Skip to content

Fake windows secuirty and blocking *.co.cc websites?

Featured Replies

Mother-in-law has had 2 occasions in recent days whilst browsing where she's come across the fake security browser window.

She's been taught well not to click or do anythink, and I've talked her through killing firefox. On re-starting the nasty download page is shown which has been a .co.cc domain, yet this time firefox shows it's blocked for being a bad site, and the last site visited seems to work fine. The site was listed in google, and had a 'noton safe' logo which is why she went there, and leaves non-ok sites alone.

Today done a full Microsoft malware removal tool scan, malware bytes in safe and normal log-in's and a full scan in Norton 360 which replaced Mcafee.

I've had them before (even myself) and Mcafee didnt always detect, neither did firefox but Norton seems to have an anti-tamper protection and that's showing it is fine and hasnt been compramised. I'm happy there doesnt appear to be any typical signs of infection the fake AV apps install.

But I'd like to make life a little easier for her by stopping any *.co.cc domains from being accessed. In Mcafee this was pretty easy, Norton seems to have this locked down, and it seems Win 7 struggles and often ignore the hosts file so looking for another option.

Are there any good add-ons for firefox that will block everything from these Chinese domains?

Not that I've ever found. At work, I use a local BIND server with a copy of the list from malware-domains.com (lots of .co.cc on there), which gives a lot more flexibility.

As a workaround, you could look into using Norton's DNS service or something like OpenDNS, both of which claim to offer malware blocking.

edit - Info and setup instructions for Norton DNS here - http://nortondns.com/faq/

Edited by gavinchappell

Might be possible to cobble something using a PAC file so that it tries to route all requests to *.co.cc to a proxy server which doesn't exist?

But DNS option would be more thorough as it'd work for cases where they trigger links to sites by IP address instead of domain too.

PAC file would sort of work but only for browser traffic. Any malware "drive-by downloaders" probably aren't written to respect proxy configs so will just go directly, if they get onto the system in the first place. And there's no DNS lookups involved when accessing something directly by IP address so DNS won't help there, the only thing you can do to stop that is block the IPs in some kind of software firewall, or if you have the right sort of router then null-route them on the router itself.

I wonder if I could knock up a system which uses the malware-domains data I mentioned to create a PAC file...might give it a try tomorrow at work, could be a reasonably useful enhancement for the system I already have which creates BIND zone files. Do we think enough people on Briskoda might be interested in such a system to make it worth hacking together?

Edited by gavinchappell

And there's no DNS lookups involved when accessing something directly by IP address so DNS won't help there

When I say "DNS option" I mean an option which includes DNS (eg. DNSBL)...any permitted request should then need to correlate (or not, depending if you go white- or black-) to an IP address on said list whether it needs to be resolved or not.

If she's using Firefox, install Adblock Plus as well.

Spybot search and destroy, google it is free, you update weekly, and you can immunise yourself to threats ,and remove malicious threats. A compoter guy recomended it to me, supprised how many things it found that all the security software missed :thumbup:

I also find Kaspersky better than Norton maccafee etc and free for 3 computors if you bank with Barclays

Malware Bytes Anti-Malware tends to be better than Spybot these days (I do this a lot in my day job). Spybot has suffered of late because it's a personal project for someone and he just can't keep up with how fast the malware world changes as well as keeping a full-time job which he needs to because his software is free. Used to be excellent a few years back, but I don't rate it now. Malware Bytes on the other hand has a huge company and many times more resources thrown at it because they offer a premium product and support/consultancy in order to fund the free product better.

http://www.malwarebytes.org/products/malwarebytes_free

When I say "DNS option" I mean an option which includes DNS (eg. DNSBL)...any permitted request should then need to correlate (or not, depending if you go white- or black-) to an IP address on said list whether it needs to be resolved or not.

It's early and I'm probably missing something so I can't work out what you mean. If I try and connect to, say, http://1.2.3.4 in a browser (or indeed as part of a malware downloader) then even if I have my system configured with a DNSBL-enabled DNS server then it won't ever get checked because I'm using an IP address already, my browser/downloader will just head off to that IP quite happily. The only time I would expect a DNSBL to block anything is if I try and go to http://malware.domain.com which would then be resolved to localhost or some kind of honeypot address, or if I looked up the IP address manually and it returned a result.

Not sure if this would work but you could try adding this in the HOSTS file

127.0.0.1   .co.cc

I've never tried it with top level domains.

Edited by Aspman

I don't think that works, it only replaces the A record for that single domain (in this case "co.cc" itself). You'd still be able to resolve sub-domains which are "infected".

Is is not possible to create a list with peerblocker for something like this? I've not tried myself...

It's early and I'm probably missing something so I can't work out what you mean.

In your scenario you're correct, if you were just relying on DNS resolution it wouldn't work...you'd need all requests to be checked against the DNSBL and then permitted/denied, there are various plugins and proxies that'll do this sort of thing.

Ahh, I see. So I ask for http://1.2.3.4 through a proxy, and the proxy does a separate DNS lookup for "4.3.2.1.dnsbl.com" or similar, if it gets a result then the connection stops, if not it proxies the data as normal? That makes more sense, must have been the key bit of info I wasn't taking in earlier :)

That makes more sense, must have been the key bit of info I wasn't taking in earlier :)

In fairness, I can see why me referring to it as "the DNS option" may've left some details unclear. :D

  • Author

Thanks all.

Monitoring having added adblock plus.

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.