See these redirects to self BadHosts list: http://webfilter.intranetcom.net/BadHosts.unx/hosts.lnx
available from http://www.hostsfile.org/hosts.html
polonus
Hi polonus, thanks for providing us with this list.
Since this forum caters to ordinary non-geek pc users, I think some explanation is in order.
As all of you should know, real internet addresses (IPv4) are like 123.456.789.12. Somewhere, a translation takes place between the text you see in the address bar of your browser and a number like that.
There are two places where the translation may take place: on a Domain Name Server usually provided by your Internet provider, or on your own pc in a Hosts file. Your Hosts file obviously cannot contain all possible Internet addresses and be up-to-date. The Domain Name Server must provide all necessary address translations. Except for addresses on your local LAN that are usually served by a local Domain Name Server in your router: myprinter > 192.168.0.101.
Blissfully unaware, the Domain Name Server will translate to badware sites. And now it gets interesting: your Hosts file takes precedence over the Domain Name Server. That means we can make badware sites unreachable from our pc by providing a false translation in the Hosts file. Hostsfile.org provides such false translations. My.badware.site > 127.0.0.1, which is the address of ‘localhost’, the pc that sent out the translation request in the first place.
EDIT: “Local LAN”, Local Local Area Network, OK.
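To make the precedence described in the post concrete, here is an added example (not code from the forum, from hostsfile.org or from avast) that parses text in the hosts-file layout the list uses, answers a lookup the way a pc would (hosts file first, DNS second), and lists any entry that points somewhere other than a sinkhole address. The sample hosts text, the stand-in DNS table and the hostnames in it are constructed for the example; the real BadHosts list is far longer.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample in the hosts-file layout the BadHosts list uses
# (address, then one or more hostnames; '#' starts a comment). Not the real list.
SAMPLE_HOSTS = """\
# BadHosts-style sample, constructed for this example
127.0.0.1   localhost
127.0.0.1   my.badware.site
127.0.0.1   ads.example.net  tracker.example.net   # several names on one line
0.0.0.0     phish.example.org                      # 0.0.0.0 is the other common sinkhole
192.168.0.1 myrouter.lan                           # a LAN entry, not a block
"""

# Constructed stand-in for what the provider's Domain Name Server would answer.
SAMPLE_DNS = {
    "my.badware.site": "203.0.113.66",
    "www.example.com": "203.0.113.10",
}

# Addresses that make a name unreachable: the "false translations" of the post.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} from hosts-file text.

    Blank lines and comments are skipped, hostnames are lower-cased, and the
    first line naming a host is kept. Lines whose first field is not an IP
    address are ignored rather than guessed at."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name: str, hosts: Dict[str, str], dns: Dict[str, str]) -> Optional[str]:
    """Hosts file first, Domain Name Server second: the precedence the post describes."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key]
    return dns.get(key)


def is_sinkholed(name: str, hosts: Dict[str, str]) -> bool:
    """True when the hosts file sends this name to a sinkhole address."""
    return hosts.get(name.lower()) in SINKHOLES


def non_sinkhole_entries(hosts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries that map a name somewhere other than a sinkhole.

    A blocklist-style hosts file should contain almost none of these (apart
    from deliberate LAN names), so the list is worth a glance: a hosts entry
    pointing a well-known site at a foreign address is a sign of tampering."""
    return sorted((n, a) for n, a in hosts.items() if a not in SINKHOLES)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for n in ("my.badware.site", "www.example.com", "tracker.example.net"):
        print(f"{n:22} -> {resolve(n, hosts, SAMPLE_DNS)}  blocked={is_sinkholed(n, hosts)}")
    print("non-sinkhole entries:", non_sinkhole_entries(hosts))
```

Running it shows my.badware.site answered from the hosts file as 127.0.0.1 even though the stand-in DNS table knows a real-looking address for it, while www.example.com falls through to DNS; the same parse_hosts can be pointed at the actual hosts file on a pc to review what it currently blocks.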
Hi Kwartet!,
As you plough through the list you see some flagged for adult smut content, others as spammers and phishers, etc.
Here is an example of what we should look upon as a trusted mailer service
in the category computer and internet info…
An example of why a certain domain landed on this list: wXw.bronto.com
Trust-e qualifications but also spam and phishing from that IP range…
Where Brightcloud gives the site as trustworthy, a green 96 points on their web rep index
No threats found and No infections for the time of existence 54 months.
See: http://dnstree.com/216/27/63/18/
But see what happens on that range: http://www.projecthoneypot.org/ip_216.27.63.21
and another spam incident here: http://www.projecthoneypot.org/ip_216.27.63.81
Not actually security related as a first priority, but we can learn some very interesting characteristics as to how the domain is being operated:
http://www.chlooe.com/en/seo-review/bronto.com
Checked the re-mailer IP on 70 DNS based anti-spam databases.
All came up green, also the IP I mentioned that appeared in the logs of project honeypot dot org
Merci, Henry Hertz Hobbit, thank you for this list …
so avast and friends that care implement it as far as you see fit,
polonus
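The "DNS based anti-spam databases" mentioned in the post are DNSBLs: you ask the list's DNS zone about an IP by reversing its four octets and prefixing them to the zone name, and a 127.0.0.x answer means "listed" while no such name (NXDOMAIN) means "not listed". The following is an added example, not code from the forum or from any blocklist operator, that builds those query names and interprets the answers. The zone names, the answer table and the IP addresses it queries are constructed (RFC 5737 test ranges) so that it runs offline; the live_resolver function shows where a real OS lookup would plug in.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps a query name to the text of its A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the four octets and append the list's zone: 1.2.3.4 -> 4.3.2.1.zone.
    Raises ValueError for anything that is not an IPv4 address (IPv6 lists use
    nibble-reversed names, which this helper does not handle)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_ip(ip: str, zones: Iterable[str], resolve: Resolver) -> Dict[str, Optional[str]]:
    """Query every zone and keep the raw answer per zone, None meaning 'not listed'.
    Unexpected answers are kept verbatim so that an odd response stays visible."""
    return {zone: resolve(dnsbl_query_name(ip, zone)) for zone in zones}


def listed_in(results: Dict[str, Optional[str]]) -> List[str]:
    """Zones whose answer is the conventional 127.0.0.x listing code."""
    return sorted(z for z, a in results.items() if a is not None and a.startswith("127.0.0."))


def all_clear(results: Dict[str, Optional[str]]) -> bool:
    """True when no zone returned anything: what the post calls 'all came up green'."""
    return all(a is None for a in results.values())


def live_resolver(qname: str) -> Optional[str]:
    """Real lookup through the OS resolver; NXDOMAIN surfaces as socket.gaierror.
    Not used by the demo below, which stays offline."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


# Constructed zones and answers for the offline demo; neither exists in the real DNS.
FAKE_ZONES = ("spam.dnsbl.example", "proxy.dnsbl.example")
FAKE_ANSWERS = {
    "7.113.0.203.spam.dnsbl.example": "127.0.0.2",  # 203.0.113.7 listed as a spam source
}


def fake_resolver(qname: str) -> Optional[str]:
    """Offline stand-in for live_resolver, backed by the constructed answer table."""
    return FAKE_ANSWERS.get(qname)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        r = check_ip(ip, FAKE_ZONES, fake_resolver)
        print(ip, "listed in:", listed_in(r) or "nothing", "| all clear:", all_clear(r))
```

Swapping fake_resolver for live_resolver and the constructed zones for a real list's zone turns this into the check the post describes; each real list publishes its own meaning for the last octet of the 127.0.0.x answer, which is why the code keeps the raw answer rather than collapsing it to a boolean.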
To give more insight into the contents of the list, I treat another example of bad web rep that goes back to 2010…
But the analysis will explain why it initially landed there.
Some of the issues go back quite some time as for everapo dot ru for instance, haunted by some incidents from 2010, self inflicted, I assume!: http://www.malwaregroup.com/domains/details/everapo.ru
Block SPIM and Malware Text Messages Policy: Worm/Autorun Keywords: This policy was modified to detect the additional keyword(s): “upd.everapo dot ru”, “prs.everapo dot ru”
Block SPIM and Malware Text Messages Policy: Worm/Palevo Keywords: This policy was modified to detect the additional keyword(s): “76.76.99.186”, “193.104.186.88” It then had Trojan.Win32.Gibi.ti for 1.5 hrs, and Win-Trojan/Malware.180224.Q for 832.2 hrs,
which avast detected as Win32:AutoRun-BPN [W
So we should have a look with Palevo tracker and really establish this incident lies far back in history.
It goes back in history and it is still actual for that IP we started out with at our investigations…
See: https://palevotracker.abuse.ch/?ipaddress=91.211.117.146
and also we see incidents of backdoor Tofsee, a rootkit based Skype worm that opens up backdoors,
it is a file posing as a jpg that actually is an executable.
It is a high-risk piece of malware that allows a remote attacker
to take complete control over the infected machine and use it for various illegal purposes.
So there the bad web rep stayed: http://www.mywot.com/en/scorecard/everapo.ru
See what kind of abuse issues there are with other IPs in the neighbourhood there,
see: http://www.projecthoneypot.org/ip_91.211.117.146
Abuse as spam, so also see the associated harvesters there…
polonus