Remove Malware domains

[nicolaasjan]

Prerequisites

• I verified that this is not a filter issue
  • Filter issues MUST be reported at filter issue tracker
• This is not a support issue or a question
  • Support issues and questions are handled at /r/uBlockOrigin
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue
  • Your issue may already be reported.
• I tried to reproduce the issue when...
  • uBlock Origin is the only extension
  • uBlock Origin with default lists/settings
  • using a new, unmodified browser profile
• I am running the latest version of uBlock Origin
• I checked the documentation to understand that the issue I report is not a normal behavior

Description

Similar to #984.

I've been watching this list for quite some time now and virtually nothing changes...

The last entry is:
usibw.top phishing private 20200518

usibw.top is a dead domain by now...

I really think it's worth considering the removal of this once great list.

Example of a better alternative at this point would be:
https://gitlab.com/curben/urlhaus-filter (?)

A specific URL where the issue occurs

n/a

Steps to Reproduce:

n/a

Expected behavior:

n/a

Actual behavior:

n/a

Your environment

• uBlock Origin version: v1.27.11rc2
• Browser Name and version: Firefox 77.0.1
• Operating System and version: Linux Mint 19.3

[gorhill]

Replacing both malware list with Online Malicious URL Blocklist?

The other list, Malicious URL Blocklist, is too large to have it enabled by default, and though uBO can efficiently store it in memory, the large size is an issue because:

• Default lists have to be part of the package, so this has a negative impact on the size of the package
• In Chromium, the storage used figure climbs to 37 MB (from ~20 MB)

[nicolaasjan]

Replacing both malware list with Online Malicious URL Blocklist?

The other list, Malicious URL Blocklist, is too large to have it enabled by default, and though uBO can efficiently store it in memory, the large size is an issue because:

* Default lists have to be part of the package, so this has a negative impact on the size of the package

* In Chromium, the storage used figure climbs to 37 MB (from ~20 MB)

https://gitlab.com/curben/urlhaus-filter/raw/master/urlhaus-filter-online.txt
would be fine , I guess.

I have it in my Custom Filters and it is updated very frequently.

However, I read somewhere that the format is not entirely UBO compatible.
Is that true and if so, is it up to Urlhaus to address that?

[gorhill]

I looked at the list and it's fine. Ideally, entries for which there is a path should be prefixed with ||, but given how unique those paths are, it's highly unlikely to lead to false positive. For example:

ak.imgfarm.com/images/nocache/vicinio/100000417/19562-111117113753/[email protected]

Would normally be written as:

||ak.imgfarm.com/images/nocache/vicinio/100000417/19562-111117113753/[email protected]

But the filter is so unique that I really don't see the need for the ||, and actually it's being stored slightly more efficiently without the || (because one less condition to evaluate). So I am fine to have the list as is.

[Yuki2718]

However, I read somewhere that the format is not entirely UBO compatible.
Is that true and if so, is it up to Urlhaus to address that?

Add the list and pick a URL from it for downloading .exe, and then access the site and it will be downloaded without an issue. $document or $all modifier is needed to prevent it.

[gorhill]

Yes, I overlooked this. Maybe the best way to approach this is for a list to be able to hint at its primary purpose so that uBO parses the filters to ensure they apply to requests for the main document as well.

[Yuki2718]

Yes, I overlooked this. Maybe the best way to approach this is for a list to be able to hint at its primary purpose so that uBO parses the filters to ensure they apply to requests for the main document as well.

Is that worth troubling? I wonder whether @MDLeom can simply add $all, even for all the rules if choosing specific rules is trouble for him.

[nicolaasjan]

However, I read somewhere that the format is not entirely UBO compatible.
Is that true and if so, is it up to Urlhaus to address that?

Add the list and pick a URL from it for downloading .exe, and then access the site and it will be downloaded without an issue. $document or $all modifier is needed to prevent it.

Yes, when I enter the URL (.xpi file) Gorhill mentioned above I get this:

[VernonStow]

I noticed today that the Urlhaus author has added $all to the entries targeting specific bad file downloads for the filterlists recommended for uBO. Much appreciated!

https://gitlab.com/curben/urlhaus-filter/raw/master/urlhaus-filter-online.txt

[gwarser]

...ajax-made/1^$all

Hmmm, ^ should be removed or replaced by *.

https://gitlab.com/curben/urlhaus-filter/-/commit/859dfd03c6e9e5af6f1fac29bc9b22d1e0046111

[gorhill]

Great, this means I can go ahead with this. So both current malware domain lists will be removed from stock lists and replaced with Online Malicious URL Blocklist.

[Yuki2718]

Hmmm, ^ should be removed or replaced by *.

Can I ask about what is the exact problem? I mean if ajax-made/1_ or such doesn't proceed.

[gwarser]

Can I ask about what is the exact problem?

?

https://gitlab.com/curben/urlhaus-filter/-/commit/859dfd03c6e9e5af6f1fac29bc9b22d1e0046111#0329d79171f0f92caecdb36bd26a669696d1042b_103_106

[gorhill]

The ^ is not really a big issue, it's just that it's not really needed. The filters will be dealt with properly by uBO with the ^, but semantically the filters are better without it. I also consider that semantically the * is also not needed, it appears all those URL-based filters are complete, I don't think any of them is truncated mid-token.

[Yuki2718]

@gwarser @gorhill Thanks!

[curbengh]

Maintainer of urlhaus-filter here. Currently urlhaus-filter-online.txt uses:

||example-bad.com/bad-page.html^$all

Should I use the following syntax instead (i.e. remove the ^)?

||example-bad.com/bad-page.html$all

[gorhill]

Yes, second form is better, it's semantically correct -- the ^ is equivalent to regex /[^%.0-9a-z_-]|$/ -- I don't think it's something we expect after the pattern in your case.

Thanks for maintaining that list, I consider this helps make uBO better.

[curbengh]

Updated the script. The filter will be updated in ~10 hours.

Thanks for maintaining that list, I consider this helps make uBO better.

No problem. I'm a longtime uBO user, always wanted to contribute.

[lipici]

i updated to uBlock Origin development build v1.28.1b5 but Malware Domain List 1,104 used out of 1,104 and Malware domains 26,838 used out of 26,853 didnt moved to custom list and https://gitlab.com/curben/urlhaus-filter hasnt be added

L.E: appears only after you purge cache and update filters

[sith-on-mars]

Does that mean now the new Online Malicious URL Blocklist can completely replace both Malware Domain List and Malware Domain?

If yes, could you please update the recommended lists in different blocking modes, like this page?

[gwarser]

https://github.com/uBlockOrigin/uBlock-issues/wiki/_compare/c65978da28d98a402840957bbb11c25b36ad699c...f68f791486395a7b15860ccd4ce5a12fbd51061d