Innovative Marketing dies a slow death

I reported on Sep 8, 2008 that the sites "innovativemarketing.com" and "setupahost.net" were no longer resolving ... I've been watching the other associated domains and they are now no longer reachable ... it looks like the WinFixer Gang has decided to let their older domains die a slow death.

The list of sites is too long to post here and sadly they still have a major presence in many other areas. You can see the chart I put together a while back showing the Innovativemarketing/SetUPaHost connection and the associated IP blocks ... the majority of these now no longer exist.

Other News: I was recently awarded Microsoft MVP (Consumer Security) for the 10th year in a row ...

This also marks the 10th year I have been supplying a HOSTS file ... my how time flies ...

Posted by winhelp2002 with 2 comment(s)

More fake PornTube malware

I have posted many examples of these fake PornTube sites that serve up malware (Trojan.Zlob/Codec) ... "privacy-kit" has gone from a "Rogue Security Program" (March 2007) to serving up malware via a software program (YTFakeCreator) that creates fake "YouTube" style pages. There are now thousands of these types of fake PornTube sites.

What's interesting in the above is the fake Internet Explorer Information Bar (highlighted in red) ... sadly the download "MediaPlayerUpdate-28-i386.exe" was not detected when submitted to VirusTotal.

So why do we see so many of these types of sites? ... in my opinion it's due to the malware authors being unable to successfully exploit an "updated" Windows Vista machine. I have yet to find a site that I have visited that was able to invade my system ... and believe me I visit thousands each week, which are mainly malware related.

Sure the "social-engineering" aspects do trick many unsuspecting people ... but this method only works when users are fooled into clicking on malicious downloads or allowing installs from untrusted sources ...

Posted by winhelp2002 with no comments

Bogus Adobe Flash Player extension

Landing on the following, the visitor is presented with several click-able adult images ...
that once clicked results in the bogus Adobe Flash Player prompt ...

Naturally there is no such thing as a "HD H.264 Extension" ... however still some people fall for these bogus prompts.
The download "AdobeFlashPlayerExt.exe" is detected as: Trojan.Win32.Obfuscated.gx [VirusTotal results]

porntube-vip(dot)com is hosted at Haldex Ltd [88.208.0.0 - 88.208.31.255]
Landing on one of the other sites sharing the same IP address results in:

Posted by winhelp2002 with 3 comment(s)

MVPS HOSTS File Update September-23-2008


The MVPS HOSTS file was recently updated [September-23-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (142 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (604 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

A bogus MP3 Audio Codec prompt

Landing on the following site the visitor automatically sees a bogus prompt ... not only that, as you can see in the "Information Bar" a file was automatically downloaded. So users with older browser versions may find themselves infected without any interaction ...

"download-soft-free4all(dot)net" was only registered yesterday ... and hosted at Noc4hosts Inc (Tampa Fla)
which is yet another haven for Zlob/Codec malware domains ...

Posted by winhelp2002 with no comments

Klikdomains suspended

Just days after Security Fix exposed "Klikdomains" and the connection to "VIVIDS MEDIA GMBH" ... the following sites were suspended:

klikdomains.com - Status:SUSPENDED [whois info]
Note: This Domain Name is Suspended.
In this status the domain name is InActive and will not function.

klikvipsearch.com - Status:SUSPENDED [whois info]
kliksoftware.com - Status:SUSPENDED [whois info]

However don't be fooled into thinking that the Klikadvertising Group are dead ... as I pointed out in my last post they are still going strong ... I suspect the closing of those domains is just a ploy to avoid any more bad press ... another example I ran across today ...

The majority of the above sites are Klikadvertising related, as noted by the "klick.php?" ... and the box highlighted in red shows ... and guess where those sites were registered? ...

wordsearch-online.com - Registration Service Provided By: VIVIDS MEDIA GMBH [whois info]
search-adult-online.com - Registration Service Provided By: VIVIDS MEDIA GMBH [whois info]

Let's not forget - "KLIK Media GmbH" (klikoffers.com) owns about 29 other domains [whois info]
Which is also related to "Nelroy Ltd." (klikvip.com) owns about 19 other domains [whois info]
And where "klikadvertising.com" and "klikvip.com" are both running on IP blocks from Axxa Commerce

Hopefully keeping the pressure on will force more action and shut down these criminals ... well we can hope can't we?

