Hostsman makes it easy to block malware with a hosts file

I’ve written before about using the hosts file to block domains that are hosting malware. The idea is pretty simple. There’s a known list of domains that are either hosting or controlling malware, so by blocking your computer from accessing those domains, you make it much harder to get infected in the first place, and in the event that you do get infected, at least you block access to the command and control servers.

The problem is that Windows doesn’t make this easy. Well, I found an easy way: Hostsman. You can have it up and running in minutes.


Toggle between two hosts files with a simple script

A longtime reader wrote in asking if it was possible to easily toggle between two hosts files. There are several possible uses for this. When I’m at home, I need to address my web site by its internal, private IP address. On the road, that private address obviously doesn’t work. He wants something like this for other reasons; I believe he’s blocking ad servers with his hosts file and needs to unblock one or more servers temporarily for select sites to work properly.

This solution would make my Computer Science 203 professor rescind the B I received in his class if he saw it, but it works, and I don’t think he reads this blog anyway.


Defrag scareware

This isn’t exactly news, as word has been going around for a couple of weeks, but if you haven’t heard about it elsewhere, there are some fake defragmenters going around.

I heard mention of it today, and it reminded me that I saw one last week when I was working on my mother in law’s computer. This was especially obnoxious, considering that at the time, I was running Firefox and I was visiting a mainstream site.

So there are a couple of things you need to keep in mind.

Fix host hijacks or host file hijacks for free

Sometimes your antivirus will tell you that you have host hijacks or host file hijacks, but not elaborate on how to fix them. Some people charge way too much to fix them. Here’s how to fix host hijacks or host file hijacks for free.

A former classmate’s computer suddenly stopped letting him get to search engines. Aside from that, his computer appeared to be normal.

Fortunately he had some antivirus and antispyware software installed, so he was able to run it and get a relatively clean bill of health, but he still couldn’t use Google or Bing or Yahoo.

One of the pieces of software he ran mentioned a host hijack or hosts file hijack, but didn’t offer to clean it up without ponying up some serious bucks.

That was enough to tell me how to clean it up though. You don’t have to buy anything.

Blocking malware at the operating system level

In recent months I’ve been recommending that everyone run Adblock Plus with the malware domains subscription, to get extra protection beyond what your antivirus/antispyware suite can give. Given a choice between detecting and blocking bad stuff, or not downloading it at all, it’s much better to not download it at all.

There are some downsides to this. Adblock Plus uses a fair bit of memory. It’s tolerable on my desktop PC with 2 GB of RAM, but less so on my netbook with 1 GB of RAM. And if you have to use a browser that doesn’t have a compatible version of Adblock Plus available, you’re unprotected.

The solution is to block at the operating system level, using the hosts file.

Here’s a script that does it, with instructions.
http://www.ericphelps.com/scripting/samples/Hosts/index.htm

But I know of one malware site list that his script doesn’t use: http://www.malwaredomainlist.com/hostslist/hosts.txt. Luckily, it’s not hard at all to add that. Open the file in Notepad or another text editor, go to line 21 and add the following on a new line:
& " http://www.malwaredomainlist.com/hostslist/hosts.txt" _

Follow the author’s instructions for turning off the DNS client service if you run Windows 2000 or newer, then run the script to generate a mega-hosts file that will keep your PC from acknowledging the existence of the known bad guys. I’ve said it before, but it’s worth repeating: Detecting and blocking malware is fine, but it’s much better–faster and safer is better, right?–to not even download the stuff in the first place.

The script explicitly works with Windows 98, NT, 2000, XP, and Vista. There’s no reason why it won’t work with Windows 7, and it might even work with Windows 95 (no guarantees though).
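As an added illustration of the "mega-hosts file" idea above, and of the hosts-file hijack check from the earlier post, here is example code written for this page (not Eric Phelps's script and not anything from the original posts). The blocklists, the hijacked hosts file and the IP addresses are constructed samples.

```python
import ipaddress

# Constructed sample blocklists standing in for downloaded hosts lists
# such as malwaredomainlist.com's hosts.txt; none of this is real data.
LIST_A = """# constructed sample list A
127.0.0.1  localhost
127.0.0.1  bad-example.test   # trailing comment
127.0.0.1  dropper.example.net
"""
LIST_B = """0.0.0.0 dropper.example.net
0.0.0.0 c2.example.org
"""
# Constructed hosts file showing the "can't reach search engines" symptom.
HIJACKED = """127.0.0.1 localhost
203.0.113.9 www.google.com
203.0.113.9 www.bing.com
"""
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def merge_blocklists(*lists, sink="127.0.0.1"):
    """Build the mega-hosts file: every listed name pointed at the sinkhole, deduplicated."""
    names = set()
    for text in lists:
        for ip, name in parse_hosts(text):
            # Only honour entries that sinkhole a name; a list must never redirect us elsewhere.
            if ip in SINKHOLES and name != "localhost":
                names.add(name)
    return "127.0.0.1 localhost\n" + "".join(f"{sink} {n}\n" for n in sorted(names))

def audit_hosts(hosts_text):
    """Return (name, ip) entries pointing anywhere but loopback/unspecified: review each one."""
    flagged = []
    for ip, name in parse_hosts(hosts_text):
        try:
            addr = ipaddress.ip_address(ip)
            benign = addr.is_loopback or addr.is_unspecified
        except ValueError:
            benign = False  # malformed address, definitely worth a look
        if not benign:
            flagged.append((name, ip))
    return flagged
```

A legitimate entry such as a DynDNS name mapped to an internal address will also be flagged by audit_hosts; the point is that every non-loopback entry gets looked at, and a search engine pointed at a stranger's IP is the hijack.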

Review: D-Link DSL-2640B

I’ve had DSL for right around 10 years. I would have ordered it sooner, except it wasn’t available in my area any earlier than that.

Over the years I’ve owned several modems. I started out with an Alcatel, then after I moved a mile down the street I owned a couple of different Speedstream modems. Each would drop connections every so often, and each had a different (and undocumented, of course) ritual to get it back online.

The highest praise I can give to the D-Link DSL-2640B is that I haven’t discovered such a ritual yet. If the phone line and electricity are working, it finds a way to stay online.

There’s nothing especially flashy about the 2640B. It’s an unassuming black and silver box, similar in styling to modern PCs, with jacks in the back. It’s a combination modem, gateway, and switch in one package, so in my case, it replaced two boxes–my Speedstream modem, and my Linksys WRT54G. Many ISPs have been distributing all-in-one units made by companies like 2wire in recent years; the D-Link is similar to those, but a bit smaller than many of them.

Setup is trivial for someone who’s set up devices like my old Linksys. Those who’ve never done such a thing may need assistance. I can’t vouch for the quality of D-Link’s customer service because I didn’t need it. Before I plugged the unit into my phone line, I plugged a laptop into the D-Link, brought the two units over to my desktop PC where I brought up my Linksys configuration, and I checked all my settings against the Linksys. About 10 minutes later, I plugged the D-Link into my phone line, it connected to my ISP, and it’s been online ever since.

The nicest feature is its ADSL information screen. It tells me the modem speed (downstream and upstream), number of errors, and other diagnostic information. I’ve seen my speed range from 1.5 megabit to as low as 256K (upstream stays steady at 384K), but it’s never dropped. I’ll take speed fluctuations over dropped connections any day. If the quality of my phone line deteriorates any further (or maybe I should say, “when”)–I’ll be armed with some good information. Southwestern Bell/SBC/AT&T have always been able to dismiss my complaints in the past. I imagine that’ll be harder to do when I can tell them exactly how many tens of millions of downstream errors I have, versus 96 upstream errors.

Despite those conditions, the modem keeps on trucking. I’m impressed.

My sole complaint is that the DynDNS client doesn’t pass my domain name to my internal network. I had to put an entry for my DynDNS name into my hosts file. This won’t be an issue for anyone who isn’t running their own web server, but it’s a little aggravating for those who do. Less aggravating than a dropped connection though.

So if you need a new DSL modem for whatever reason, I recommend the D-Link DSL-2640B. It isn’t flashy, but it works and keeps working.

Update 10 October 2010: I’ve been using this unit for about 15 months, and it’s still going strong. So I can recommend it even more strongly than when I wrote this. It’s out of warranty now, and I didn’t even notice.

The worm that’s not a worm

I got mail at work today. The subject:
David you have an e-card from Alex.

Well, about the only person I know who calls me David is my mom. And I don’t know anybody named Alex. And why would a guy be sending me an e-card? Not wanting to explore that possibility any further, I disregarded it.

Then I remembered reading about something like that somewhere, so I went back and looked at it.

Short story: A really sleazy e-card company is sending out e-mail containing nothing but a URL at friendgreetings.com, which sends down ActiveX controls and installs some spyware that, among other things, sends bogus cards to everyone in your Outlook address book. That’s where I got that e-card message from. I was in this guy’s address book, for whatever reason. (Turns out he’s the webmaster at work. Funny how the webmaster and the hostmaster can go for long periods of time and never meet, eh?)

Officially, this isn’t a virus or a worm because it’s a company doing this crap, rather than a bored loser who lives in his parents’ basement, and because you have to click on an EULA (which most people do blindly anyway) for it to activate. I fail to see the difference, but I guess I’m weird that way.

I originally wrote that the anti-virus makers didn’t consider this a worm, but Symantec seems to have relented. You can get a removal tool at Symantec’s site.

If you want to protect yourself pre-emptively, locate your hosts file (in C:\winnt\system32\drivers\etc on NT/2000/XP; I’m wanting to say it’s in C:\Windows\System on Win9x; on most Unix systems it’s in /etc, not that it matters since this not-a-worm runs on Windows) and add the following entry:

127.0.0.1 www.friendgreetings.com

More cleanly, you can ask your network admins really nicely if they can block friendgreetings.com at the firewall or DNS level.

If you have inadvertently unleashed this monster, first, close Outlook immediately. Normally, I’d advise getting right with everyone else before cleaning things up, but since there’s the risk of making things worse if you do it that way, clean house, then start apologizing.

Next, download the removal tool.

If you want to be really safe, go into the control panel and remove anything that appears to have anything to do with friendgreetings.com. Next, I’d go to www.cognitronix.com and download Active Xcavator and remove anything having to do with friendgreetings.com. Next, I’d head over to LavaSoft and download Ad-Aware and let it shoot anything that moves.

Next, apologize profusely to the guy who runs your mail server (ours got clogged up for hours processing all the mail from not-our-friendgreetings.com) and to everyone in your address book. I can’t offer you any advice on the best way to do that. Except I’d use something other than Outlook to do it. Head over to TinyApps.org to find yourself a small freeware mail client. Assuming you’re not on an Exchange server, I’d suggest pulling the network plug before firing up Outlook again to get those e-mail addresses.

Meanwhile, it would do no good whatsoever if everyone who’s gotten one of these annoying e-cards (whether they opened it or not) opened a command prompt and typed ping -t www.friendgreetings.com and left it running indefinitely. No good whatsoever. It’s still a distributed denial of service attack if all of the participants participate voluntarily and independently. Right?
