Anatomy of an Attempted Malware Scam
Dynamoo writes "Malicious advertisements are getting more and more common as the Bad Guys try to use reputable ad networks to spread malware. Julia Casale-Amorim of Casale Media details the lengths that some fake companies will go to to convince ad networks to take the bait."
Re:127.0.0.1 for Casale (Score:3, Informative)
Better to use 0.0.0.0 - since it's a real invalid IP, connecting to it fails instantly, while a program trying to connect to 127.0.0.1 will take a while before giving up.
Re:Good Job Scott... apk (Score:5, Informative)
Good post, but for the record...
Using "0.0.0.0" instead of "127.0.0.1" is not more efficient because of size. There's only a 2-byte difference between the two; if your computer has a noticeable speedup just because it's reading 2 bytes less per HOSTS entry, you have way too many entries and probably more important problems.
The speedup, as pointed out by a different reply to GP, is because "0.0.0.0" is widely recognized as an invalid IP address, and just about every operating system will immediately fail if you try to connect to it. Using simply "127.0.0.1", the connect call has to go through the local loopback interface, and actually tries a connection, which adds up if you're accessing a lot of places at once (such as on a web page). The problem is even worse when the computer you're on is actually running something on port 80, in which case an actual connection is made, then fails, taking up more time. Or even worse: the connection times out!
Using "0.0.0.0" is good advice; I just wanted to make sure your reasons for using it are valid.
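An added example, not code from the thread: a small Python normaliser that rewrites 127.0.0.1 sinkhole entries in a HOSTS file to 0.0.0.0, as the comment above recommends, while leaving genuine loopback entries such as localhost untouched. The sample HOSTS content and hostnames are constructed.

```python
"""Rewrite blocklist-style HOSTS entries from 127.0.0.1 to 0.0.0.0.

Only lines whose sole purpose is to sink a hostname are changed; the
normal loopback mappings (localhost, ip6-localhost, ...) and entries that
point at real addresses are left exactly as they are.
"""
import ipaddress
from typing import Tuple

# Constructed sample HOSTS file used for the demonstration below.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   ads.example-tracker.test   # sinkhole entry
127.0.0.1   cdn.example-malvert.test
0.0.0.0     already.sunk.test
10.0.0.5    intranet.example.test
"""

# Hostnames that legitimately belong on 127.0.0.1 and must not be rewritten.
KEEP_LOCAL = {"localhost", "localhost.localdomain", "ip6-localhost"}
LOOPBACK = ipaddress.IPv4Address("127.0.0.1")


def normalise_hosts(text: str) -> Tuple[str, int]:
    """Return (rewritten_text, number_of_sinkhole_lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:
            out.append(line)            # blank or comment-only line
            continue
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            out.append(line)            # malformed address: leave untouched
            continue
        if ip == LOOPBACK and not any(n in KEEP_LOCAL for n in names):
            addr = "0.0.0.0"            # pure sinkhole entry: retarget it
            changed += 1
        new = f"{addr:<11} {' '.join(names)}"
        if comment:
            new += f"  #{comment}"
        out.append(new)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    rewritten, n = normalise_hosts(SAMPLE_HOSTS)
    print(f"{n} sinkhole entries rewritten\n{rewritten}")
```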
Re:Big Surprise (Score:3, Informative)
Not very extreme anymore. I just noticed that with the Safari extensions, it is just one click away from the Safari extensions gallery from being useful and implemented.
Re:Malicious malverts (Score:4, Informative)
Ultimately, how does the end user's computer get infected by this 'malware'?
The site linked to by the advert includes code that exploits a drive-by install using an unpatched exploit for the user's browser/OS, or uses some form of human engineering to get them to install it (i.e. like the many many "your machine is infected, follow these instructions to fix this" things that are seen out there).
At least one ad network I've seen seems to allow advertisers to include custom JavaScript in their adverts, either that or the advertisers have found a way around the filtering the ad network does on the content, at which point such unpatched flaws can be exploited without the user needing to click the ad at all.
Re:I did cover loopback ops (Score:3, Informative)
Yes, I am aware that reading more data from the disk is slower. However, I would like to point out that the time it takes to read an additional two (or even eight) sequential bytes off the disk is insignificant compared to the potential time wasted in a timeout.
Using "0.0.0.0" is more efficient, but not because of the primary reason you listed, even if that is a contributing factor. It's like saying that the water is boiling faster because the air is drier, but not mentioning that you turned up the burner.
I was not aware of your other post, and I apologize for the redundancy.
I'm righter than you (Score:3, Informative)
I've been told it's weird when ACs try so hard. Also futile.
So disregard everything I said, I suck cocks.
APK
Re:Maybe it's me (Score:3, Informative)
But... check the WHOIS for the registration date and valid contact details, check that the registrar isn't someone odd like China or Russia, check to see where the site is hosted, check the other sites on the same server and nearby IP addresses, also check the nameservers and if you are feeling more advanced check the MX handler. DomainTools or Robtex is your friend here... very often you will find red flags using just those checks alone.
Re:Thanks, & see URL @ bottom of this reply (Score:4, Informative)
Yeah, in a file with that many entries, the extra 8 bytes per line would create a large performance hit.
I'm going to agree with the AC in a sibling thread, though: if your HOSTS file is larger than 10MB*, you're doing something with HOSTS it was never meant to do. It may be easier than setting up a proper DNS server, but it's not as efficient.
(I appreciate distributing a HOSTS file is easier than telling people how to set up a DNS server, though.)
I think if you start worrying about efficiency enough to start shaving bytes off of lines, you should consider the efficiency of loading a 10MB file instead of a proper DNS server, which can store this data more efficiently than a plain-text list.
My point stands for sane use cases. In my opinion, what you're doing is an abuse of HOSTS, even if it's a handy abuse.
* 10MB is an estimate. ~10 bytes per line * ~1 million lines