juhanurmi / ahmia

Ahmia hidden service search engine
BSD 3-Clause "New" or "Revised" License

Implement a filterlist export for Tor2web import with known pattern of malware #29

Closed fpietrosanti closed 9 years ago

fpietrosanti commented 9 years ago

This ticket is to implement a filterlist export for Tor2web import with known pattern of malware.

That way a tor2web node would be able to import such a list to apply a malware blacklist.

juhanurmi commented 9 years ago

Search API that returns a list of domains

I implemented a nice test version that returns a plain text list of the domains. It can be used as a malware feed and Tor2web blocklist.

This is how it works:

For instance, as we know that the title element of CTB-Locker site is "Recovering the private key for the CTB-Locker encryption", see https://ahmia.fi/search/?q=CTB-Locker, we can search this title pattern using the API: https://ahmia.fi/search/API?q=title=Recovering%20the%20private%20key%20for%20the%20CTB-Locker%20encryption

Very useful for those who are hunting malware servers on Tor. This list can be handed to Tor2web as a blocklist.

Let's take another example: F-Secure published, see https://www.f-secure.com/weblog/archives/00002777.html, that there is a new malware called OphionLocker. We can easily find more of its servers just by searching https://ahmia.fi/search/API?q=h1=please+enter+your+hwid

In general, if we are interested in looking for a list of sites that are seized by the FBI and Homeland Security, we can just look at one of these sites and see that there is a title element "Alert!", and after this look for similar sites: https://ahmia.fi/search/API?q=title=alert
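As an added example that is not part of the ahmia project or of this thread: a small Python consumer for the plain-text domain list the API returns, which normalises and de-duplicates entries before they are written out as a blocklist. It assumes one domain per line, as described above; the Tor2web blocklist file format is not specified in this issue, so the output is a plain one-host-per-line list, and the sample response is constructed.

```python
"""Turn an Ahmia search-API result into a de-duplicated onion blocklist.

Added example, not ahmia project code. Assumes the endpoint
https://ahmia.fi/search/API?q=<query> answers with one domain per line.
"""
import re
import urllib.parse
import urllib.request
from typing import List, Optional

API_URL = "https://ahmia.fi/search/API?q="

# v2 onion address: 16 base32 characters; v3: 56 base32 characters.
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

# Constructed sample of a plain-text API answer, with the kinds of noise a
# feed consumer must cope with: blank line, subdomain, non-onion host,
# uppercase duplicate and a malformed (17-character) entry.
SAMPLE_RESPONSE = """\
abcdefghijklmnop.onion
ABCDEFGHIJKLMNOP.onion

www.abcdefghijklmnop.onion
example.com
notanonionaddress.onion
qrstuvwxyz234567.onion
"""

def normalize_onion(entry: str) -> Optional[str]:
    """Return the canonical bare onion host for an entry, or None if invalid."""
    host = entry.strip().lower()
    parts = host.split(".")
    # Drop subdomain labels: the blocklist applies to the service as a whole.
    if len(parts) >= 2 and parts[-1] == "onion":
        host = ".".join(parts[-2:])
    return host if ONION_RE.match(host) else None

def parse_feed(text: str) -> List[str]:
    """Parse a plain-text feed into a sorted, de-duplicated list of onion hosts."""
    hosts = {h for h in (normalize_onion(line) for line in text.splitlines()) if h}
    return sorted(hosts)

def fetch_feed(query: str, timeout: int = 30) -> str:
    """Fetch the raw API response for a query such as 'title=alert' (network call)."""
    url = API_URL + urllib.parse.quote(query, safe="=")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

if __name__ == "__main__":
    print("\n".join(parse_feed(SAMPLE_RESPONSE)))
```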