2008-03-24

HostExploit - What? Why? Who?

HostExploit – ‘A call to arms’ - Why another Internet security blog and more ‘black hole’ lists? - It's the HOSTS!

It has become increasingly apparent that malware, spam, phishing and other BadWare distributors are now engaged in automated domain generation, 100s to 1,000s per week, which is making it seriously difficult for the major domain / IP ‘blocklist’ and ‘blacklist’ providers simply to keep up.

Added to this we now have: iFrame attacks via web portals; several major international web hosts with 1,000s of innocent, paying clients whose web sites have been hacked and are infectious to web surfers; DDoS (distributed denial of service); polymorphic malware that many anti-virus / spyware / malware solutions are unable to detect; and millions of PC users being directed to rogue and fake web sites.

Finally, we have the rise of the botnets: anonymously managed fast-flux and double-flux (ever-changing IP addresses) control of 1,000s of infected zombie PCs.


We now believe the general situation on the Internet calls for an alternative and additional open source approach that deals with this head on, i.e. with the web hosts and Internet carriers. Every one of the IPs, web sites or domains is hosted or carried by someone, and we feel it is time to break the taboo and name, list and expose the ones that host the malware that infects us all. This approach is not meant to replace existing methods, but we hope it will add to the security community’s and PC users’ array of possible tools to reduce the threat.


HostExploit – Who?
This blog and its associated list(s) are edited by Jart Armin and James McQuaid; however, the research is provided by a wider volunteer group, some of whom would rather remain anonymous due to their other professional Internet activities. All those involved are web professionals within: web hosting, server management, DNS (Domain Name System), Internet security, and IDS (Intrusion Detection Systems).


HostExploit – Who is this for?
You, i.e. any PC user, webmaster, ISP (Internet Service Provider) or web host who wants to reduce the threat of infection or exploitation. Where necessary or possible, all topics and articles will contain added information to illuminate and educate.


HostExploit – What to expect?

• Bad Host Lists – these will be in several formats for users to apply for themselves or distribute freely. These lists will initially focus on the (b) and (c) categories (see below) and can be used to black hole, block or just for general awareness.


• Specific bad host exposures – On a regular basis there will be articles exposing a specific host and providing detail and, where possible, quantification, with a historical background.

• Bad Host categorization – the host or AS (autonomous server) issue comes down to a certain level of semantics and initially crude differentiation, so we will commence with an ‘a b c’ method:

(a) Hosts / Servers / AS of 'infected sites' = i.e. infected or hacked sites / domains which have bad exploit code, infected iFrames, SQL injections, XSS exploits, etc. to exploit visitors.

(b) Hosts / Servers / AS of 'user infector sites' = i.e. where the malware and rogues are located and to which, more often than not, users are directed from infections on sites within (a).

(c) Hosts / Servers / AS of 'user receptor sites' = The ultimately very bad, including the so-called "bullet proof servers" masked by the botnets, used to receive, trade, pay affiliates, warez, etc. from (b): stolen IDs, credit cards and bank phishing info; and for (a), to pay partners and affiliates to infect the web sites. Also used for DDoS botnet C&C (command and control) actions.


HostExploit - To Inform and educate – Articles that attempt to help explain the processes and terminology involved.


HostExploit – Want to help or have your say?
This is an open source ‘non-profit’ volunteer group and we welcome help, input or feedback. However, for security reasons there is no allowance for onsite comments, so email HostExploit (at) gmail.com.

It is likely input would be within the following:


• To keep informed or pass on the information? – sign up for a ‘Feedburner’ feed and you will be informed about new articles. Feel free to pass on articles and the list(s), or publish them in your blog, magazine or newspaper, under a ‘Creative Commons License’; obviously it is courteous to show hostexploit.com as a reference.


• Have information we may have missed or a new exposure? – email us.

• Are you a Web Host / Server / AS, and feel any information or inclusion within the list(s) is in error? – Please email us and say where we are wrong. Our objective is to reduce such a list, and we will be delighted to explain the error or demonstrate you have cleaned up your act.