This file and all included files, Copyright 2003-2005 by Sponge

Files and information current as of December 31, 2005.

Introduction: The Parasite Detection System (PDS) is a derivative of the Sponge
"Spyware Blocklist", a firewall-based method of detecting and stopping
parasites that communicate with known, fixed IP addresses or domains.
Originally aimed at stopping spyware, the system has been extended to other
parasites, including adware, browser hijackers, and worms.
  The purpose of the PDS is to address several critical problems: detecting
data leakage, compromised systems, lax security policy, evasion of company
policy, and auditing. The dangers of parasites and the usefulness of the PDS
should be obvious, but if they are not, here's a quick rundown. First, the
presence of any parasite indicates that a host has been compromised. Second,
since many parasites have auto-update and code-execution features, each one
is an open channel into your network that usually cannot be closed without
either removing the parasite or filtering the parasite's "home" IP range.
Third, there is the data leakage. Some parasites leak a little, some a lot;
ANY data leakage can be a threat to a business. Some administrators make the
foolish mistake of treating spyware and tracking cookies as a "privacy" issue
that is mainly a problem for consumers. Far from it: these issues may be far
more of a threat to a business than to a consumer. Consider, for example, an
adware program that tracks the websites your users visit but is "nice" and
doesn't identify them personally. It still identifies the computer. Your
competitors probably don't care who the user is, as long as they can identify
the computer and what your users are looking at.

Table of Contents:

1. What's Included

2. How to Implement the PDS in Snort

3. Known Issues

4. Update Policy

5. Threat Classifications

6. Revision History

7. Author's Notes and Other Stuff

--------------------------------------------------------------------------------

1. What's Included

There should be four files included as well as this file: the PDS list itself
(parasites.conf), Adlist (adlist.conf), Crud (crud.conf), and extras
(extras.conf).

  Parasites.conf is the main parasite detection filter list. This is the part
  you need.

  Adlist.conf is a list of major advertising services used by parasites, or
  which may carry parasites via images, scripts, or pop-up windows, or which
  use tracking cookies. Generally, this list should NOT be used except to
  test the effectiveness of any network-wide site-blocking, such as DNSKong,
  HOSTS, and other blocking methods. If you do not deliberately engage in ad
  blocking, you will find this list to be far more trouble than it's worth.

  Crud.conf is a list of IP ranges whose appearance in your logs would
  generally indicate a company policy violation, though not necessarily a
  sign of system compromise or data leakage. I call them "PNS", for Porn 'n'
  Spam. These are IP ranges believed to be used mostly, if not exclusively,
  by adult and gambling services, as well as by some senders of spam. The
  presence of these in your logs does NOT necessarily mean that a user has
  been violating company policy; very often, spam sites link to these "home
  sites" to serve images and web bugs.

  Extras.conf contains some handy, general IDS filters not generally found
  elsewhere.

It is recommended that you use IDS filters from other sources for a more
complete IDS package. Although I plan to add IDS filters to the extras.conf
file and to various other filter files at my site, most of these filters are
already available, somewhat pre-packaged, from www.snort.org.

--------------------------------------------------------------------------------

2. How to Implement the PDS in Snort  

The PDS works without any alteration. You can rename it to snort.conf (the
default configuration file name Snort looks for) or use the -c switch and
specify parasites.conf. The following command line works nicely for most
configurations:

snort -b -A fast -c parasites.conf

Here -b logs packets in binary (tcpdump) format and -A fast writes one-line
alerts to the alert file. If you have multiple interfaces, use the -i switch
to specify the interface name (on Unix or Linux) or number (on Windows).
Remember that most Snort switches require a space between the switch and its
argument.

The default configuration flags "any" host IP address that tries to contact a
suspect IP address. This works fine for most configurations, unless you are
sharing a connection with others. You can refine your "home network" simply
by changing the IP address or range. The $internal variable, defined in
parasites.conf, is used for this. Look for the line (the first line, in fact)
that defines "internal" as "any":

var internal any

Simply replace "any" with your network ID, in CIDR format. If CIDR format is
new to you, just remember that it is a base IP address followed by the number
of leading bits that must match. An IP address is really a 32-bit number, so
if you have only one IP address, follow it with /32 to tell Snort that all 32
bits must match. If you have a Class C, /24 will work and will give you 256
(well, really, 254 usable) contiguous addresses. If you have a home network
with a dynamically-assigned IP address, you can usually do just fine by using
the address range of your ISP and the appropriate netmask. When Snort parses
the configuration, it substitutes the value of $internal (ANY, or whatever
your network/mask is) wherever the variable appears in the rules.
You can set multiple IP addresses or ranges by putting a comma between them
and enclosing the whole thing in square brackets. For example:

var internal [24.225.198.0/24,63.218.2.222/32]

tells Snort that your home network is 24.225.198.x and also 63.218.2.222.
Note that there cannot be spaces between the IP definitions or around the
comma.
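As an added illustration (this script is not part of the PDS files), the
following Python reads the "var internal" line in the format described above
and uses it to triage the one-line alerts that "snort -A fast" writes: it keeps
only alerts whose source address falls inside $internal, so that a neighbour
sharing your link does not show up as one of your infected hosts, and sorts
what remains by priority. The configuration excerpt, alert lines, sids and
rule messages are constructed for the example; the Smitfraud destination is
taken from the 85.255.112.0/21 block named in the revision history and the
other addresses are documentation ranges. The parser also accepts Snort's "!"
negation inside a list, which this README does not cover.

```python
# Added example, not from the PDS files: parse a Snort 2 'var internal' IP
# list and triage -A fast alert lines against it.
import ipaddress
import re

# Constructed excerpt in the style of parasites.conf.
SAMPLE_CONF = """\
# home network: one /24 plus one single host, no spaces inside the brackets
var internal [24.225.198.0/24,63.218.2.222/32]
"""

# Constructed lines in Snort's 'fast' alert format. The third line comes from
# a neighbour's host outside $internal and should be dropped by the triage.
SAMPLE_ALERTS = """\
10/17-14:23:01.123456  [**] [1:9000001:1] PDS Smitfraud home network [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 24.225.198.17:1045 -> 85.255.115.21:80
10/17-14:23:05.654321  [**] [1:9000002:1] Adlist tracking service [**] [Classification: Information Leak] [Priority: 2] {TCP} 63.218.2.222:3301 -> 198.51.100.10:80
10/17-14:23:09.000000  [**] [1:9000001:1] PDS Smitfraud home network [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 24.225.199.5:2231 -> 85.255.112.9:80
10/17-14:23:11.000000  [**] [1:9000003:1] Crud gambling service [**] [Priority: 3] {TCP} 24.225.198.17:1100 -> 203.0.113.44:443
"""

# Fields of a fast-format alert; the Classification part is optional and
# ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_ip_list(spec):
    """Parse a Snort IP list: 'any', a host, a CIDR block, or a bracketed,
    comma-separated list of them with no spaces. A leading '!' negates an
    entry (Snort accepts this; the README does not mention it).
    Returns (included_networks, excluded_networks)."""
    spec = spec.strip()
    if spec.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], []
    if " " in spec:
        raise ValueError("Snort IP lists must not contain spaces: %r" % spec)
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    included, excluded = [], []
    for item in spec.split(","):
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (excluded if item.startswith("!") else included).append(net)
    if not included:  # e.g. [!10.0.0.0/8] means "everything except 10/8"
        included = [ipaddress.ip_network("0.0.0.0/0")]
    return included, excluded


def read_internal_var(conf_text):
    """Return the parsed value of the 'var internal' line of a PDS-style file."""
    m = re.search(r"^\s*var\s+internal\s+(\S+)", conf_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'var internal' definition found")
    return parse_ip_list(m.group(1))


def is_internal(ip, lists):
    """True when ip is covered by $internal (included and not excluded)."""
    included, excluded = lists
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in included)


def parse_fast_alert(line):
    """Split one -A fast line into its fields, or None if it is not one."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def triage(alert_text, lists):
    """Keep alerts whose source host is inside $internal, sorted by priority.
    Returns (hits, skipped); each hit is (priority, host, message, dest)."""
    hits, skipped = [], 0
    for line in alert_text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        if not is_internal(alert["src"], lists):
            skipped += 1
            continue
        hits.append((int(alert["pri"]), alert["src"], alert["msg"], alert["dst"]))
    hits.sort()
    return hits, skipped


if __name__ == "__main__":
    home = read_internal_var(SAMPLE_CONF)
    hits, skipped = triage(SAMPLE_ALERTS, home)
    for pri, host, msg, dst in hits:
        print("P%d %-15s -> %-15s %s" % (pri, host, dst, msg))
    print("%d alert(s) from hosts outside $internal ignored" % skipped)
```

Run it against the real files by reading parasites.conf into read_internal_var
and the alert file produced by -A fast into triage; a rejected "var internal"
line with spaces in it is the most common mistake the parser will catch.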

You can use Snort as a host-based IDS (HIDS). If so, you will find it is
faster than the Spyware Blocklist. However, don't let that fool you: IDS is
very resource intensive, and really is not meant to be run on a "work"
machine. It makes much more sense to simply stop the parasites outright
by using firewall-based filters like the Spyware Blocklist.

Used as a network-based IDS (NIDS), the Parasite Detection System is a
powerful tool for detecting compromised systems and data leakage. As a NIDS,
Snort should normally run on a dedicated PC, with whatever operating system
you choose. Such a sensor can be implemented cheaply with any old PC you have
lying around. Snort can log and take packet captures to an on-disk file
(default), or can be configured to log data to a variety of services such as
an SQL database. See the Snort User's Manual at www.snort.org for more
information.

In general, a Snort NIDS should run on a dedicated PC, usually behind the
network firewall, on the LAN side. This is not required, only the recommended
setup for IDS in general. The PDS should work effectively on a 50 Mbps
(roughly T3-equivalent) connection without packet loss, although this has not
been tested. Use on higher-speed connections is not recommended unless the
PDS (and any other IDS rules) is split among several sensors. Remember that a
PC has definite and significant hardware limitations, which is why high-end
IDS vendors use proprietary hardware.

--------------------------------------------------------------------------------

3. Known Issues

Some filters that may be noisy:

The RealNetworks (ProgressiveNetworks) filters may be noisy due to the
popularity of RealPlayer, RealOne, RealJukebox, etc. You may wish to
delete these. It is recommended, however, to disable various reporting
features in the software to reduce bandwidth consumption and potential
data leakage. Same for the Musicmatch filters, as both of these products
are installed on all new Dell computers.

The Phoenixnet filters may be noisy if hosts on your network use Phoenix
BIOS chips. Some do, some don't. In 2001, Phoenix Technologies tried to
jump on the spyware/adware bandwagon by installing the technology within
the BIOS, so that it cannot be removed. Supposedly, after much consumer
outrage, Phoenix added an opt-out feature, and later removed the feature,
but a new problem on steroids will return, as Phoenix has announced a new
BIOS with embedded DRM and TCA compliance. While this can be good or bad,
the problem is that it can result both in data leakage and in the
disabling of much or most legitimate software, as the current TCA model
(and future versions of TCA operating systems) requires current
certificates before software is allowed to run.

The IMRWorldWide/RedSheriff filters may be noisy if your users frequently
visit sites with this parasite embedded in them. This parasite differs
from all others in that it is loaded as a Java applet, and cannot be
detected or filtered by the conventional methods used by traditional
removal software. If the noise becomes excessive, you can:
  1. remove the filters;
  2. use firewall-based filtering of RedSheriff IPs;
  3. use a HOSTS file on each host;
  4. use a proxy-based filter, either local or network-based; and/or
  5. use a private DNS server with the A records for all domains under
     imrworldwide.com, imrworldwide.net, and redsheriff.com set to a local
     or null value.

--------------------------------------------------------------------------------

4. Update Policy

The Parasite Detection System, as well as the Spyware Blocklist and other
stuff, is updated and is available from www.geocities.com/yosponge, in the
"Updates" section. I do intend to get a "real" site soon.
Please send any corrections, updates, new parasites, or details of their
communications to yosponge@yahoo.com or yosponge2@yahoo.com.

--------------------------------------------------------------------------------

5. Threat Classifications

Parasite threat levels are not classified in the Basic version of the
PDS. However, the following generally applies:
The presence of any parasite indicates an extremely severe, top-level
security threat: aside from the obvious data leakage and man-in-the-middle
attacks that parasites can permit, the presence of a parasite is itself
evidence of a successful installation. Furthermore, most parasites today have
an automatic, background update feature, which allows their manufacturer to
install whatever code they wish on the victim's system. This is an open
socket into your network. As a result, most parasites are currently
categorized as Priority 1, either as a Network Trojan or as a Web
Application Attack. The reason they are not all simply classed as Network
Trojans (the most proper classification) is to distinguish between parasites
that were likely installed due to too-lax software settings (i.e. too liberal
ActiveX or Active Scripting settings in Internet Explorer) or due to
unpatched flaws in applications (e.g. the Java Virtual Machine bytecode-
verifier flaw, which affects Microsoft Internet Explorer and other
applications that use the JVM), versus parasites likely to have been
installed by the user as part of the installation of another software package
(e.g. KaZaa, iMesh; in other words, a probable policy violation). Also, since
some kinds can hijack critical settings such as DNS servers, they offer the
opportunity for man-in-the-middle attacks. In any case, this is not something
to be toyed with, and it deserves the most severe threat classification and
most rapid response. Also, since most parasites are either user-installed or
installed by exploiting a high-level application such as Internet Explorer,
the installation itself is generally not stopped by traditional inbound
firewall or IPS filtering: the connection is initiated from inside, which is
why the PDS watches for outbound traffic to the parasites' home addresses.

The optional adlist.conf file classifies threats as Priority 2,
successful-recon-limited (Information Leak). These are ad sites that may
place user-tracking cookies. Although some may attempt to execute malicious
and data-vacuuming scripts or inject parasites, which would be Priority 1
threats, the vast majority are limited to tracking end users. Do not
underestimate the danger of this; it can be highly useful for competitors to
determine where your company's users are going and what they're doing; it's
just that this is technically the proper threat classification level.
Remember that this file was mainly included to audit other security software
and procedures.

The optional crud.conf rules are intended to detect breaches of company
policy, and are mostly classed at Priority 3, the lowest threat level. Some
of the sites in here may attempt to install Priority 1 dialers and parasites,
or perform data vacuuming, also a Priority 1, but the sites that do this are
spotty and highly mobile, so the extras ruleset is better used if policy
violations are not a major concern.

The optional extras.conf rules contain a number of filters designed to detect
malicious scripts, parasites, and other undesirables entering your network.
Most valuable among these are specific filters designed to look for external
ActiveX and exploit attempts. However, these filters are highly processor
intensive.
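As an added example (not part of the PDS files), the following Python reads
rules written in the PDS style and reports the priority each one will carry,
using the default priorities that Snort 2's classification.config assigns to
the class types named in this section. The sample rules, sids and messages
are constructed; the 85.255.112.0/21 and 204.16.120.0/19 netblocks are the
Smitfraud and Transponder ranges from the revision history and the rest are
documentation ranges. The fourth rule shows a caveat worth knowing when you
write crud-style rules: classtype:policy-violation defaults to priority 1 in
Snort, so an explicit priority:3 is needed to land at the level described
above. The script also flags rules that do not use $internal as the source,
since those will keep firing on a neighbour's traffic after you narrow the
home network.

```python
# Added example, not from the PDS files: show how the classtype and priority
# options on PDS-style rules map to the priority levels described above.
import re
from collections import Counter

# Subset of the defaults in Snort 2's classification.config:
# classtype -> (description shown in alerts, default priority).
CLASS_DEFAULTS = {
    "trojan-activity": ("A Network Trojan was detected", 1),
    "web-application-attack": ("Web Application Attack", 1),
    "successful-recon-limited": ("Information Leak", 2),
    "policy-violation": ("Potential Corporate Privacy Violation", 1),
    "misc-activity": ("Misc activity", 3),
}

# Constructed rules in the PDS style. Sids and messages are assumed.
SAMPLE_RULES = """\
alert ip $internal any -> 85.255.112.0/21 any (msg:"PDS parasite home site"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $internal any -> 204.16.120.0/19 80 (msg:"PDS parasite via browser settings"; classtype:web-application-attack; sid:9000002; rev:1;)
alert tcp $internal any -> 198.51.100.0/24 80 (msg:"Adlist tracking service"; classtype:successful-recon-limited; sid:9000003; rev:1;)
alert ip $internal any -> 203.0.113.0/24 any (msg:"Crud gambling service"; classtype:policy-violation; priority:3; sid:9000004; rev:1;)
alert tcp any any -> 203.0.113.128/25 any (msg:"Crud missing home net"; classtype:misc-activity; sid:9000005; rev:1;)
"""

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Split one rule into header fields plus an options dict. Good enough for
    PDS-style rules; a msg containing ';' would need a quote-aware splitter."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    rule["opts"] = opts
    return rule


def effective_priority(rule):
    """Snort uses an explicit priority: option if present, otherwise the
    classtype's default from classification.config. None if neither applies."""
    opts = rule["opts"]
    if "priority" in opts:
        return int(opts["priority"])
    cls = CLASS_DEFAULTS.get(opts.get("classtype"))
    return cls[1] if cls else None


def lint_rules(text):
    """Return (priority_counts, problems): how many rules land at each
    priority, plus rules that ignore $internal or have no usable class."""
    counts, problems = Counter(), []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        sid = rule["opts"].get("sid", "?")
        if rule["src"] != "$internal":
            problems.append("sid %s: source is %r, not $internal" % (sid, rule["src"]))
        pri = effective_priority(rule)
        if pri is None:
            problems.append("sid %s: no usable classtype or priority" % sid)
            continue
        counts[pri] += 1
    return counts, problems


if __name__ == "__main__":
    counts, problems = lint_rules(SAMPLE_RULES)
    for pri in sorted(counts):
        print("Priority %d: %d rule(s)" % (pri, counts[pri]))
    for problem in problems:
        print("WARNING", problem)
```

Point lint_rules at the contents of parasites.conf, adlist.conf or crud.conf
to see the priority distribution of each file before you decide which ones
to load on a sensor.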

--------------------------------------------------------------------------------

6. Revision History

Risk key (first letter is prevalence, second is severity; "?" = unknown):
C = Common                   H = High (older entries use "S" for High)
O = Occasional               M = Moderate
R = Rare                     L = Low

OCTOBER 17, 2006

PARASITES.CONF
Changed Smitfraud (CS) to 85.255.112.0/21 to accommodate new versions. Any
connection to this network can be considered a sign of infection,
possibly by a zero-day variant. See SmitfraudFix at
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php or afterdawn.com. Be
advised that there are fake versions of this tool going around as well.


OCTOBER 16, 2006

PARASITES.CONF
Added Smitfraud (CS) - this is by far the most prevalent, and most dangerous,
spyware around. It usually appears on your desktop advertising "anti-spyware"
or "anti-virus" software e.g. spywarequake, Spy-Sheriff, etc.
Added Toolbar888 (CS)
Added Shopnav.drsnsrch (CS)
Added more Azebar (CS)
Added W32.Trymedia worm (CM)
Added MywebSearch (CL)
Added AdExtension/unlimiteddownloadcenter/trackingbot (CS)
Added W32/HLLP.Philis.I, accesses www.hyap98.com (RS)
Added Ask.com (CS). According to spyware researcher Ben Edelman, Ask.com has
become a major purveyor of spyware and adware. Since these appear to be
sourced from ask.com servers, it is recommended that all of ask.com be
filtered. See http://www.benedelman.org/spyware/ask-toolbars/ This service
gets its ads from targetnet/Mamma.com.
Need to add Googkle.com to IDS rules, which downloads code from
www.ntsearch.com and toolbarpartner.com (outdated but still a threat) (RS)
- Note this probably uses the misspellings of other popular websites as well
Added two unknown (CS) malware that appear to read the Outlook address book
Removed Neucom filter 66.230.192.0/19, at least temporarily. This was causing
problems with some popular sites including Wikipedia.
Removed Systemuptodate.net, see Smitfraud below.
Removed Updatesearches - it is now part of Smitfraud (CS)
Added new eGroup dialer (CS)
Added Mrfindalot (OL)
Added more New dot net (CL)
Added unknown 66.244.254.0/24 to spyware
Added Proffy209.com/Smitfraud (WMF spyware hijack) (CS)
Added new eGroup dialer homesite e.g. akamai.downloadv3.com
Added new Pilosoft/CWS/Spywarequake site
Added Trj.Riler.F (RS) LSP hijacker
Added Trj.Bifrose.E (RS) aka Backdoor.Bifrose.E
Added Smitfraud (CS) - This primarily impersonates "security alerts" and
such to sell junk "security" software. The home site, thesecuritypage.com
and www.topsecuritysite.net impersonates Microsoft's site.
Added Party Gaming (CH) - home of Party Poker, tons of pop-ups, and
questionable software
Added 64.69.40.42 (revres.exe) nerdytechs.com and proxify.be
Added mywebsearch (OL)
Added Accoona (OL)
Added new Look2me detection (CS)
Added new Transponder (CS) 204.16.120.0/19.
Added 217.73.64.0/20 (CS) This is reportedly one of the worst and
longest-running malware homesites. See http://asert.arbornetworks.com/
2006/06/long-lived-malware-distribution-sites for one such explanation.
This should be filtered by everyone, regardless of what kind of software
or OS you run.
Added Trj_Conhook (CS) (Note: Many phony websites or websites that use
similar domains to popular sites are also located on some of these netblocks.)
Added more SpecificMedia. Note that this service runs regular web ads
in addition to malware.
Added 2020search (also upspiral and freakyseek. Note that freakyseek
has no dns).
Added Ittoolbox
Changed a notation for Comet Cursor (198.65.220.0/24) and added that a Comet
Cursor product is being called Starware.com/Miva.
Removed Whazit DNS hijack - apparently no longer operational.
Removed Xupiter DNS hijack - Xupiter is gone. 
Removed Qhosts hijack - long since defunct

ADLIST.CONF
Added Doubleclick filters
Added RightMedia
Added Tacoda
Added Clickbank
Added Kanoodle
Added AdbRite
Added more Webtrends
Added AdRevolver
Added VibrantMedia (OM) - this company's "ads" are injected into a webpage and
deceptively appear as double-underlined links. This affects any browser
with JavaScript enabled.
Added Contextweb (OM) - like VibrantMedia's Intellitxt, Contextweb is also a
"contextual" advertising service that injects bogus links into webpages.
Added Omniture
Added Overture
Added Meta4
Added AdWatcher
Added DVLABS

CRUD.CONF
Added Interphase Communications - Porn 'n' spam
Added 15X - Grand Cayman-based ISP that is home to quicknavigate.com and
possibly other trojans. This is for DNS only; any DNS requests to these IPs
could be indicative of some sort of trouble.
Added Optical Jungle - Porn service, and also a haven of cyber-squatting.
Added Mediatech Internet - Cybersquatting service, much like Oingo.
Added Site5 - Cybersquatting service, much like Oingo.
Added Namegiant - Cybersquatting service, much like Oingo.
Added Reflex Publishing - Cybersquatting service.
Added Sago Networks - Cybersquatters/site impersonators.
Added Source Investments - Porn/spam service.
Added Dotster/iHoldings - Cybersquatting service. The latter address range is
a much broader range that covers Interserve, the host service for iHoldings.
Many cybersquatting spaces exist on Interserve; I have not observed anything
else on this netblock BUT cybersquatters and fake sites. This may well be one
of the most important netblocks to filter.
Added Inhoster - porn 'n' spam.


DECEMBER 31, 2005

PARASITES.CONF
Added Remote Approach (CL) - Despite the low severity rating, this should be
filtered by everybody, regardless of what operating system(s) you use, since
just about every computer has Adobe Reader 6.0 or later on it. According to
Remote Approach's own website, this could be used for more nefarious
purposes. (See http://www.remoteapproach.com/remoteapproach/tour-faq.asp).
It also affects non-Windows users; all you need is Adobe Reader 6.0 or later
and you are at risk. While Adobe has created a partial fix for this problem
as of Adobe Reader Version 7.05, the patch does not actually deactivate this
feature which Remote Approach uses - it only notifies users that a Remote
Approach tag exists in a PDF document and allows them to allow or deny
contact with the Internet. Therefore, unless you can be 100 percent sure that
your users will deny Adobe Reader access to the Remote Approach site, then it
is essential to filter Remote Approach in your firewall. It is also
recommended, if you do HOSTS file or some other DNS filtering, to also add in
www.remoteapproach.com or *.remoteapproach.com.
Added new Transponder/VX2 detection (at-games.com)
Added new Coolwebsearch/Pilosoft (CoolWebSearch)
Added Searchfeed (?L)
Added Search* (??) - this netblock is home to various search "toolbars",
possibly CWS variants.
Added Interactual (CL) - this is DVD player software included in many DVD
movies, and is also packaged with some versions of CyberLink PowerDVD 6 and
greater. It also installs Flash Player 5, which is not a current version and
may contain security flaws.
Added more 180solutions/Zango/ISTBar (CS) (BTW, they make a possibly
spyware-enabled instant messaging client - beware) The ISTBar version is part
of the Gamma line of spyware. The large netblock in the second list could
be reduced to 66.152.92.0/24, but that would give less protection. Also, they
have a Java hijacker that can attack Firefox - still investigating, see
http://keygen.name/bestof.html
Added more IPInsight (CS)
Added new Favoriteman (CS) - This is one of the most dangerous forms of
spyware and should be filtered in all firewalls, regardless of browsers used
or security policy. 
Added Net-nucleus (Getmirar) dropper (CS)
Added AdManager/Accipiter/Engage (RM) - check out ads.cc214142.com
Added more Doubleclick - important to filter (CS)
Added more Searchbar (CS)
Changed Searchalot (CS)
Added (and deleted) some Gator (CS)
Added Effectivebrands (CS) - CAN ALSO AFFECT FIREFOX/MOZILLA BROWSERS.
This is also a rootkit and dropper.
Added new C2Media detection (CS)
Added more Friendgreet worm/AdultFriendFinder/FriendFinder, etc. (CS)
Added more New.net (CL)
Added Overpro (OL)
Added X10ClearStream (OL)
Added Fastfind (CL)
Added Hyperlinker (RS) (credit Andrew Clover of doxdesk.com)
Added W32/sdbot-ADD (CS) - This installs a rootkit as well as spyware/adware.
Added GAMsys (RL) (credit Andrew Clover of doxdesk.com)
Added SpecificMedia (a.k.a. GogoTools) (RS)
Added more IEPlugin (CS)
Added more BargainBuddy (CM)
Added new BrilliantDigital (RL)
Added Various (CM) - This network is home to some spyware sites, but is
primarily a cybersquatting service (domainsponsor.com)
Added Malicious Torrent Search Engines TO OTHER SITES (This only
applies to BitTorrent users - it blocks a number of malicious or phony
Torrent search engines, some disguised to look like legitimate ones.)
Added VibrantMedia to Advertising Sites - they operate a service called
Intellitxt, which is a "contextual advertising" service. However,
unlike most other contextual ads, like Google's AdSense, this actually
places links WITHIN webpages. It turns certain keywords in a webpage
into links, which are actually advertisements - much like many kinds
of spyware/adware. Unlike most true spyware or adware, however, this
uses JavaScript and thus works against any browser. This used to be X10.
Added Paypopup (CM)
Added new Speedera (OL)
Changed PayPopup (CM) Moved from Single IP list. This service is
closely associated with spyware-installing sites, and some spyware may
use ads served from this service.


Special Update March 15, 2005

PARASITES.CONF
Added Searchbrowser (CM)
Added ISearch (CH) - Credit to Ben Edelman for analyzing this and Mike Healan
for making it news. This is apparently more than a simple IE homepage
hijacker; it installs via malformed Windows Media files, so every Windows user
is vulnerable. It is reportedly difficult if not impossible to remove and
subverts numerous low-level Windows services including certificates. Thus, the
only way to remove it *might* be to completely reformat the infected system. I
do not officially give that recommendation as I have not personally analyzed
ISearch/Idownload yet.
Changed RedSheriff (CL) designation to reflect the fact that it's a Java-based parasite.
Added and Changed Gamma (CH) designation to indicate that it is also a dropper
and can be Java-based in some versions. There are numerous types of parasites
covered under Gamma. One particular variant is a dropper that installs via the
Sun Java Run-Time Environment, which affects all browsers which can use the
JRE. As Mike Healan of Spywareinfo.com has correctly pointed out, this is NOT
due to a flaw in Firefox/Mozilla, as some are misreporting. However, due to
the increasing use of alternative browsers like Firefox, more Java-based
parasites can be expected. It is recommended to disable Java in your
browser(s) entirely unless it is absolutely necessary to use.
One Gamma IP was added; presence of this IP indicates a successful hijack by the Gamma dropper, which installs numerous parasites.
Added Intercage dialer.
Changed Severity key above from "S" to "H" for High severity.
Deleted duplicate Mypagefinder entries.


--------------------------------------------------------------------------------

7. Author's Notes and Other Stuff

Not much else to say right now. Check back at www.geocities.com/yosponge
for updates. Feel free to email me with corrections, comments, questions.

Disclaimer:
The author makes no warranty as to the fitness of these filters or software
for any particular purpose; they are provided as-is. By using these filters,
the user, customers, connectees, and others agree to hold the author harmless
for any damages arising from the use or misuse of these filters.
Inclusion of a particular IP address, range, filter, or product or service
name does not necessarily state or imply any wrongdoing by any party listed
or not listed in the rules files. No defamation or obstruction of normal
operation or business is intended by the author or user, nor does the
inclusion on any filter or rule list state or imply that a product, service,
individual, or business, or any affiliate of a business, is engaged in any
illegal or unethical practice.

Copyright 2003-2005 by Sponge
