R3.o.lencr.org is seen as malware

r3.o.lencr.org is seen as malware on How to remove R3.o.lencr.org redirect virus | Remove Malware and Bedreiging R3.o.lencr.org | Verwijderen Malware

Are they two different things or is there also malware called r3.o.lencr.org?
Also r3.o.lencr.org is in the DNS blocklists I use
What is the actual case?

lencr.org does belong to Let's Encrypt, meaning this is certain to be a (ridiculously) false positive:
lencr.org - Let's Encrypt

The false positive is confirmed by the fact that visiting that site manifestly does none of the things stated at the first page. It doesn't change the default search engine. It doesn't change the home page. It doesn't change any other browser settings. It doesn't, in fact, do anything, it just serves a blank page unless you properly query it. All of which suggests to me that malware-remove.com is itself malware, or at least nothing but FUD.

3 Likes

@danb35 In theory there can be malware out there with a name corresponding to a legit hostname. But looking at the generic way those "blogs" are written, I suspect those sites are very big trolls. I wouldn't put much faith in those sites, let alone believe anything written there.

Also, it's unfortunate @Zounp doesn't name the DNS block list, so we can't say anything about that..

3 Likes

True. But the claim made by that site (the first; I don't read Dutch to comment on the second) is that the hostname is itself the problem.

2 Likes

You can hardly call it Dutch: it's another language translated to Dutch in an automated way. For example, "Windows 10" is literally translated to "Ramen 10" where "raam/ramen" is Dutch for the noun "window/windows". Which only strengthens my thought about the fake nature of those sites.

3 Likes

IOW, the domain that should be on the DNS block list is malware-remove.com.

4 Likes

I agree :slight_smile: I think those sites are trying to lure unexperienced people to download and install their application with who knows what inside it..

3 Likes

list.3.adblock.mahakala.is.domains

I don't know what URL that is, but the Mahakala list seems to be downloadable from https://adblock.mahakala.is/ and r3.o.lencr.org seems to be in that list indeed.

That list was also used on Pi-Hole it seems, which would present a problem for OCSP requests to LE for Pi-Hole users. However, it was disabled in 2015:

Mahakala list. Has been known to block legitimage domains including the entire .com range.

Due to so many users having issues with this list blocking legitimate domains such as microsoft.com, apple.com, xkcd.com and more (…)

That's BAD..

So it seems the Mahakala list is, well, not that good. Also, it lacks a proper site to ask for de-listing? I can't find it in any case.. Weird.. Best to ignore such a list. If it's known to have such gigantic false positives, it's the users own choice to risk that.

4 Likes

I haven’t examined this situation in particular, but I’ve seen before where security researchers examining malware mistakenly identified simple OCSP as being a botnet command-and-control vector. Basically, while the researcher is examining the actions of a piece of malware, the researcher is likely to scrutinize the list of all the hosts the malware connects to. If the malware for any reason validates OCSP for a Let’s Encrypt-issued certificate, the researcher would observe it connecting to lencr.org.

Since OCSP is often done without transport encryption, it’s usually pretty straightforward to see it’s legitimate certificate validation, but certainly everyone makes mistakes, and as of yet lencr.org is not as well-known as letsencrypt.org.

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.