malware – Grey Panthers Savannah (https://grey-panther.net)

Remembering the OG ad/malware blocking hosts file
https://grey-panther.net/2022/09/remembering-the-og-ad-malware-blocking-hosts-file.html – Tue, 06 Sep 2022 12:53:44 +0000

For the longest time the first thing which I installed on new computers / computers I was asked to “help with” was the MVPS hosts file (archive.org link). I credit this file with keeping many, many computers safe and running the way their owners intended for almost two decades now.

Sadly it seems like the maintainer might have passed sometime last year (or is at least gravely ill). From the page:

Folks … sorry for the delay (again) in getting out an update … just got out of the Hospital … I now have some severe health issues to deal with (complete Kidney failure … need a Kidney transplant) plus another operation … large needles inserted into my spine … however I will try to better maintain the MVPS HOSTS file. Well just got back from Hospital again (excessive water in lungs)

If you could … please consider a donation. Thanks to all that contributed … every little bit helps.

https://winhelp2002.mvps.org/hosts.htm (archive.org link)

So, I donated – may it be of some use to them / their family! And I encourage you to do the same if you benefited from this great file!

As for alternatives, there are several good ones:

  • I now use nextdns.io on the machines/mobile devices I maintain
  • pi-hole is also an alternative
  • Specifically for Windows, HostsMan is a good software to manage/update hosts files
  • Browser plugins like uBlock Origin are also very useful

For the last decade it has been the case – and continues to be the case in my opinion – that ad/tracker blocking is the single most effective way to keep devices from being infected with all kinds of malware (and it generally makes web browsing faster!).
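How a hosts-file blocklist of the kind described above actually works, and why the DNS-level alternatives listed (nextdns.io, pi-hole) catch more than a hosts file can: this is an added example written for this page, not code from the post or from the MVPS project. The hosts entries and domain names in it are constructed placeholders.

```python
"""Added example: parse an MVPS-style hosts file and compare its exact-hostname
matching with the suffix matching a DNS-level blocker performs.
The hosts content and domain names below are constructed, not real indicators."""

import re
from urllib.parse import urlsplit

# Constructed sample in the MVPS style: "0.0.0.0 hostname" entries, "#" comments,
# odd whitespace, and the mandatory localhost mapping that must NOT become a block.
SAMPLE_HOSTS = """\
# constructed MVPS-style HOSTS excerpt
127.0.0.1  localhost
0.0.0.0  ads.example-tracker.test        # [Tracker]
0.0.0.0  www.example-adserver.test
0.0.0.0  cdn.example-malware.test        #[Malware]
  0.0.0.0 telemetry.example-vendor.test
"""

# Hosts blocklists sink names to 127.0.0.1 or, more commonly today, to 0.0.0.0.
ENTRY = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)")


def parse_hosts(text):
    """Return the lower-cased set of hostnames the file sinks to an unroutable address."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        m = ENTRY.match(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            if name != "localhost":  # keep the system's own loopback mapping
                blocked.add(name)
    return blocked


def hosts_blocks(blocked, host):
    """Hosts-file semantics: an exact hostname match is all the resolver can do."""
    return host.lower().rstrip(".") in blocked


def dns_blocks(blocked, host):
    """DNS-level blocker semantics: a listed zone also covers every name beneath it."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def would_fetch(blocked, url, dns_level=False):
    """Would a browser on this machine be able to resolve the URL's host?"""
    host = urlsplit(url).hostname or ""
    check = dns_blocks if dns_level else hosts_blocks
    return not check(blocked, host)


if __name__ == "__main__":
    bl = parse_hosts(SAMPLE_HOSTS)
    # A tracker that moves to a fresh subdomain slips past the hosts file
    # but not past a DNS-level blocker that lists the parent zone.
    for url in ("http://ads.example-tracker.test/px.gif",
                "http://beacon.ads.example-tracker.test/px.gif"):
        print(url, "hosts-file fetch:", would_fetch(bl, url),
              "dns-level fetch:", would_fetch(bl, url, dns_level=True))
```

The second URL is the caveat in practice: a hosts file needs a new line for every subdomain, which is one reason the maintainer's update cadence mattered so much.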

Sorry for the malware warning!
https://grey-panther.net/2011/02/sorry-for-the-malware-warning.html – Fri, 25 Feb 2011 10:02:00 +0000

If you have tried to visit my blog recently, you might have seen a warning like this from your web browser:

Warning: Something's Not Right Here!

hype-free.blogspot.com contains content from randaclay.com, a site known to distribute malware.
Your computer might catch a virus if you visit this site.
...

The source of the warning is the image / link in the comment form, which I have now removed (or more precisely replaced with a local copy). It seems that randaclay.com has been hacked and is thus classified as malicious by Google, which in turn leads to all sites linking to it being marked as potentially malicious. So, while I’m sorry for doing this, I will remove the links to their site until they manage to resolve the issue, and will mirror their manifesto below:

Almost all blog platforms by default are set up so that a “dead end” piece of code is inserted wherever there is a link in a comment, so that search engines will not “count” the link as they are crawling the internet. This was originally designed to help stop comment spam, but it doesn’t work. What it does is remove some of the incentive for your readers to contribute to your site by commenting on your posts.

What can you do about it? Turn off “nofollow”. Show your commenters that you appreciate them. Spread the link love.

Security vendor’s “top-threat” list proof for their less-than-perfect performance?
https://grey-panther.net/2010/01/security-vendors-top-threat-list-proof-for-their-less-than-perfect-performance.html – Mon, 11 Jan 2010 15:52:00 +0000

Here is something I’ve been thinking about lately: most (all?) security vendors publish their “top threats” periodically. Those lists are made up by centralizing numbers reported by their clients. While it is safe to assume that the majority of the enumerated threats are blocked straight away – before they can execute a single piece of code – there is a certain percentage which is after-the-fact detection (i.e. the machine gets infected, a signature comes out later on, at which point – if you’re lucky – the security program will block the malware).

Now I have no idea about the relative size of this subset (or if the companies have it, or how they can collect it for that matter), but I find the idea that marketing material put “out there” can backfire amusing :-).

Picture taken from tigger1fic’s photostream with permission.

SMOG button removed!
https://grey-panther.net/2009/10/smog-button-removed.html – Thu, 01 Oct 2009 14:28:00 +0000

Almost a year ago I added a SMOG button to each blogpost, which (in a more or less serious manner) evaluated the “reading level” needed to understand the blogpost. However, today the site used for this service came up with a warning from Google saying that it might be malicious. I’ve looked into it, and indeed, it contains an IFRAME pointing towards a malicious site.

So I’ve taken down the script until this issue is resolved to protect people. Hopefully this issue will quickly be resolved.

Picture taken from riNux’s photostream with permission.

The myth of the cognitive quantum jumps
https://grey-panther.net/2009/08/the-myth-of-the-cognitive-quantum-jumps.html – Fri, 21 Aug 2009 08:08:00 +0000

Update: see this presentation given by Scott Berkun at Google, which explains my points much more eloquently.

Very often the media (and I’m using the word “media” here in its most comprehensive sense – including things like blogs, Slashdot, etc.) tells us the story of some uber-hyper-mega-cool new-unseen-until-now method of performing X. This leads many people to believe that progress happens in “quantum leaps” – i.e. there are no intermediate steps between point A (where we are now) and point B (where we can get to using this new discovery). As a side-effect, it also makes people think that all they have to do is to come up with a “big idea”.

This is utter nonsense and I would like to ask everybody to stop propagating this myth! (Of course I know that it is wishful thinking on my part to think that this blogpost would have a large impact on humanity, but hey, at least I’ve vented my frustration, and if just one person is convinced, I’m happy).

There are at least two factors which mislead people into this fallacy. First, the reader’s lack of knowledge in the particular field: there is no way for the reader to evaluate which prior works the current one builds upon, unless the author mentions this explicitly. And here is the second problem: our tendency to over-emphasize (either intentionally or unintentionally) our own contribution.

Also, there is a lot of both empirical and scientific evidence for the fact that progress is not as simple as coming up with one great idea. The quote from Thomas Edison (“Genius is 1 percent inspiration and 99 percent perspiration”) illustrates this. A more scientific study comes from Malcolm Gladwell, who says that you need about 10 000 hours (about ten years) of deliberate practice to become great in a given field.

One example which comes to mind from the field of malware research is the case of the Storm worm. When it “appeared”, there was a big media frenzy around it, fueled mainly by the AV companies. What nobody mentioned (because it would have broken the myth of “new, ultra-dangerous malware materializing from nowhere”) is that “Storm” is in fact the “normal” evolution of a much older malware family detected by many as “Tibs”. If one were to place the samples on a timeline and study them in the order in which they appeared, one could clearly see how the different methods (like using a simple encryption layer over UPX, using different API calls to thwart emulators, using MMX/SSE instructions, using the return values of the API calls in the decoding process, etc.) appeared and evolved. In fact “Tibs” and “Storm” are very clearly the work of the same group of people, and not something new as the reports would like you to believe.

No quantum leaps (except in theoretical physics :-))!

Picture taken from renrut’s photostream with permission.

A new security provider
https://grey-panther.net/2009/08/a-new-security-provider.html – Tue, 18 Aug 2009 15:17:00 +0000

I found out about Dasient via the presentation they did at Google (which you can see embedded below). Their angle seems to be (although this probably will change – them being a young company) that: we check your rating at Google / McAfee / Symantec and if they say that you are bad, we will find the pages which are bad and “fix” them for you (by removing the malicious code).

What bothers me:

  • The blacklist approach – this means that there will be a lag before new attacks are detected
  • Relying on third-party service (like the Google Safe Browsing API, McAfee SiteAdvisor, etc). While the Google Safe Browsing API has an explicit TOS stating that you can use it (under certain circumstances of course), the situation with McAfee and Symantec is not as clear-cut. Does Dasient have a contract with them or are they just scraping their websites? What if McAfee / Symantec decides that enough is enough and blocks them or even worse, sues them? Also, relying on these services means further delay in detecting the infected sites (because they must wait until these providers detect the infection)
  • Their touted “dynamic filtering” technology seems over-engineered to me. It also (as far as I understand) can’t handle situations like “the request is directed to a different machine” or “the machine is rootkitted and the malicious code is added on-the-fly”, both of these being situations which have occurred in the real world (the first with CN CERT and the second with a bunch of compromised Linux machines)
  • Also, I fear that because this filtering masks the problem (much like a WAF does), it will encourage people to be complacent about fixing the root of the problem (“so what if we get compromised twice a day due to weak passwords? we just click the checkbox!”)
  • Finally, the prices seem a little steep to me (starting from ~10 USD a month and going over ~ 50 USD per month)

All in all it doesn’t seem to me to be worth 2M USD (which they claim to have in funding)…

Creating a closed standard
https://grey-panther.net/2009/08/creating-a-closed-standard.html – Tue, 18 Aug 2009 04:41:00 +0000

[Picture: Propellant Containers]

After reading on Graham Cluley’s blog that the IEEE came up with a new standard [PDF] for malware interchange, I had to check it out immediately. As always, being a cranky old man, I found several problems with the proposed standard:

  • Even though the presentation has a section about “Re-Inventing the Wheel”, it fails to mention that such sample exchange has been going on for at least a decade at this point between participants of the AV industry
  • It fails to address the issue which traditionally concerned the people the most: who should the samples be shared with?
  • The specification is tied strictly to proprietary products – RAR and PGP – where at least comparable (if not better) open products exist, the adoption of which would ensure that these files can be easily processed on any platform. While both are excellent products, their selection also means that there is a minimal license fee for anybody interested in producing such archives. Also, certain encryption schemes of PGP are not implemented in GnuPG because of patent concerns, but the document doesn’t mention this. A much better option would have been to go with 7-zip and GnuPG for example (and to state explicitly that patent-encumbered encryption algorithms won’t be used).
  • The strictly defined attributes (like md5, sha1, sha256) can be easily recalculated at the receiving end. You might argue that they provide an integrity check, however the presentation explicitly states that the archive provides this function – “RAR-archived (for integrity checking)”
  • Some of the definitions are lacking in detail – for example they introduce a “classification” tag, but it doesn’t seem to include timestamp / engine version / signature version information. Without these, in today’s dynamic world, the information is not very useful.
  • Many of the fields are “free-form”, meaning that no complete automatic parsing can be done.

The conclusion? This format doesn’t bring anything new to the table and is (as it stands) just a poorly thought out waste of time.

What can a malicious program do under a limited account with Windows 7?
https://grey-panther.net/2009/07/what-can-a-malicious-program-do-under-a-limited-account-with-windows-7.html – Thu, 09 Jul 2009 19:23:00 +0000

The scope of this post is to demonstrate what a malicious program can do under Windows 7 (the newest and presumably most secure version of MS Windows) with a Guest account (the most limited one from a capability point of view). The “malware” in the video below demonstrates that a program run by the user (we can imagine tricking the user using social engineering) still can:

  • Access the user files from MyDocuments
  • Perform keylogging
  • Take screenshots

Sorry for the typos in the text, but I hope that the point came across that with minimal modifications malware can be made “compatible” with more restricted environments than what is used by default by a large percentage of the population. While malware running in these conditions wouldn’t have access to advanced capabilities (like kernel-mode rootkits), it can still inflict a lot of damage in the time window between the infection and its detection. This window can be further expanded by using tools like server-side polymorphism.

My conclusions would be:

  • Limited accounts are a great tool, but only because most (almost all) malware wasn’t written with it in mind. Probably this will change in the future as
  • Any executable (which can take many forms) running under the current user can access anything the current user can, which is probably all the information the user cares about!

I wish to emphasize again that the environment tested was much more restrictive than the user accounts created by default by Windows 7, and even so, the malicious code could access all the data belonging to the user.

PS. I will not release the source code used for the demonstration in any form (binary or source code), because there is already enough malicious code out there. Then again, the code used is fairly standard and there are many examples out there and a little searching can lead anyone to it.

Update: re-uploaded the video, now in better quality.

Update: I recently found a video demonstration by PrevX which shows how Vanquish, an old user-mode rootkit, works perfectly well under Windows Vista (and most probably 7) with LUA.

Using Procmon for finding malware
https://grey-panther.net/2009/04/using-procmon-for-finding-malware.html – Tue, 28 Apr 2009 15:58:00 +0000

The scenario is: you know you are infected, because you’ve identified a process associated with malware, but you can’t figure out how that given process is getting launched. A variation of this is: you kill the process and remove the executable, but it reappears after a given amount of time / after reboot / etc.

A great tool to help you identify the source of the problem is Process Monitor (or Procmon for short) from Microsoft (formerly Sysinternals). It records all kinds of actions related to the registry, filesystem and network with detailed information about the source of the call (process, stack trace, etc.). It can also perform this logging during bootup (which is useful, since malware can launch before you get to the desktop). Here is a short tutorial on how to use it:

The scenario is:

You have malware.bat in your system32 directory with the following content:

@echo off
echo Boo!
pause > NUL

It is being launched by launcher.bat, which is started because of an entry in the registry and has the following contents:

@echo off
call c:\WINDOWS\system32\malware.bat

Pretend that you don’t know this and want to find out how the “malware” gets started. So fire up Procmon and check “Enable Boot Logging”. You can also uncheck “Resolve Network Addresses”, because we are not interested in them currently and it speeds up things a little bit.

[Screenshot: procmon_options]

Now restart your computer and observe that the “malware” is launched. Now start Procmon again, and it will ask you if (and where) you want to save the capture file from this reboot:

[Screenshot: procmon_save_bootfile]

After you saved the file, you can search in it and locate references to our “malware”. When you’ve located a reference, you can see the properties of the process when it executed the particular command. In our case it is cmd.exe running the “launcher”:

[Screenshot: procmon_file_properties]

However, this was the easy part. The hard part is interpreting the results :-). A process can “touch” a file for many reasons. Don’t immediately assume that just because one process is related to the malware, it too is malicious. For example, all programs registered in the “Run” and similar registry keys are started by explorer.exe, which isn’t malware ;-). Another reason why a clean process could launch malicious files is that it has loaded a DLL related to the malware. Check the stack tab. Conversely, just because the name / icon looks familiar, don’t assume that it’s innocent. Check that it is in the right path (an old trick is to put executables in the system directory with the same names as the ones in system32). If possible, check that the digital signature is valid (malware can for example modify the code in executables to launch itself – which invalidates the signature). When in doubt, double check. Sites like VirusTotal can give you a good indication of the “maliciousness” of the file. Also, you can submit your files to sandboxes like ThreatExpert or CWSandbox and see how they behave. This can give you an indication about other files you might need to take a look at.
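The same “who launched it, and why?” question can be answered offline from a Procmon CSV export (File > Save, CSV format) once the boot log has been captured. This is an added example for this page, not code from the post or from Sysinternals; it assumes Procmon’s default export columns and the “PID: n, Command line: …” wording of Process Create details, and the log rows (including the C:\WINDOWS\launcher.bat location) are constructed for the tutorial’s scenario.

```python
"""Added example: triage a Procmon CSV export to find which process touched the
suspect file and walk the Process Create chain back to its launcher.
Assumes Procmon's default export columns (Time of Day, Process Name, PID,
Operation, Path, Result, Detail) and the "PID: n, Command line: ..." Detail text
of Process Create events; the log rows themselves are constructed."""

import csv
import io
import re

# Constructed boot-log excerpt for the page's scenario: explorer.exe reads a Run
# value, spawns cmd.exe for launcher.bat, and that cmd.exe opens malware.bat.
# C:\WINDOWS\launcher.bat is a placeholder location, not given in the post.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","explorer.exe","1432","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\launcher","SUCCESS","Type: REG_SZ, Data: C:\\WINDOWS\\launcher.bat"
"9:01:02.2","explorer.exe","1432","Process Create","C:\\WINDOWS\\system32\\cmd.exe","SUCCESS","PID: 2080, Command line: cmd /c ""C:\\WINDOWS\\launcher.bat"""
"9:01:02.3","cmd.exe","2080","CreateFile","C:\\WINDOWS\\launcher.bat","SUCCESS","Desired Access: Generic Read"
"9:01:02.4","cmd.exe","2080","CreateFile","C:\\WINDOWS\\system32\\malware.bat","SUCCESS","Desired Access: Generic Read"
'''

CREATE_DETAIL = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)")


def load_events(text):
    return list(csv.DictReader(io.StringIO(text)))


def process_tree(events):
    """child PID -> (parent PID, parent name, child image, command line)."""
    tree = {}
    for e in events:
        # Process Create rows are logged under the parent, so the row PID is the parent.
        if e["Operation"] == "Process Create":
            m = CREATE_DETAIL.match(e["Detail"])
            if m:
                tree[m.group(1)] = (e["PID"], e["Process Name"], e["Path"], m.group(2))
    return tree


def touched_by(events, filename):
    """(PID, process name) pairs whose operations reference the suspect file."""
    needle = filename.lower()
    return sorted({(e["PID"], e["Process Name"]) for e in events
                   if e["Path"].lower().endswith(needle)})


def launch_chain(tree, pid):
    """Follow Process Create records upward until a process the log never saw start."""
    chain = []
    while pid in tree:
        parent_pid, parent_name, image, cmdline = tree[pid]
        chain.append(f"{image} (PID {pid}) via: {cmdline}")
        chain.append(f"  <- started by {parent_name} (PID {parent_pid})")
        pid = parent_pid
    return chain


def autostart_reads(events, pid):
    """Run-key values read by a PID: why a clean process such as explorer.exe launched it."""
    return [e["Path"] for e in events
            if e["PID"] == pid and e["Operation"].startswith("Reg")
            and "\\currentversion\\run" in e["Path"].lower()]


if __name__ == "__main__":
    ev = load_events(SAMPLE_CSV)
    tree = process_tree(ev)
    for pid, name in touched_by(ev, "malware.bat"):
        print(f"{name} (PID {pid}) touched malware.bat")
        print("\n".join(launch_chain(tree, pid)))
        root = tree[pid][0] if pid in tree else pid
        print(f"autostart values read by PID {root}:", autostart_reads(ev, root))
```

The chain stops at explorer.exe, which the boot log never saw being created; the Run value it read is the persistence point to remove, not explorer.exe itself.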

Good luck and stay secure!

Gh0stNet
https://grey-panther.net/2009/03/gh0stnet.html – Mon, 30 Mar 2009 13:33:00 +0000

The latest security news (hype?) is the discovery of Gh0stNet. Links:

My take on it? There is no proof that China is behind this. There are alternative explanations (as the paper correctly points out on page 47, but I don’t think that most people got that far). The fact that all those government institutions got penetrated only shows that most people don’t get security (even in “high risk” places). Yes, some of the attacks were targeted, but we hear almost daily about your average worm penetrating all kinds of “big” institutions.

A qualm of mine is that the report is too secretive: it blacks out essential parts (no MD5 is given for the files, etc.). Also, there are some aspects which make the claim that this was a “professionally run” operation less believable:

  • From what I’ve seen, the associated GUI only makes it possible to control one machine at a time. This is very ineffective.
  • They mentioned that one of the first files to be retrieved through the network was one containing email addresses. This seems more indicative of a spamming operation than of an infiltration operation

Picture taken from Môsieur J.’s photostream with permission.
