StevenBlack / hosts

🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.
MIT License

[List Suggestion] Thread Crowd malware list #1565

Closed dnmTX closed 3 years ago

dnmTX commented 3 years ago

It's a small, community-driven malware list. PROS: Frequently updated (info is a bit outdated, would recommend monitoring first). As of today, intersection: 94 domains only.

CONS: Might be a pain to report false-positives, if any. No license present.

Threat Crowd

https://www.threatcrowd.org/feeds/domains.txt

Steve @StevenBlack your call 👍

StevenBlack commented 3 years ago

This is a 96 domain intersection with our base list.

$ ghosts --intersection -c https://www.threatcrowd.org/feeds/domains.txt
----------------------------------------
Base hosts file summary:
----------------------------------------
Location: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Domains: 66,393
Bytes: 2.0 MB
----------------------------------------
----------------------------------------
Compared hosts file summary:
----------------------------------------
Location: https://www.threatcrowd.org/feeds/domains.txt
Domains: 3,465
Bytes: 55 kB
----------------------------------------
intersection: [1empiredirect.com ad-noise.net ad-void.com adblade.com adsbizsimple.com adservicestats.com advancing-technology.com afkarehroshan.com amazinggreentechshop.com arabtechmessenger.net ato.mx avidnewssource.com aynachatsrv.com bazandegan.com brittlefilet.com business-made-fun.com businessdealsblog.com businessdirectnessource.com businessedgeadvance.com cdn.krxd.net charging-technology.com charmedno1.com coffeehausblog.com cpx.to cqcounter.com cribdare2no.com customerscreensavers.com damavandkuh.com darakht.com dowelsobject.com downloadmpplayer.com eclkmpsa.com etahub.com exacttarget.com fnlpic.com following-technology.com forgotten-deals.com foroushi.net functional-business.com gar-tech.com ghalibaft.com globalnetworkanalys.com goldadpremium.com goodbizez.com gowin7.com gumgum.com havakhosh.com honarkhabar.com honarkhaneh.net housedman.com industry-deals.com islamicmarketing.net linkbucks.com listennewsnetwork.com log.kuwo.cn lsassoc.com mashinkhabar.com meevehdar.com melding-technology.com merrymilkfoods.com mimicrice.com mnet-ad.net monster-ads.net nickleplatedads.com noticiasftpsrv.com nowruzbakher.com owlsr.us parkingcrew.net parskabab.com phoneysoap.com pixel-geo.prfct.co platads.com poponclick.com posed2shade.com puhtml.com quickupdateserv.com quik-serv.com rampagegramar.com rapidlyserv.com rehabretie.com roshanavar.com rubriccrumb.com selective-business.com selfpwn.org sendfwd.com serv-load.com sherkatkonandeh.com sherkhundi.com skippyfile.com slayinglance.com speedynewsclips.com spotscenered.info streamate.com successful-marketing-now.com suddenplot.com sync-eu.exe.bid]
Intersection: 96 domains

StevenBlack commented 3 years ago

Nominally this is a 2.7% intersection ratio, which seems a bit low.

But it purports to be a malware list, so that's probably closer to an OK ratio — purely gut feel about that.

Still though, how does a small list outpoint a larger curated consensus list by about 37:1? Are we collectively that bad on the malware front? Seems doubtful.

The intersection as a readable list.

1empiredirect.com
ad-noise.net
ad-void.com
adblade.com
adsbizsimple.com
adservicestats.com
advancing-technology.com
afkarehroshan.com
amazinggreentechshop.com
arabtechmessenger.net
ato.mx
avidnewssource.com
aynachatsrv.com
bazandegan.com
brittlefilet.com
business-made-fun.com
businessdealsblog.com
businessdirectnessource.com
businessedgeadvance.com
cdn.krxd.net
charging-technology.com
charmedno1.com
coffeehausblog.com
cpx.to
cqcounter.com
cribdare2no.com
customerscreensavers.com
damavandkuh.com
darakht.com
dowelsobject.com
downloadmpplayer.com
eclkmpsa.com
etahub.com
exacttarget.com
fnlpic.com
following-technology.com
forgotten-deals.com
foroushi.net
functional-business.com
gar-tech.com
ghalibaft.com
globalnetworkanalys.com
goldadpremium.com
goodbizez.com
gowin7.com
gumgum.com
havakhosh.com
honarkhabar.com
honarkhaneh.net
housedman.com
industry-deals.com
islamicmarketing.net
linkbucks.com
listennewsnetwork.com
log.kuwo.cn
lsassoc.com
mashinkhabar.com
meevehdar.com
melding-technology.com
merrymilkfoods.com
mimicrice.com
mnet-ad.net
monster-ads.net
nickleplatedads.com
noticiasftpsrv.com
nowruzbakher.com
owlsr.us
parkingcrew.net
parskabab.com
phoneysoap.com
pixel-geo.prfct.co
platads.com
poponclick.com
posed2shade.com
puhtml.com
quickupdateserv.com
quik-serv.com
rampagegramar.com
rapidlyserv.com
rehabretie.com
roshanavar.com
rubriccrumb.com
selective-business.com
selfpwn.org
sendfwd.com
serv-load.com
sherkatkonandeh.com
sherkhundi.com
skippyfile.com
slayinglance.com
speedynewsclips.com
spotscenered.info
streamate.com
successful-marketing-now.com
suddenplot.com
sync-eu.exe.bid
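The intersection and ratio arithmetic above, as an added example that is not the ghosts tool's code and not part of the original thread: it parses a hosts-format base list and a plain one-domain-per-line feed, normalises the names, and reports the shared domains together with the two ratios being reasoned about here (shared domains as a share of the compared feed, and feed-only domains per shared domain). Both inputs are constructed samples using example.* names; the helper names and the housekeeping-name set are this example's own.

```python
"""Added example, not the ghosts tool's code or part of the original thread.

It reproduces the comparison summarised above on constructed data: parse a
hosts-format base list, parse a plain one-domain-per-line feed, and report
the intersection plus the two ratios discussed (shared domains as a share of
the compared feed, and feed-only domains per shared domain).
"""

# Constructed sample: hosts-format base list in the 0.0.0.0 convention.
BASE_HOSTS = """\
# Title: constructed base hosts file
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # trailing comment must be ignored
0.0.0.0 cdn.example-stats.com stats.example-stats.com
0.0.0.0 popunder.example.info
"""

# Constructed sample: plain domain feed, one domain per line, with mixed case
# and a trailing dot to show why normalisation matters before intersecting.
FEED_DOMAINS = """\
# constructed feed
ADS.example.net
tracker.example.org.
malware-c2.example.com
dropper.example.biz
"""

# Names a hosts file carries for its own housekeeping; never blocklist entries.
HOUSEKEEPING_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "0.0.0.0", "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def normalise(name):
    """Lower-case and drop a trailing dot so 'A.example.' equals 'a.example'."""
    return name.strip().lower().rstrip(".")


def strip_comment(line):
    """Remove a '#' comment and surrounding whitespace from one line."""
    return line.split("#", 1)[0].strip()


def parse_hosts(text):
    """Blocklisted names from a hosts file: every field after the address."""
    domains = set()
    for raw in text.splitlines():
        fields = strip_comment(raw).split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        for name in fields[1:]:  # one hosts line may carry several names
            name = normalise(name)
            if name and name not in HOUSEKEEPING_NAMES:
                domains.add(name)
    return domains


def parse_domain_feed(text):
    """Names from a plain feed with one domain per line."""
    return {normalise(line) for line in map(strip_comment, text.splitlines()) if line}


def compare(base_text, feed_text):
    """Summarise how a candidate feed relates to the base list."""
    base = parse_hosts(base_text)
    feed = parse_domain_feed(feed_text)
    shared = base & feed
    feed_only = feed - base
    return {
        "base_domains": len(base),
        "compared_domains": len(feed),
        "intersection": sorted(shared),
        # share of the compared feed already covered by the base list
        "intersection_ratio": len(shared) / len(feed) if feed else 0.0,
        # how many domains the feed would add per domain it has in common
        "feed_only_per_shared": len(feed_only) / len(shared) if shared else float("inf"),
        "feed_only": sorted(feed_only),
    }


if __name__ == "__main__":
    for key, value in compare(BASE_HOSTS, FEED_DOMAINS).items():
        print(f"{key}: {value}")
```

A low intersection ratio on its own says nothing about quality: the same number results from a feed that covers a different threat class (malware C2 rather than advertising) and from a feed full of false positives, so the feed-only list is the part worth reviewing by hand before adopting a source.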

lightswitch05 commented 3 years ago

Per https://threatcrowd.blogspot.com/2016/02/crowdsourced-feeds-from-threatcrowd.html the data is licensed [image]

StevenBlack commented 3 years ago

I'm totally willing to concede that our list is far better at advertising, privacy and tracking than we are at malware protection.

And malware is off-the-scale in terms of better safe than sorry.

lightswitch05 commented 3 years ago

To me, it looks like the way this list works is people searching for a domain on the main website threatcrowd.org and then voting in the section "Is this malicious?". Surely there are safeguards about how many votes are required before something is added/removed from the list, but it looks to be a wholly 'crowd sourced' list vs. curated. Perhaps I'm misunderstanding and there is a manual process behind the scenes.

> These feeds are not a substitute for the scale of auto-extracted command and control domains or the quality of some commercially provided feeds. But crowd-sourcing does go some way towards the quick sharing of threat intelligence between the community.

(emphasis mine)

lightswitch05 commented 3 years ago

Perhaps @threatcrowd over at https://github.com/AlienVault-OTX/ApiV2 would like to chime in

StevenBlack commented 3 years ago

Thanks Daniel @lightswitch05 that's some great input you're providing here.

scafroglia93 commented 3 years ago

info -> we removed it from nextdns as it is no longer up to date

dnmTX commented 3 years ago

> we removed it from nextdns as it is no longer up to date

You are NOT a member or associated in any way with NextDNS so please... spare us all that.... No one here is even close to being impressed by you so far... if ever ❗

scafroglia93 commented 3 years ago

Nobody ever said they were part of nextdns; I'm saying that I know this list since I had it included in the threat intelligence section.

Source -> https://github.com/nextdns/metadata/issues/136

PS -> I don't care about your personal aspects

PS1 -> there are a lot of FP like aruba.it (Italian hosting provider)

PS2 -> Now Threatcrowd is Alienvault (but there isn't any domain list)

threatcrowd commented 3 years ago

Hey, that's correct, that list is no longer updated. If you're looking at blocking malware domains, I'd suggest you take a look at https://github.com/Neo23x0/signature-base/tree/master/threatintel

dnmTX commented 3 years ago

@threatcrowd thanks for the prompt response 👍

Steve @StevenBlack I'm closing this. Reopen if needed.