T145 / black-mirror

Blacklists and whitelists built by open code, so you know what goes into them.
GNU Affero General Public License v3.0

[feature]: Use lists from Hydra Dragon Antivirus #216

Open HydraDragonAntivirus opened 3 days ago

HydraDragonAntivirus commented 3 days ago

Contact Details

semameirhan555@gmail.com

What's your idea?

This project could really use Hydra Dragon Antivirus's 21.6 million website and IPv4/IPv6 blacklist as an optional source: https://github.com/HydraDragonAntivirus/HydraDragonAntivirus/tree/main/website


T145 commented 3 days ago

Interesting project, but there's not a lot of documentation in general. I have a few questions about your website lists:

  1. If you're only recommending your IPv4 and IPv6 lists to be added to Black Mirror (which from my understanding are website/IP_Addresses.7z and website/ipv6.txt respectively), why are they not updated at least daily (as IPs are extremely volatile)?
  2. Where do you get the information that's in the lists?
  3. Regarding domains, what are your criteria for blocking them? There seem to be a lot of porn and drop-shipping/scam sites.

HydraDragonAntivirus commented 3 days ago

I looked at every blacklist on the internet and tested it in my AV's real-time website filtering. I don't have much time to update automatically. I have always updated this list manually instead of automatically. My flags are generally based on tracking cookies, spam, malware, botnets, phishing, scams, suspicious websites, greyware, mining, etc.

Here is my old message in which I credit many websites.

Hydra Dragon Antivirus active sources: virusshare.com, FossAV, BatchAntivirus, Abusech, Steven Black, Ultimatehostblacklist (github), https://vxug.fakedoma.in/samples/, https://www.usom.gov.tr/, malwares.com, clamav.net, https://www.reddit.com/r/netsec/comments/gp1rm/list_of_malicious_domains_and_ip_blocklists/, https://winhelp2002.mvps.org/

Future plans: https://www.iblocklist.com/subscribe, virussign.com

Heuristics: https://bazaar.abuse.ch/browse.php?search=file_type%3Abat and the Hypatia database, maybe waiting for 10k pdf. malwares.com: still waiting for access. https://www.youtube.com/watch?v=4U_AAtMel94 https://www.vx-underground.org/ I should add a Linux malware database.

Non-active source example: https://justdomains.github.io/blocklists/ (so big), https://www.reddit.com/r/Malware/comments/7fabu5/sites_to_download_malware/

Plans: I realized that I can improve myself at open source virus detection and reverse engineering. Currently my antivirus is the best open source antivirus in the world, and I should unite my project with clamav and improve its heuristics. I need an API, and I also need to check whether system files are deleted; also use rootkit hunter, and also auditd to detect init 0 etc. Should be added: is shutdown etc. run; realize them.

New active source: https://malshare.com/daily/?C=M;O=A https://github.com/phpMussel/Signatures

T145 commented 3 days ago

Thanks, that helps a bit. Due to IPs changing so much, and wanting to focus on feeds that update daily regarding IPs, I'll pass on that section. Moving on to the domains list, I've begun doing more triage and found illegal entries, like the following:

# 007freepics.com Issue 489 # ... (which makes it clear you're using TheBlocklistProject)
[1rx.io] # ... Which I'm guessing comes from MVPS, or a similarly-formatted list
clk.rtpdn*.com # ... And other wildcard domains
# And thousands of "blogspot" domains! I wouldn't consider Blogspot sites to be actively malicious anymore.

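The entry shapes T145 calls out above (commented-out entries, bracketed hosts, wildcard patterns, and Blogspot subdomains) are the kind of thing a list maintainer would want to catch mechanically before merging a third-party feed. The following Python triage script is an added example, not code from Black Mirror or Hydra Dragon Antivirus; the sample entries are constructed for it, and the `.blogspot.com` bloat rule reflects T145's position in this thread rather than any project policy.

```python
import re

# Constructed sample list, modelled on the entry shapes discussed in the thread.
SAMPLE_LIST = """\
# 007freepics.com Issue 489
[1rx.io]
clk.rtpdn*.com
ydozochojojkherindarorikhastjmeaa.blogspot.com
example-malware-host.test
EXAMPLE.TEST.
bad host.test
"""

# One RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Hosting platforms whose subdomains are treated as list bloat rather than actively malicious
# (assumption taken from T145's comment above; extend as your own policy dictates).
BLOAT_SUFFIXES = (".blogspot.com",)


def classify_entry(raw: str) -> tuple[str, str]:
    """Return (category, normalised_value) for one blocklist line.

    Categories: 'empty', 'comment', 'bracketed', 'wildcard', 'bloat', 'invalid', 'domain'.
    Only 'domain' entries are safe to merge into a hosts-style blocklist as-is.
    """
    line = raw.strip()
    if not line:
        return "empty", ""
    if line.startswith("#"):
        return "comment", line
    if line.startswith("[") and line.endswith("]"):
        return "bracketed", line[1:-1]
    if "*" in line:
        return "wildcard", line
    host = line.lower().rstrip(".")  # normalise case and drop a trailing root dot
    if not _HOSTNAME.fullmatch(host):
        return "invalid", line
    if host.endswith(BLOAT_SUFFIXES):
        return "bloat", host
    return "domain", host


def triage_blocklist(text: str) -> dict[str, list[str]]:
    """Bucket every line of a domain list by category so that the clean FQDNs can be kept."""
    buckets: dict[str, list[str]] = {}
    for raw in text.splitlines():
        category, value = classify_entry(raw)
        buckets.setdefault(category, []).append(value)
    return buckets
```

Running `triage_blocklist(SAMPLE_LIST)` leaves only the two `.test` hosts in the `domain` bucket; everything else lands in a bucket a reviewer should look at before merging.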
HydraDragonAntivirus commented 2 days ago

https://www.virustotal.com/gui/domain/ydozochojojkherindarorikhastjmeaa.blogspot.com

T145 commented 2 days ago

(Just a side note that if English isn't your native tongue feel free to respond in whichever language you prefer!)

I'm not sure what that's supposed to prove? It has a garbage domain name, so most services that "intelligently" detect phishing or fraud services are going to flag domains that look like that. If you feel that Blogspot domains need to remain in your list, you're free to do with your provisions as you see fit. I'm only offering my advice.

I try to make Black Mirror as practical as possible, and in my experience Blogspot domains haven't been used in significant cyber attacks or phishing schemes. They only serve to bloat lists, and from my recollection originate from the UT Capitole lists. If you're seeking to block porn, great! But your implied mission statement having "Antivirus" in the name is that you're focused on security only. This is why I spell out what I'm blocking and why in a manifesto, b/c I want people to know what they're using.

HydraDragonAntivirus commented 1 day ago

Yeah, you are right. I should not keep Blogspot.