Tuesday 12 August 2008
HOSTS files, IP blacklists, toolbars - is it enough?
By Steven Burn - August 12th 2008
Back in 2006, I wrote an article on the HOSTS file and how it improved the security of your computer. Whilst that has not changed, the malware scene has, and thus the security needed to protect your computer has changed drastically.
A HOSTS file has never been enough on its own to protect you, for two reasons. First, it is far too easy for a malicious program (and, depending on your browser settings, a malicious webpage) to completely change or remove the HOSTS file in seconds, so you need a program monitoring the file for changes, such as WinPatrol. Second, it is limited to blocking individual hostnames: it cannot, for example, do a wildcard block such as *.badsite.com, and it cannot block IP addresses. So what else is needed?
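The monitoring the paragraph above calls for comes down to comparing the HOSTS file with a known-good copy and reporting every difference. The following is an added example (not code from the original post, and not how WinPatrol does it): it parses HOSTS text, diffs it against a baseline, and separately flags added or repointed names whose new target is a routable address rather than a loopback/blackhole one, which is what a redirected update server looks like. The hostnames and addresses are constructed for illustration.

```javascript
// Added example, not from the original post: parse a HOSTS file and diff it
// against a known-good baseline, reporting the kinds of edits a HOSTS-file
// monitor would alert on. The sample contents are constructed.

// Entries in a blocking HOSTS file should only ever point names at a
// loopback or blackhole address; anything else that appears is worth a look.
const SAFE_TARGETS = new Set(["127.0.0.1", "0.0.0.0", "::1"]);

// Parse HOSTS text into a Map of hostname -> address. '#' comments and blank
// lines are skipped; one line may list several hostnames for one address.
function parseHosts(text) {
  const map = new Map();
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.replace(/#.*$/, "").trim();
    if (!line) continue;
    const [address, ...names] = line.split(/\s+/);
    for (const name of names) map.set(name.toLowerCase(), address);
  }
  return map;
}

// Compare current HOSTS content with the baseline. Returns entries that were
// added, removed or repointed, plus a "suspicious" list: added or repointed
// names whose new target is not a blackhole address, i.e. a real redirect.
function diffHosts(baselineText, currentText) {
  const base = parseHosts(baselineText);
  const cur = parseHosts(currentText);
  const result = { added: [], removed: [], changed: [], suspicious: [] };
  for (const [name, address] of cur) {
    let touched = false;
    if (!base.has(name)) {
      result.added.push(`${address} ${name}`);
      touched = true;
    } else if (base.get(name) !== address) {
      result.changed.push(`${name}: ${base.get(name)} -> ${address}`);
      touched = true;
    }
    if (touched && !SAFE_TARGETS.has(address)) result.suspicious.push(`${address} ${name}`);
  }
  for (const name of base.keys()) {
    if (!cur.has(name)) result.removed.push(name);
  }
  return result;
}

// Constructed sample: a small baseline and a tampered copy in which one block
// entry was removed and a (fictional) vendor's update host was redirected.
const BASELINE_HOSTS = [
  "# constructed baseline",
  "127.0.0.1 localhost",
  "127.0.0.1 ads.example.test",
  "127.0.0.1 tracker.example.test",
].join("\n");
const TAMPERED_HOSTS = [
  "127.0.0.1 localhost",
  "127.0.0.1\ttracker.example.test",
  "203.0.113.5 update.av-vendor.test # injected",
].join("\n");

console.log(diffHosts(BASELINE_HOSTS, TAMPERED_HOSTS));
```

To run it against the real file, read the live HOSTS file and your saved baseline with fs.readFileSync and pass the two strings to diffHosts; an empty report on a schedule is the normal case, and anything in the suspicious list deserves immediate attention.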
As with everything else however, PAC files have a downside - they can only be set on a per-application, per-user basis. Thus you'd need to configure a PAC file for every user on your system, and then for every application that accesses the internet. A better option would be to have a dedicated machine working as your proxy, using Linux and DansGuardian.
For detailed information on PAC files and how they work, please see;
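To make the PAC approach concrete, here is an added example of a PAC file (not from the original post) that does the two things a HOSTS file cannot: a wildcard block on a whole domain tree and a block by IP address. It also allow-lists named hosts first, so that blocking a shared address does not take down every legitimate site hosted there. A browser's PAC engine supplies shExpMatch, isInNet and dnsResolve itself; the stand-in versions at the bottom exist only so the file runs under Node for testing, and every hostname and address is a constructed placeholder.

```javascript
// Added example, not from the original post: a proxy auto-config (PAC) file
// with a wildcard domain block, an IP-range block and an allow list.
// All hostnames and addresses are constructed placeholders.

// Hosts never sent to the blackhole, checked before everything else.
const ALLOW_HOSTS = ["www.goodsite.test"];
// Shell-style patterns for shExpMatch(); "*.badsite.test" covers every
// subdomain, which a HOSTS file would need one line each for.
const BLOCK_PATTERNS = ["badsite.test", "*.badsite.test"];
// Blocked address ranges as [network, mask] for isInNet().
const BLOCK_NETS = [["203.0.113.0", "255.255.255.0"]];
// Nothing listens on TCP port 9 (discard), so blocked requests fail at once.
const BLACKHOLE = "PROXY 127.0.0.1:9";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (ALLOW_HOSTS.indexOf(host) !== -1) return "DIRECT";
  for (const pattern of BLOCK_PATTERNS) {
    if (shExpMatch(host, pattern)) return BLACKHOLE;
  }
  // Catch direct-IP links and any name that resolves into a blocked range.
  const address = dnsResolve(host);
  if (address) {
    for (const [network, mask] of BLOCK_NETS) {
      if (isInNet(address, network, mask)) return BLACKHOLE;
    }
  }
  return "DIRECT";
}

// --- Stand-ins for the helpers a browser's PAC engine provides. They exist
// only so this file runs under Node for testing; remove them (so the real
// dnsResolve is used) before deploying the file as a PAC. ---
function shExpMatch(str, shexp) {
  const escaped = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function isInNet(ip, network, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(network) & m) >>> 0);
}
// Constructed lookup table standing in for real DNS; IP literals resolve to
// themselves, exactly as a direct-IP link would.
const FAKE_DNS = { "www.goodsite.test": "203.0.113.10", "cdn.example.test": "198.51.100.7" };
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  return FAKE_DNS[host] || null;
}

console.log(FindProxyForURL("http://ads.badsite.test/", "ads.badsite.test"));
console.log(FindProxyForURL("http://www.goodsite.test/", "www.goodsite.test"));
```

Note that www.goodsite.test resolves into the blocked 203.0.113.0/24 range and still goes DIRECT because the allow list is consulted first; that ordering is the whole point of the allow list.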
On top of the HOSTS file, you could use an IP blocklist. IP blocklists cover one of the HOSTS file's drawbacks by blocking sites based on IP (Internet Protocol) address, which allows wildcard domain blocks, for example, and blocks the lovely direct IP links that the malware community seems very fond of. This however, has its own drawbacks, namely;
1. IP addresses are not restricted to a single website; one IP address can host thousands of sites, good and bad. By blocking 22.214.171.124 for example, you could be blocking 10 bad sites and hundreds of good sites.
2. Fastflux/Hydraflux - this is now a very common method used by malicious hosts and involves (in basic terms) setting a site's DNS TTL (time to live) to a very low value, so that the name can be pointed at a different address every few minutes and an IP block is stale almost as soon as it is made. ICANN, amongst many others, wrote a great article (PDF) that goes into far greater detail on this.
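The low TTL that defines fast flux is also something you can detect from the DNS answers themselves. As an added example (not from the original post), the code below scores repeated lookups of a name on three signals: a short TTL, many distinct answer addresses, and those addresses spread across several networks. The thresholds and the lookup records are constructed assumptions; a real tool would fill the records from repeated lookups or resolver logs and key networks by ASN rather than by /16.

```javascript
// Added example, not from the original post: a heuristic for spotting fast
// flux in DNS lookups. Records and thresholds are constructed assumptions.

// A TTL this low is unusual for an ordinary site, but CDNs use low TTLs too,
// so the rule also demands answers spread over several addresses in several
// different networks before it flags anything.
const SUSPECT_TTL_SECONDS = 300;
const MIN_DISTINCT_IPS = 5;
const MIN_DISTINCT_NETS = 3;

// Crude network key: the first two octets (/16). Real tooling would map an
// address to its ASN instead.
function networkKey(ip) {
  return ip.split(".").slice(0, 2).join(".");
}

// Score one name's observations; each is { name, ttl, answers: [ip, ...] }.
function fluxScore(observations) {
  const ips = new Set();
  const nets = new Set();
  let minTtl = Infinity;
  for (const obs of observations) {
    minTtl = Math.min(minTtl, obs.ttl);
    for (const ip of obs.answers) {
      ips.add(ip);
      nets.add(networkKey(ip));
    }
  }
  const fastFlux =
    minTtl <= SUSPECT_TTL_SECONDS &&
    ips.size >= MIN_DISTINCT_IPS &&
    nets.size >= MIN_DISTINCT_NETS;
  return { distinctIps: ips.size, distinctNets: nets.size, minTtl, fastFlux };
}

// Group a mixed log of lookups by name and score each name.
function scanLookups(records) {
  const byName = new Map();
  for (const rec of records) {
    if (!byName.has(rec.name)) byName.set(rec.name, []);
    byName.get(rec.name).push(rec);
  }
  const report = new Map();
  for (const [name, obs] of byName) report.set(name, fluxScore(obs));
  return report;
}

// Constructed lookups: one name rotates through addresses in three networks
// on a two-minute TTL; the other is a CDN-style name with a low TTL but a
// stable pair of addresses in one network.
const SAMPLE_LOOKUPS = [
  { name: "flux.example.test", ttl: 120, answers: ["198.51.100.7", "203.0.113.44"] },
  { name: "flux.example.test", ttl: 120, answers: ["192.0.2.18", "198.51.100.9"] },
  { name: "flux.example.test", ttl: 120, answers: ["192.0.2.77", "203.0.113.44"] },
  { name: "cdn.example.test", ttl: 60, answers: ["198.51.100.1", "198.51.100.2"] },
  { name: "cdn.example.test", ttl: 60, answers: ["198.51.100.1", "198.51.100.2"] },
];

for (const [name, score] of scanLookups(SAMPLE_LOOKUPS)) {
  console.log(name, score);
}
```

The CDN-style name has the lowest TTL of the two but is not flagged, because it never leaves one network; requiring diversity as well as a short TTL is what keeps the rule from firing on every content-delivery hostname.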
Browser Security Toolbars
In addition to the above, you could also use one of the many security toolbars that are available. These plug into your browser to help protect you from malicious websites by either scanning the site's code prior to loading it, or by checking the site against their blacklist and warning you of a match. Just some of these include;
1. SiteHound (firetrust.com/products/sitehound)
2. Trusted Source (http://www.trustedsource.org/en/tools/tstoolbar)
3. SiteAdvisor (siteadvisor.com)
4. Netcraft (toolbar.netcraft.com)
5. Web of Trust (mywot.com)
6. Haute Secure (hautesecure.com)
7. LinkScanner (http://www.explabs.com/products/lslite.asp)
8. AVG Security Toolbar (http://www.grisoft.com/ww.product-avg-toolbar-app)
These are a great addition to the browser, and almost all of them that I'm aware of support the major browsers such as IE, Firefox and Opera (not all of them support all three though, and few of them support alternate shells such as Avant Browser).
Surely the HOSTS file, IP blocklist and toolbars should be enough? Actually no, they aren't. The toolbars also have their drawbacks - namely blacklists: the majority rely on knowing a site is bad, adding it to the blacklist, and subsequently updating the database that goes with it on your computer (a problem they share with the HOSTS file and IP blocklist). So what's left?
Not surprisingly, there is no absolute solution, and there never will be as long as we are relying on black/white lists instead of on-the-fly (OTF) scanning of a site's code. Alas, OTF is not viable for the vast majority of everyday internet users, simply because it would require the use of a sandbox that was capable of;
1. Downloading a copy of the site
2. Loading it in a sandboxed browser
3. Checking for changes to the system
4. Reporting these to the user
5. Allowing the user to make an informed decision based on the results
Aside from the obvious time involved in having it do that, which would itself drastically slow down your favourite websites, can you guess what your Average Joe is going to do with the results? Yep - they're gonna go "huh?". Without being properly educated on what exactly the results mean, Joe isn't going to have a clue and is simply going to be annoyed at how slowly the webpages were loading.
Don't fret however, there are several things you can do, in addition to the add-ons mentioned above and, of course, ensuring your system (operating system as well as any of the applications you've got) is kept up to date. First and foremost, get educated on what a site is capable of doing via your browser - and stop clicking blindly on links, both in e-mails and on websites, without knowing exactly what it is you are clicking and what it is going to load.
Improving your computer's security
The next step is to educate yourself enough to be able to tighten your browser's security settings (and no, switching to Firefox isn't going to save your computer - it's just going to keep the fanboys happy). Disable Java, disable ActiveX, disable scripting, disable Flash. Besides being unnecessary bloat for the most part, these provide the perfect vector to infect your computer. Alas, disabling these will also prevent the majority of websites from working, as your friendly webmaster has decided the site "looks better" or "works better" doing these things on the client rather than server-side (Flash/Java can't be done on the server side, but are themselves completely unnecessary for websites).
Improve the safety of your browsing and e-mail activities
US Cert: Securing Your Web Browser
A major improvement would be to switch your DNS servers to OpenDNS. OpenDNS not only allows the blocking of malicious websites (though again, they rely on blacklists), but also a whole host of others, such as pornographic and social networking sites (something I'm sure the parents amongst you would love to block), and it's surprisingly simple to do.
In addition to this, ensure you have a good firewall, and have it configured correctly. My personal favourite is Tiny Personal Firewall (I use the last freeware version, but there are newer commercial versions), but there are many others, of which I'd recommend Online Armor or Outpost (I've linked to the free (and limited) versions here, but there are fully featured commercial versions available for both of these for those that are willing, and can afford, to pay for the licences).
Keeping YOUR computer up to date
If your system is not up to date, it is not going to matter how much protection you've got in place; malware will find a way in (and it can find a way in on fully patched systems, so unpatched is a major no-no). You MUST ensure you keep Windows/Linux/Mac (whichever you use) up to date.
Keeping Windows up to date is fairly simple - leave Automatic Updates enabled (I tend to have it prompt me rather than automatically install them, but for those unfamiliar with what the updates are and what they will do, I'd recommend either reading up on them and leaving automatic updates enabled until you fully understand, or simply leaving it set to automatically download and install updates).
As with Windows, Linux generally has an option for automatic updates (I know Ubuntu tells me when there are updates), but even so, running apt-get update* every now and then can't hurt (and if your system can handle the newer version of the distro you are using, then apt-get dist-upgrade*).
* It should be noted that not all Linux distributions support apt-get. You should check your distribution's support documentation to find out which package manager it uses. If you can't find the information, ASK.
Infection prevention and cures
What should you do to both help prevent infections and clean up any you do get? A good anti-malware program is always worth having. Again, there are several options available to you;
1. WinPatrol - www.winpatrol.com (without a doubt, the best system monitor available)
2. MBAM (Malwarebytes Anti Malware) - www.malwarebytes.org
3. Spybot Search & Destroy - www.safer-networking.org
4. Mamutu - www.mamutu.com/en/software/mamutu/ (hpHosts users, see the TeMerc Internet Countermeasures Forums for a free licence)
5. a-Squared - www.emsisoft.com/en/software/free/
Please note, an anti-malware/system monitor is NOT a replacement for your antivirus; it's an addition to it. I'd strongly recommend (in no particular order);
1. ClamAV For Windows (* see update) - www.clamwin.com (free/open source, available for Linux, Windows and the MAC)
2. NOD32 - www.eset.com (commercial)
3. Kaspersky - www.kaspersky.com (commercial)
4. Avira AntiVir - free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html (free for home use (advert presented when updating signatures))
5. Avast Home Edition - www.avast.com/eng/avast_4_home.html (free for home use)
Why isn't Norton or McAfee listed here? Simple. The last time I tried Norton myself, it was a bloated pile of overpriced rubbish. Donna (Calendar of Updates) however, assures me that Norton 2008/9 are a lot less bloated and a lot faster than their previous releases. Alas however, 09 is a beta, and Norton's beta registration system seems to be broken, so until Symantec get back to me with a resolution (hopefully involving a download link and beta licence), I can't recommend it.
I'm not going to bother commenting on McAfee, however; every single version of their products has had the same problems as Norton - bloated, overpriced and, worse still, very bad detection rates. Research suggests things have not changed in the McAfee camp.
You can of course also use a sandbox yourself when using the internet. Many such things are available, such as Sandboxie. Browser sandboxes ensure your browser cannot do any damage to your system by preventing anything that loads in the browser from writing to your computer's drive. Again however, these are not foolproof and are, like everything else, susceptible to exploit. Nonetheless, they provide a great deal of security to those that use them.
Please note, I've only touched on the basics above; there is far more detailed information on both the risks of, and improvements you can make to, surfing the internet. If you need advice, feel free to pop by the TeMerc Internet Countermeasures Forums, or any of the many ASAP (Alliance of Security Analysis Professionals) forums available on the internet.
Malware Detections of Free Anti-Malware/Anti-Spyware
A HOST'ed computer is a happy computer!
Microsoft Update helps keep your computer current
Update #1 15-08-2008 - It should be noted that ClamAV does NOT come with real-time protection, though it can be scheduled for periodic scans, so it's best used as a backup scanner (i.e. scheduled to scan once per day).
Update #2 17-02-2009 - Changed hpHosts forum link to TeMerc Internet Countermeasures link as the hpHosts forums are offline at present.
Update #3 19-01-2010 - No longer recommending ClamWin as they're now bundling the Ask toolbar.