Blocking malicious sites with Adblock Plus · 2008-07-03 11:48 by Wladimir Palant

Note: Sorry, comments are closed now (2010-09-28). While it is great that lifehacker decided to mention my two-year-old blog post, I don’t really feel like reading comments from people who didn’t bother to read my blog post. If you need some info on Malware Domains list or want to comment on it — malwaredomains.com is where you should go. If you want to comment on the lifehacker article — please do so on lifehacker.com.

I was reading about yet another wave of attacks exploiting a Flash vulnerability. It turned out that the Flash vulnerability used was already fixed but that doesn’t really matter — Adobe seems incapable of updating users to a secure Flash version in a timely fashion. So Firefox users were at risk here as well, and the continuing waves of SQL Injection attacks inserting malicious iframes into trusted websites didn’t exactly make the situation better.

Yet the domains participating in the attacks are known, so there must be a way to block them. Of course I checked the malware filter in Firefox 3 first, yet it didn’t recognize the sites as malicious. It might have been that the sites were too new, yet the information on Google for some of the older domains indicated that these have been scanned and nothing objectionable could be found. Not sure what Google’s scans look at, but I guess they simply have a different focus — the idea is to block sites the user might go to unintentionally rather than malicious Flash objects that could be easily served with ads for example.

I searched for other lists of malicious domains and quickly found one aggregating multiple sources of information including Dancho Danchev’s blog posts I linked to above. The list is mainly meant for DNS servers, but why not try to use it in Adblock Plus? The script to convert the list was easily written, discussing the matter with the author of the list and finding hosting for the Adblock Plus filter subscription took somewhat longer — but now it is all done.
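The conversion step mentioned above can be sketched as follows. This is an added example, not the author's script, which the page does not show. It assumes the input is a hosts-style or bare-domain list with `#` comments (the sample is constructed), and it emits filters in the current Adblock Plus `||domain^` syntax. Entries are validated as hostnames so that a list line cannot smuggle filter options or other filter syntax into the subscription.

```python
import re

# Constructed sample input (not from the real list): hosts-style lines,
# bare domains, comments, a duplicate and entries that must be rejected.
SAMPLE = """\
# constructed sample blocklist
127.0.0.1  malware.example.com
0.0.0.0    Bad-Host.example.net   # trailing comment
exploit.example.org
malware.example.com
127.0.0.1  localhost
not a domain
evil.example.com^$document
"""

# A hostname label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_domain(line):
    """Return the normalized domain on a blocklist line, or None."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    # Hosts-file style puts a sinkhole address first; drop it.
    if len(fields) == 2 and fields[0] in ("127.0.0.1", "0.0.0.0"):
        fields = fields[1:]
    if len(fields) != 1:
        return None
    domain = fields[0].lower().rstrip(".")
    labels = domain.split(".")
    # Require two or more labels (never block "localhost"), reject bare
    # IPv4 addresses, and let LABEL reject filter metacharacters (^ $ | *).
    if len(labels) < 2 or len(domain) > 253 or labels[-1].isdigit():
        return None
    return domain if all(LABEL.match(l) for l in labels) else None

def to_abp_filters(text, title="Malicious domains (example)"):
    """Convert blocklist text into Adblock Plus subscription text."""
    domains = sorted({d for d in map(parse_domain, text.splitlines()) if d})
    header = ["[Adblock Plus 2.0]", f"! Title: {title}"]
    # ||domain^ matches the domain and its subdomains on any scheme.
    return "\n".join(header + [f"||{d}^" for d in domains]) + "\n"

if __name__ == "__main__":
    print(to_abp_filters(SAMPLE), end="")
```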

So now Adblock Plus users can add a subscription with slightly over 40000 filters that will block access to the known malicious domains. It is the first time I tried Adblock Plus with so many filters, and the good news is: the slowdown during browsing is in the area of single-digit milliseconds, which is not noticeable. The bad news: loading/saving the list still takes a while (noticeable as browser startup/shutdown delay). In Firefox 2 this took around 20 seconds, which is why I recommend against using this subscription there. The big surprise was Firefox 3, where the delay is only 3-4 seconds. Congratulations to everybody who helped optimize JavaScript, the results are really incredible!

Using this filter subscription will also require 20 MB more memory and up to 25 MB download bandwidth per month. I’ll continue working on performance optimizations, but if you can live with the performance cost and want to try it already: click here to subscribe to the list in Adblock Plus (listed on the usual list of filter subscriptions as well of course).
