Do I still have any regular readers left? I hope so, even though I’ve greatly neglected you. I won’t even bother with excuses. BUT, here’s a post to prove that I still know what I’m doing!
So, if you’ve been following some of the other blogs (specifically, Krebs), you’ve probably seen the hubbub about ZeusTracker. If not, I highly recommend you click on that previous link and go read. It’s long, but quite interesting.
ZeuS, if you’re unaware, is a big botnet that’s used heavily in cyber crime. You don’t want to get infected by this. To those who manage networks: You don’t want your users to get infected by this.
ZeusTracker watches for ZeuS C&C traffic via honeypots and documents the known hosts, domains and IPs associated with it. They’ve created a nice list that can be easily imported into iptables, Windows hosts files, Squid, et al.
I run Squid on one of the gateways here, so I decided to utilize that to implement this blacklist. Squid makes this incredibly simple, which is also a big plus.
In your Squid config file, you’ll see a section that’s all about ACLs (access control lists). If you scroll down far enough, you’ll see a section that says:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
So, the simplest way to implement a blacklist is by adding the following just below that comment. Mine looks like this:
# ZeuS C&C domains
acl blocksites url_regex "/etc/squid/zeus.txt"
http_access deny blocksites
Pretty simple, eh?
‘Course, now you have to create the “zeus.txt” file, otherwise that rule isn’t going to do you any good. If you go here, you’ll see a list of files that all contain the hosts & IPs that ZeusTracker knows about. In this case, you want the one formatted for Squid.
Now, you’ll need this to update, say, daily, so you’ll need to create a script and invoke it via cron. Here’s my stupid-simple script:
#!/bin/sh
/bin/rm /etc/squid/zeus.txt
/usr/bin/curl "https://zeustracker.abuse.ch/blocklist.php?download=squidblocklist" >> /etc/squid/zeus.txt
/etc/init.d/squid restart
It simply deletes the current zeus.txt file, downloads the newest version via Curl, and then restarts Squid.
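The script above deletes the old list before the new one has arrived, so a failed download leaves Squid with no blacklist at all. Here is an added, fail-safe variant (example code, not the post’s own script): it downloads to a temporary file, refuses an empty or comment-only list, swaps the file in with a single rename, and reloads Squid with `squid -k reconfigure` instead of a full restart. The paths match the post; the backup file name and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example: fail-safe daily updater for the Squid ZeuS blacklist.
# The current list is only replaced after the download succeeded and
# the new file validated, so a failed fetch keeps the old blacklist.
BLOCKLIST_URL="https://zeustracker.abuse.ch/blocklist.php?download=squidblocklist"
LIST="${LIST:-/etc/squid/zeus.txt}"

# fetch_list URL OUTFILE: download, treating HTTP 4xx/5xx as failure.
fetch_list() {
    curl --silent --show-error --fail --location --max-time 120 "$1" -o "$2"
}

# validate_list FILE: accept only a non-empty file with at least one line
# that is neither blank nor a '#' comment. An empty list would silently
# turn the url_regex ACL into a no-op.
validate_list() {
    [ -s "$1" ] || return 1
    grep -v '^#' "$1" | grep -q '[^[:space:]]'
}

# install_list NEWFILE: back up the old list (assumed name LIST.bak), swap
# the new one in with one rename so Squid never reads a half-written file,
# then ask Squid to re-read its config.
install_list() {
    if [ -f "$LIST" ]; then cp -p "$LIST" "$LIST.bak"; fi
    mv -f "$1" "$LIST" && chmod 0644 "$LIST"
    squid -k reconfigure
}

update_blocklist() {
    tmp=$(mktemp "$LIST.XXXXXX") || return 1
    if ! fetch_list "$BLOCKLIST_URL" "$tmp"; then
        echo "update: download failed, keeping current list" >&2
        rm -f "$tmp"; return 1
    fi
    if ! validate_list "$tmp"; then
        echo "update: new list is empty or malformed, keeping current list" >&2
        rm -f "$tmp"; return 1
    fi
    install_list "$tmp"
}

# Only update when called with "run", e.g. from cron:
#   17 4 * * * /usr/local/sbin/update-zeus.sh run
if [ "${1:-}" = "run" ]; then update_blocklist; fi
```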
This is a really quick & easy way to (help) protect your network from this trojan/worm/whatever you want to call it. I’ve noticed recently that even a user running a fully patched version of Windows (Vista) with Google Chrome can still get infected by this thing. I haven’t found any really good information on how, but from what I’ve witnessed, it appears to be a Java exploit.
Anyway, give this a shot!
You still have at least one reader. I have your RSS on my homepage, and was pleasantly surprised to see a new post by you. Good to hear from you again.
@gunther84: Awesome. Yeah, based on the stats, people are still reading my page.. I had a huge spike yesterday after I made this post.. lol.
Hooray. A post.
Now you have at least 3 readers xD
Welcome back
Very nice post, I like the stupid-simple script. I don’t use Squid, but being a Linux novice, simple scripts like these are fun for me to reverse engineer and figure out how they work. Today I learned how to use curl, woot!
It seems you still have at least 3 readers.
Useful post as always. The first thing which struck me was finding out if I had any historical hits on these sites. I knocked up a very crude bash loop which should help. Feel free to tart it up a bit:
for x in `egrep -v '^#|^$' /etc/squid/zeus.txt`; do
echo "--$x--" >> /tmp/zeus.log;
grep "$x" /var/log/squid/access.log >> /tmp/zeus.log;
done
This (hopefully obviously) will produce a file at /tmp/zeus.log which will contain a line printing out each line of the zeus.txt file pre/app-ended with -- and under that will be any matching lines found in your Squid access log.
A quick way to find out if you’ve got a problem is obviously:
grep -v ^-- /tmp/zeus.log
which should return nothing if you’re all clean.
You don’t write, you don’t call. Have you been seeing other blogs?
Does this browser make my butt look big? Is that why you left?
Seriously, welcome back. Hope the studying went well (it was related to that, wasn’t it?)
you are alive!
I thought you were kidnapped by Angelina Jolie!
Yes, you still have some readers.
Maybe you’re able to post more often now? Would be great!
Hey. Welcome back.
Nice, I have fallen behind on my blog too, so it’s good to know I am not the only one.
+1 on the readership you have left.
@humble: ha, if only.. lol
@Dicipulus: Haha.. I’m sorry! It’s just, I can’t pick just one blog!
Nah, not studying.. still in the process of building a new business.. which is taking a lot more of my energy than I could have ever imagined.
@Wicky: Awesome! I hadn’t even thought of that.
What the f*** is the matter with you? This is not spam, you a**hole!
That’s a really stupid script. It deletes the existing blacklist before downloading the new one, so if the download fails for any reason, you’ll be left with no blacklist! Don’t make stupid example scripts like that.
First, as I stated when I posted it – it’s a stupid simple script, it’s an example.. nothing more. If you don’t like it, don’t use it, or write your own.
Oh, wait.. you run Windows.. you probably don’t know how. Would you like me to write a better one for you?
Anyway, good job hiding yourself.. you obviously didn’t read any of my other articles about proxies and headers.