHostWordStarts[i++] = "ebay\.com";
             BadHostWordStarts[i++] = "webs\.com";
             They were just meant to tide me over until the above rules could kick
             in and defend people. The last BadHostParts[i++] = "webs\.com"; rule
             makes all of these other BadHostParts "webs" rules not needed. Ditto
             for the others.

21. Action:  Block of DSL due to a PayPal Phish I personally received.
    Added:   BadNetworks[i++] = "122.170.0.0, 255.255.128.0"; // ABTS-WEST-DSL PCs - 2010-01-12
    Reason:  I wrote and informed them I was going to do it and asked if it was
             safe. They said nothing so I am assuming they are just all DSL PCs.
             What business do I have in my machine going to another PC doing bad,
             Bad, BAD web server duty? I must confess I finally found an email
             address the phish was happy with where they gladly took all of my
             bogus information! Now if we could get all Phish recipients to do
             this, what would happen to the Phish being sent?

21. Action:  Another PayPal Phish
    Added:   BadNetworks[i++] = "80.13.0.0, 255.255.0.0"; // Wanadoo PCs - 2010-01-14
    Reason:  Personal PayPal Phish.

22. Action:  Another eBay pair of rules.
    Added:   GoodDomains[i++] = ".ebayrtm.com"; // rx - 2010-01-14
             BadHostParts[i++] = "ebayrtm\.com"; // Phish - 2010-01-14
    Reason:  srx.main.ebayrtm.com/rtm?RtmCmd&a=json

23. Action:  Modification for existing "rx" rule
    Date:    2010-01-14 23:07 UTC
    From:    BadHostParts[i++] = "[^aeot]rx[^c]"; // YOUR CHOICE SPAM - 2009-11-12
    To:      BadHostParts[i++] = "[^aeost]rx[^c]"; // YOUR CHOICE SPAM - 2009-11-12
    Reason:  srx.main.ebayrtm.com/rtm?RtmCmd&a=json

24. Action:  Added a new "rx" rule
    Added:   BadHostWordStarts[i++] = "rx"; // YOUR CHOICE SPAM - 2010-01-14
    Reason:  srx.main.ebayrtm.com/rtm?RtmCmd&a=json
             The exclusion for the previous rule significantly weakened it. I
             noticed TONS of host names in my last GMail spam that were starting
             with this pattern. Should I have waited on it? I don't think so. In
             this location it is highly doubtful that we will have false
             positives. I SURE HOPE I AM RIGHT!

25. Action:  Added some various Ad and Trackers I discover as I work
    Added:   BadDomains[i++] = ".checkm8.com"; // Tracker - 2010-01-14
             BadDomains[i++] = ".grapeshot.co.uk"; // PRIVUS Tracker - 2010-01-14
             BadURL_WordStarts[i++] = "adlinks\.[(j|p)]"; // AdServer - 2010-01-14
             BadURL_WordStarts[i++] = "adstream\.[(j|p)]"; // AdServer - 2010-01-14
             BadURL_WordStarts[i++] = "xtcore\.[(j|p)]"; // Tracker - 2010-01-14
             BadHostWordStarts[i++] = "adimg\."; // AdServer - 2010-01-14
    Reason:  For IE, Opera, Safari, and Google Chrome users.

26. Action:  New Flash tracker rule - for "admanager.swf"
    Added:   BadURL_WordStarts[i++] = "admanager\."; // Tracker - 2010-01-15
    Reason:  HamptonRoads.com still has the d.hamptonroads.com which is an alias
             to ehg-hamptonroad.1p.hitbox.com. They are also using the
             vpmc.122.2o7.net which I just added so they will probably NEVER use
             d.hamptonroads.com again since this FLASH cookie they are using keeps
             track of everything now except for whatever the *.2o7.net host is
             doing. If this is overly broad, add the "swf".

27. Action:  Altered the way Microsoft is handled
    Date:    2010-01-19 22:20 UTC
    From:    GoodDomains[i++] = "microsoft.com"; // SECURITY - 2009-08-17
    To:      GoodDomains[i++] = ".microsoft.com"; // SECURITY - 2009-08-17
             BadHostParts[i++] = "microsoft\.com"; // SpearPhish - 2010-01-19
    Reason:  Office Spear Phishing Campaign
             http://preview.tinyurl.com/yjglyft
             http://preview.tinyurl.com/y9aeyvs
             http://preview.tinyurl.com/y9eoax4

28. Action:  Added some more Pattern Squatting rules
    Added:   GoodDomains[i++] = ".hsbc.co.uk"; // Phish - 2010-01-19
             BadHostParts[i++] = "hsbc\.co\.uk"; // Phish - 2010-01-19
             GoodDomains[i++] = ".sendspace.com"; // Phish - 2010-01-19
             BadHostParts[i++] = "sendspace\.com"; // Phish - 2010-01-19
             GoodDomains[i++] = ".usaa.com"; // Phish - 2010-01-19
             BadHostParts[i++] = "usaa\.com"; // Phish - 2010-01-19
    Reason:  http://garwarner.blogspot.com

29. Action:  Adding various Tracker rules
    Added:   BadDomains[i++] = ".vizu.com"; // DNSWCD Tracker - 2010-01-19
             BadURL_WordStarts[i++] = "pageear"; // Tracker - 2010-01-19
             BadURL_WordStarts[i++] = "revsci"; // Tracker - 2010-01-19
             BadURL_WordStarts[i++] = "touchclarity"; // Tracker - 2010-01-19
    Reason:  These were what I discovered as Mike Burgess removed the *.hitbox.com
             and *.2o7.net aliases.

30. Action:  Another RealMedia IP block
    Added:   BadNetworks[i++] = "208.81.232.0, 255.255.252.0"; // YOUR CHOICE REALMEDIA-5 - 2010-01-20
    Reason:  The sifomedia.aftonbladet.se drove the realization that this IP range
             had to be added.

31. Action:  Adding a tracker discovery rule
    Added:   BadDomains[i++] = ".specificclick.net"; // PRIVUS Tracker - 2010-01-20
    Reason:  afe3.specificclick.net - I didn't have this sucker probably for
             months. But also you can NOT just add everything in this domain. Some
             map to multiple IP addresses like this one, while others are just
             one. But most importantly THEY ALL ACT DIFFERENTLY. YOU MUST LOOK AT
             EACH ONE INDIVIDUALLY! Yes, ABP has the rule but if you ask me the
             hosts file approach is the best way to handle this one.
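Added illustration, not code from the proxy.pac these entries modify: a JavaScript sketch of how a PAC FindProxyForURL() could evaluate the GoodDomains, BadDomains, BadHostParts, BadHostWordStarts, BadURL_Parts, BadURL_WordStarts, BadURL_WordEnds and BadNetworks arrays that entries 4, 14, 19 through 24 and 27 above change, with a handful of those rules copied in as sample data. The white-list-first order, the suffix semantics of the leading dot, the (^|[/.]) anchoring for the WordStarts arrays and the blackhole proxy string are assumptions, not documented behaviour of the real file.

```javascript
// Added illustration, not the project's own proxy.pac: one way a PAC
// FindProxyForURL() could evaluate the rule arrays this changelog edits.
// Matching semantics are assumptions inferred from the entries above:
//  - GoodDomains/BadDomains: suffix match like dnsDomainIs(), so "java.com"
//    covers java.com and www.java.com while ".microsoft.com" does not cover
//    the bare name (the trade-off entries 4 and 27 talk about).
//  - BadHostParts/BadURL_Parts: regex anywhere in the host / the whole URL.
//  - *WordStarts: regex at the start of the string or right after "/" or ".".
//  - BadURL_WordEnds: regex followed by end of string, "/", "?" or "#".
//  - BadNetworks: "net, mask" pairs tested against the resolved address.
// Regex metacharacters are double-escaped because these are JS string literals.

// Sample rules copied from the entries above (a small subset of the file).
const GoodDomains = [".microsoft.com", ".ebayrtm.com", "java.com"];
const BadDomains = [".specificclick.net"];
const BadHostParts = ["microsoft\\.com", "ebayrtm\\.com", "[^aeost]rx[^c]", "[^sy]suck"];
const BadHostWordStarts = ["rx", "pixel\\."];
const BadURL_Parts = ["java_v\\."];
const BadURL_WordStarts = ["bot\\.exe", "install_activex"];
const BadURL_WordEnds = ["\\.sh"];
const BadNetworks = ["122.170.0.0, 255.255.128.0"];

// Assumed sink for blocked requests; the real file picks its own.
const BLACKHOLE = "PROXY 127.0.0.1:9";

// Stand-in for the PAC built-in dnsDomainIs(): a plain suffix comparison.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Stand-in for isInNet(), taking the "net, mask" string as written in BadNetworks.
function inBadNetwork(ip, entry) {
  const [net, mask] = entry.split(",").map((s) => s.trim());
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

function anyMatch(patterns, text, wrap) {
  return patterns.some((p) => new RegExp(wrap(p)).test(text));
}
const asIs = (p) => p;
const wordStart = (p) => "(^|[/.])" + p;
const wordEnd = (p) => p + "($|[/?#])";

// resolvedIp is passed in so this runs without DNS; a real PAC would call
// dnsResolve(host), and only after the cheaper string checks have passed.
function classify(url, host, resolvedIp) {
  const h = host.toLowerCase();
  const u = url.toLowerCase();
  // 1. White list first: the ".ebayrtm.com" exclusion (entry 22) has to beat
  //    the "ebayrtm\.com" pattern that exists to catch look-alike hosts.
  if (GoodDomains.some((d) => dnsDomainIs(h, d))) return "DIRECT";
  // 2. Host-level rules, cheapest first.
  if (BadDomains.some((d) => dnsDomainIs(h, d))) return BLACKHOLE;
  if (anyMatch(BadHostParts, h, asIs)) return BLACKHOLE;
  if (anyMatch(BadHostWordStarts, h, wordStart)) return BLACKHOLE;
  // 3. URL-level rules over the whole URL (path, file name, query).
  if (anyMatch(BadURL_Parts, u, asIs)) return BLACKHOLE;
  if (anyMatch(BadURL_WordStarts, u, wordStart)) return BLACKHOLE;
  if (anyMatch(BadURL_WordEnds, u, wordEnd)) return BLACKHOLE;
  // 4. Address-level rules (BadNetworks) need the resolved address.
  if (resolvedIp && BadNetworks.some((n) => inBadNetwork(resolvedIp, n))) return BLACKHOLE;
  return "DIRECT";
}

// The one function a PAC file must export; the browser supplies url and host.
function FindProxyForURL(url, host) {
  return classify(url, host, null);
}
```

Under these assumptions the leading dot in ".microsoft.com" exempts www.microsoft.com but lets the bare microsoft.com fall through to the "microsoft\.com" squatting pattern, and "[^aeost]rx[^c]" cannot see an "rx" at the very start of a host, which is the gap the BadHostWordStarts "rx" rule of entry 24 closes.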
32. Action:  Moved an AdServer rule to a more appropriate place.
    Date:    2010-01-21 01:38 UTC
    From:    BadHostParts[i++] = "advertising"; // AdServer - 2009-04-27
    To:      BadURL_WordStarts[i++] = "advertising"; // AdServer - 2010-01-20
    Reason:  It wasn't at the appropriate level and everything where it needs to
             be blocked is always at the start ...

33. Action:  AdServer rule for ads that are IN YOUR FACE & UNWANTED
    Added:   BadURL_WordStarts[i++] = "popunder\."; // AdServer - 2010-01-20
    Reason:  www./impre.com/eldiarony/

34. Action:  New Tracker rules for "openx"
    Added:   GoodDomains[i++] = "openx.zomoto.nl"; // openx - 2010-01-20
             BadDomains[i++] = ".openx.net"; // Tracker - 2010-01-20
             BadDomains[i++] = ".openx.org"; // Tracker - 2010-01-20
             BadHostWordStarts[i++] = "openx\."; // Tracker - 2010-01-20
    Reason:  I looked at ABP but until I encounter what they are doing in the URL
             I don't want to muck with it. I can't completely understand their
             exclusions for d1.openx.org but since I block the host completely it
             is a moot point. Rather than colliding with openx.zomoto.nl with
             their (ABP's) fine-tuned exclusion, I WILL JUST LET THEM DO THEIR
             THING - SPY AWAY!

35. Action:  Removed rule that is not in my logs
    Date:    2010-01-23 17:46 UTC
    Removed: BadDomains[i++] = ".esomniture.com"; // DNSWCD Tracker - 2009-03-30
    Reason:  I have NONE in my phttpd logs. They may be there, but if I haven't
             encountered any since this rule has been active (and it is a LOT
             older than the date shown here) then why have it? I would just make
             sure if you use Firefox to block cookies from being set in the
             esomniture.com domain since that is SUPPOSEDLY its main threat.

36. Action:  Made Java rules harmonious with what Sun has
    Date:    2010-01-27 23:55 UTC
    From:    GoodDomains[i++] = ".java.com"; // java_v - 2010-01-12
             GoodDomains[i++] = ".sun.com"; // java_v - 2010-01-12
    To:      GoodDomains[i++] = "java.com"; // java_v - 2010-01-12
             GoodDomains[i++] = "sun.com"; // java_v - 2010-01-12
    Reason:  They don't give it with "www." and I don't know whether they use it
             or not in their update programs. It seems like they would be smarter
             than that, but ...

37. Action:  Added some potential malware rules.
    Added:   // BadURL_WordEnds[i++] = "\.bat"; // Malware - 2010-01-27
             // BadURL_WordEnds[i++] = "\.exe"; // Malware - 2010-01-27
             // BadURL_WordEnds[i++] = "\.pdf"; // Malware - 2010-01-27
             BadURL_WordEnds[i++] = "\.sh"; // Malware - 2010-01-27
    Reason:  I cannot understand why Microsoft wants a file with a given extension
             from anywhere in the world to have the same execution privileges it
             has on the machine. Like the stupid automount and autoplay of CDs,
             DVDs, and USB sticks it is just a DUMB idea. But since the first two
             are Microsoft's, the third will probably never fly and they won't
             deactivate the script and they will keep getting infected? Go figure.
             BUT I INTRODUCED THE SH EXTENSION AND I WILL BE DARNED IF I WILL LET
             IT EXECUTE FROM THE INTERNET!

38. Action:  Downgraded the "xxx" rule
    From:    BadURL_Parts[i++] = "xxx";
             GoodDomains[i++] = "mywot.com"; // xxx - 2009-06-06
    To:      BadHostParts[i++] = "xxx"; // Malware - 2010-01-28
             GoodDomains[i++] = "mywot.com"; // Security - 2010-01-28
    Reason:  A newbie removed the PAC filter and this may have been the reason. I
             am looking at others that have caused similar problems a little bit
             differently and will also not white-list but drop the rule a little
             faster from now on. A weakened PAC filter is better than no PAC
             filter at all.

39. Action:  Removed white list rules that were for "xxx" (downgraded)
    Date:    2010-01-28 18:49 UTC
    Removed: GoodDomains[i++] = "dslreports.com"; // xxx - 2009-12-17
             GoodDomains[i++] = "ip-adress.com"; // xxx (2) - 2009-12-31
    Reason:  Since this was all that caused the problem with the affected domains
             they don't need white-list status.

40. Action:  Added some PRIVUS adtech.de IP rules
    Added:   BadNetworks[i++] = "194.117.224.80, 255.255.255.254"; // PRIVUS adtech.de - 2010-02-05
             BadNetworks[i++] = "194.117.224.90, 255.255.255.254"; // PRIVUS adtech.de - 2010-02-05
    Reason:  We have precious few of these by IP address in my hosts file and I
             assume there are even more.

41. Action:  Added some more phishing pattern rules
    Added:   GoodDomains[i++] = "aba.com"; // Phish - 2010-02-05
             GoodDomains[i++] = ".aol.com"; // Phish - 2010-02-05
             GoodDomains[i++] = ".aolcdn.com"; // 2010-02-05
             --------------------------------------------------------
             BadHostParts[i++] = "aba\.com"; // Phish - 2010-02-05
             BadHostParts[i++] = "aol\.com"; // Phish - 2010-02-05
    Reason:  The AOL rules were dropped when going from the pornproxy to the
             proxy. Now that phish are using them we are putting them back in.

42. Action:  Modified some of the rules that go with the previous
    Date:    2010-02-05 11:36 UTC
    From:    GoodDomains[i++] = ".aol.com";
             GoodDomains[i++] = ".aolcdn.com";
    To:      GoodDomains[i++] = ".aol.com"; // Phish - 2010-02-05
             GoodDomains[i++] = ".aolcdn.com"; // 2010-02-05
    Reason:  First off there were no GoodDomains rules for these in proxy* files,
             only the pornproxy* files. Second, their purpose changed slightly for
             the Phish people are now getting in their email box. I don't think
             that the ".aolcdn.com" rule is really needed in the proxy* files but
             I added it and put in a date for consistency.

43. Action:  Altered the "cock" rule again.
    From:    BadURL_Parts[i++] = "[^ehn]cock"; // Malware - 2009-11-07
    To:      BadURL_Parts[i++] = "[^ehn]cock[^t]"; // Malware - 2010-02-05
    Reason:  "cocktail". It isn't what you think - an alcoholic beverage. They
             used it in a generic sense, as in a mix of stuff.

44. Action:  Ad Rules
    Added:   BadURL_WordStarts[i++] = "adrelated\."; // AdServer - 2010-02-05
             BadURL_WordStarts[i++] = "adsonar\."; // AdServer - 2010-02-05
    Reason:  Actually adsonar is more of a tracker than it is an ad rule but it
             doesn't matter.
             Now Chrome, IE, Opera and Safari users have this protection if they
             want it.

45. Action:  Tracker Rule
    Added:   BadURL_WordStarts[i++] = "tc_logging\.js"; // Tracker - 2010-02-05
    Reason:  samsclub.com/omniture/scripts/tc_logging.js

46. Action:  Ad Rule
    Added:   BadHostWordStarts[i++] = "sdc\."; // AdServer - 2010-02-05
    Reason:  A whole bunch of them were just added. This is the only reasonable
             way to handle a runaway situation.

47. Action:  DNSWCD Ad Domain
    Added:   BadDomains[i++] = ".asklots.com"; // DNSWCD AdServer - 2010-02-05
    Reason:  6153.nosubid.asklots.com, 8185.237.asklots.com, 8200.6639.asklots.com
             have been added to MVPHosts. I don't know how many more there will
             be but ...

48. Action:  Another DNSWCD tracker
    Added:   BadDomains[i++] = ".hopfeed.com"; // DNSWCD Tracker - 2010-02-05
    Reason:  MVPHosts has a passel, I have none. hpHosts has
             download6.hopfeed.com, but I have a block of
             trupassion.hopfeed.com/script/hopfeed_widget_content.js on
             30 Apr 2009 that was triggered by yet another rule.

49. Action:  Another smart Ad Server Domain
    Added:   BadDomains[i++] = ".crwdcntrl.net"; // AdServer - 2010-02-05
    Reason:  Too many are coming into the hosts file.

50. Action:  Changed a rule to handle multiple variants
    Date:    2010-02-05 14:25 UTC
    From:    BadURL_WordStarts[i++] = "xplays\.php"; // Malware - 2009-09-03
    To:      BadURL_WordStarts[i++] = "xplay[(m|s)]"; // Malware - 2010-02-05
    Reason:  xplays.php, xplaymovie.php

51. Action:  New malware rules
    Added:   BadURL_WordStarts[i++] = "install_activex"; // YOUR CHOICE Malware - 2010-02-08
             BadURL_WordStarts[i++] = "new-video-addon"; // YOUR CHOICE Malware - 2010-02-08
             BadURL_WordStarts[i++] = "photoarchive"; // YOUR CHOICE Malware - 2010-02-08
             BadURL_WordStarts[i++] = "smart-plugin"; // YOUR CHOICE Malware - 2010-02-08
    Reason:  The latest crop of malware that pretends to be something else. I
             still don't buy into this. You allow exe files to come ONLY from
             where you want them to come from. IOW, I would activate the exe rule
             and white list the sites I would allow exe files to come from and no
             place else. But people want to install, Install, INSTALL! They never
             once think to ask - is this crap I am installing adware / spyware or
             even worse a trojan that will cause me to have to reinstall the
             Operating System? My take on that is simple - Don't reinstall.
             INSTALL UBUNTU LINUX! I am getting tired of this.

52. Action:  An exclusion for the teen rule.
    Added:   GoodDomains[i++] = "thirteen.org"; // teen - 2010-02-08
    Reason:  Even if I drop the "teen" rules to the hosts level this will still be
             a problem so they need an exclusion. This is the main PBS station in
             New York City. I would say that Charlie Rose and others make it
             pretty big.

53. Action:  A modification for one of the teen rules.
    From:    BadHostParts[i++] = "[^s]teen"; // Malware - 2009-10-01
    To:      BadHostParts[i++] = "[^rs]teen"; // Malware - 2010-02-08
    Reason:  See number 52.

08 February 2010 UNresolved False Positives (HHH)
-------------------------------------------------

THERE HAS TO BE SOME! WHERE ARE THEY?

08 February 2010 RESOLVED False Positives (HHH)
-----------------------------------------------

1.  Pattern: "xxx"
    Date:    2009-Dec-19 04:31 UTC
    From:    BadURL_Parts[i++] = "xxx";
             GoodDomains[i++] = "dslreports.com";
             GoodDomains[i++] = "ip-adress.com";
             GoodDomains[i++] = "mywot.com";
    To:      BadHostParts[i++] = "xxx"; // Malware - 2010-01-28
             REMOVED - GoodDomains[i++] = "dslreports.com";
             REMOVED - GoodDomains[i++] = "ip-adress.com";
             ALTERED - GoodDomains[i++] = "mywot.com"; (from "xxx" to Security)
    Reason:  I am pre-empting more from happening. Ditto for other patterns that
             may cause problems. mywot is a security site so I changed its
             comment.