
Blocking malicious sites with Adblock Plus · 2008-07-03 09:48 by Wladimir Palant

I was reading about yet another wave of attacks exploiting a Flash vulnerability. It turned out that the Flash vulnerability used was already fixed but that doesn’t really matter — Adobe seems incapable of updating users to a secure Flash version in a timely fashion. So Firefox users were at risk here as well, and the continuing waves of SQL Injection attacks inserting malicious iframes into trusted websites didn’t exactly make the situation better.

Yet the domains participating in the attacks are known, so there must be a way to block them. Of course I checked the malware filter in Firefox 3 first, yet it didn’t recognize the sites as malicious. It might have been that the sites were too new, yet the information on Google for some of the older domains indicated that these have been scanned and nothing objectionable could be found. Not sure what Google’s scans look at, but I guess they simply have a different focus — the idea is to block sites the user might go to unintentionally rather than malicious Flash objects that could be easily served with ads for example.

I searched for other lists of malicious domains and quickly found one aggregating multiple sources of information, including Dancho Danchev’s blog posts I linked to above. The list is mainly meant for DNS servers, but why not try to use it in Adblock Plus? The script to convert the list was easily written; discussing the matter with the author of the list and finding hosting for the Adblock Plus filter subscription took somewhat longer, but now it is all done.

So now Adblock Plus users can add a subscription with slightly over 40000 filters that will block access to the known malicious domains. It is the first time I tried Adblock Plus with so many filters, and the good news is: the slowdown during browsing is in the single-digit millisecond range, which is not noticeable. The bad news: loading/saving the list still takes a while (noticeable as browser startup/shutdown delay). In Firefox 2 this took around 20 seconds, which is why I recommend against using this subscription there. The big surprise was Firefox 3, where the delay is only 3-4 seconds. Congratulations to everybody who helped optimize JavaScript, the results are really incredible!

Using this filter subscription will also require 20 MB more memory and up to 25 MB download bandwidth per month. I’ll continue working on performance optimizations, but if you can live with the performance cost and want to try it already: click here to subscribe to the list in Adblock Plus (listed on the usual list of filter subscriptions as well of course).


Comment [14]

  1. Amsterdammer · 2008-07-03 10:40 · #

    Google? Malware filter in Firefox 3? Forget it!
    Within the last 3 weeks I have reported two times via menu>help>report web forgery a website with a malicious code, which is blocked by my Kaspersky. Searching in the virus-encyclopaedia of Kaspersky I found that this code is well known since 2007 (http://www.viruslist.com/de/analysis?pubid=200883546 (in German), scroll to Nr. 4: iframe Attacken…). But nothing happened the last 3 weeks, site is still not blocked by Firefox 3.
    So, who decides for the Fx3 users, what is malicious, what not? Google? IMHO too slow and unreliable.

  2. Fox · 2008-07-03 13:23 · #

    Why is there a / after every domain extension, like .com/?
    What if some listed domain uses a port number, like:
    .com:8080 or .com:81
    Then that list does not block it.

    Reply from Wladimir Palant:

    That’s to prevent false positives. So far it seems that port numbers other than 80 are very uncommon – if that assumption turns out to be wrong we can change the list.

  3. Fox · 2008-07-03 14:03 · #

    WP: “That’s to prevent false positives.”

    And I just remembered:
    .com.au
    .net.au
    .com.sg
    -domain extensions and some others,
    so that list is better that way.
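A conversion script in the spirit of the one the post mentions for turning a DNS-oriented domain list into an Adblock Plus subscription, added here as an illustration (not Wladimir’s actual script); it also shows why the trailing / discussed in the comments above avoids matches on .com.au-style hosts and why a non-default port slips past. The hosts-style sample list, the `[Adblock]` header line and the simplified substring matching are assumptions.

```python
import re

# Constructed sample of a DNS-oriented block list (hosts-file lines plus one
# bare domain per line); the names are made up, not entries of the real list.
SAMPLE_LIST = """\
# constructed sample, not the real list
127.0.0.1 localhost
127.0.0.1 evil-flash.example
0.0.0.0   iframe-dropper.example
badads.example
"""

# optional IPv4 address, then the domain; comments are stripped before matching
HOSTS_LINE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}\s+)?([a-z0-9.-]+)$", re.I)


def extract_domains(text):
    """Pull lower-cased domain names out of a hosts-style or one-per-line list."""
    domains = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        if m and m.group(1).lower() != "localhost":
            domains.append(m.group(1).lower())
    return domains


def to_abp_filter(domain):
    """Filter text for one domain: the trailing '/' ends the host part, so
    'evil.com/' cannot match 'evil.com.au/' (the false positive from the comments)."""
    return domain + "/"


def convert(text):
    """Build a subscription file: assumed '[Adblock]' header plus one filter per line."""
    return "[Adblock]\n" + "\n".join(to_abp_filter(d) for d in extract_domains(text)) + "\n"


def filter_matches(filter_text, url):
    """Simplified matching assumed here: a plain filter is a case-insensitive
    substring of the full URL, which is why a non-default port escapes the filter."""
    return filter_text.lower() in url.lower()
```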

  4. ecjs · 2008-07-03 17:56 · #

    This one is a nice solution too:
    http://www.k9webprotection.com/

  5. Asshole · 2008-07-03 21:06 · #

    Kudos to you, Mr. Palant, for this Malware Domains list. I have loaded this list and will watch its hit counts with interest.

  6. Asshole · 2008-07-03 21:17 · #

    Wait a minute—what is the point of this list? I have it installed and enabled (and ABP is also enabled), yet was able to navigate to one of the domains in the list (007arcadegames.com) without a problem. Surely I’m missing something.

    Reply from Wladimir Palant:

    It won’t prevent you from going to this page – but it will block for example any iframes or Flash objects from this domain.

  7. Asshole · 2008-07-03 22:21 · #

    The thing with K9WP is that its filters are system-wide; they are not user-based. Thus you either block categories for all users or none. The last time I used it there was also a very noticeable slowdown for loading new domains, due to the way each domain is checked before being loaded.

    If you need multi-user blocking you’re better off using OpenDNS’ content-filtering and adult-site blocking features.

  8. Fury · 2008-07-06 17:05 · #

    I think this filterlist is a great idea.

    But why is it necessary to download the whole filterlist every time? I think there will be only slight changes to the list. Wouldn’t it be possible to download only the changes and have Adblock Plus integrate them locally into the list? This would spare a lot of bandwidth and server traffic.

    Reply from Wladimir Palant:

    Adblock Plus doesn’t support that mode yet – and it is more difficult to implement on the server side. Nevertheless, that’s a direction we might try in future.

  9. Verb · 2008-07-08 12:54 · #

    Wladimir, you have a list of 4000 malicious domains. Why not report them to Mozilla to block them instead of having the list on every user’s machine that may reduce the browser speed?

    Reply from Wladimir Palant:

    I have a list of 20000 malicious domains. And they come from a source that is available to Google as well – problem seems to be really that Google has a different focus with its list, as I said in the article. So reporting those domains is pointless.

  10. RNiK · 2008-07-15 09:25 · #

    I have installed and enabled the above list. Then I started noticing frequent browser hangs (I’m still using Firefox 2.x), so I looked at the firefox.exe process through Process Explorer and I discovered the problem was the connection with malwaredomains.com and malware.com.

    Unfortunately I have to disable the above list.

    Reply from Wladimir Palant:

    Right, and of course you didn’t read the numerous warnings not to use that list with Firefox 2…

  11. RNiK · 2008-07-15 11:00 · #

    …numerous warnings…

    …Firefox 2…

    …ME = zzzz…

    DOH!

    Sorry for the spam.

  12. worriedMan · 2008-07-16 21:35 · #

    Wladimir,

    The good folks at ShadowServer.org are maintaining an up-to-date list of the URLs found on SQL injected pages. It can be found at

    http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514

    It’s pretty simple to scrape this text and use a script to convert it into an ABP filter list, and it’s a much shorter and more direct approach to the problem.

    Perhaps you could persuade them to publish it in a more accessible form and add it as an alternate subscription?

    Reply from Wladimir Palant:

    Looks interesting. I’ll contact them about that list – in particular asking whether they themselves think that creating a blocking list from it would be a useful thing. 500 filters is quite a difference compared to 40000 of course.

  13. worriedMan · 2008-07-17 16:22 · #

    Wladimir,

    As I understand it, this list is only the injected URLs observed on SQL injected sites, not the secondary URLs in the cascade (mostly redirects which ABP can’t block) and not the ultimate malware dispensaries. These are what actually show up in the injected script/iframe/whatever tags. Hence this list is much shorter and more targeted and can be used to block the entire attack at the source.
    The malwaredomains list is much broader and deeper, covering all manner of attack sources, destinations and intermediate vectors, hence comparatively huge.
    I’ve been using this list for about three weeks now and have already registered some hits. It seems to be updated rapidly as each new wave of injections is detected (a practice that we need to encourage). I still have some questions about the best way to organize/format it for ABP, perhaps we should take this discussion to the forum?

    Reply from Wladimir Palant:

    Yes, the forum is the best place for discussions.

  14. Havvy · 2008-07-24 07:59 · #

    Can you add *.on.nimp.org for the malice the site does…no viruses, but you lose your session.

    Reply from Wladimir Palant:

    I am not maintaining that list, http://www.malwaredomains.com/ is the right place to make suggestions.