Posted by winhelp2002 with no comments

Directi and EstDomains continue to suspend thousands of malware sites

I have been keeping a close watch on the amount of suspended sites in the MVPS HOSTS file ... rescanning everyday lately and removing the sites that no longer return a valid DNS ... the number is huge yet again ...

Strangely enough not all of these domains are related to EstDomains ... but who's complaining! Sounds like some of these other hosting services are getting nervous about their reputations or being exposed as associated with these cyber-criminals ... folks I've been doing this (maintaining a hosts file) for over 10 years and this is the largest clearing of malware related sites in the history of the Internet!

Interestingly enough, Brian Krebs has another in his series of articles "Fake Antispyware Purveyor Doubles as Domain Registrar"

"Directi president Bhavin Turakhia said his company has disabled its registrant-anonymizing privacyprotect.org service for all Web site names registered through Klikdomains.com, which he said has sold roughly 100,000 Web site names through Directi during the past couple of years. Nearly half of those have been suspended due to abuse complaints, Turakhia said. More than 21,000 sites were suspended in the past 48 hours alone. Directi currently is investigating most of the remaining 50,000 domains registered through Klikdomains.com, Turakhia added."

Imagine that! ... those of us in the security field have long known of the antics of KlickDomains and their related domains ... so I thought I'd show a few examples ...

Notice how this site is designed to look like one of Microsoft's pages ... now is "petitmortfilms" really a search portal? ... no, there are literally thousands of these types of sites with content and links provided by the KlickAdvertising Group ...

Clicking on a few of the listed links ... you can see how Klickadvertising routes their search thru several IP addresses, sets a 3rd-party cookie (so they can get paid) and then lands on obviously malware related sites ... now the entry for "r.looksmart.com" is listed in the hosts file due to LookSmart's dealings with Klickdomains. I'm not saying LookSmart is evil ... but if you deal with scumbags, you'll get blacklisted ...

Speaking of Blacklisted both of those IP addresses are! [here] [here] now here is another example ...

Gee ... does that page layout look familiar? ... I've highlighted (in red) the next link I clicked ... now imagine where that really takes you ... yup Klickdomains get paid to redirect you to another malware site. In case that "virusremover.dll" doesn't look familiar, I reported on it here ...

If you look at the below output from Microsoft Fiddler ... you can see the same IP addresses involved, etc. not only that the link I clicked "spywarexp2008" wasn't even real ... so you never know where you'll end up ... but you can bet it's not good!

The download from "av-xp2008" is detected by Kaspersky as "Backdoor.Win32.Frauder.ee" and the site is maintained by the "Pandora-Software Group" (innovagest2000sl) ... so not all the evil-doers are being suspended, but we'll take all we can get!

Posted by winhelp2002 with 3 comment(s)

Hundreds more malware domains suspended

As I reported the other day about the thousands of suspended domains ... it appears that even more domains have been suspended. After I removed the huge list of previously suspended domains from the MVPS HOSTS file ... I waited a day or two and rescanned the file to validate the entries. Much to my surprise there were hundreds more malware domains that no longer return a valid DNS ...

This seems to coincide with several other reports "Joint statement from Directi, HostExploit and KnujOn" stating: "HostExploit and Knujon did share with Directi a separate list of additional web sites known for badware that belong to Atrivo, enabling Directi's abuse team to swiftly suspend them."

In a previous post I showed ... "Directi False Whois Suspended Account" owns about 11,853 other domains
Now I find the following: "Directi False Whois Suspended Account" owns about 12,176 other domains [source]

On Friday, August 22 I mentioned the number of malware related sites running at "mynick.name" ... however today that number sure has changed! These fake Antispyware related sites were running from various hosting services and IP blocks all over the world ... looks like someone finally caught up to their antics ...


SecurityFix has also posted more related news "Scammer-Heavy U.S. ISP Grows More Isolated" ... I imagine the Cyber-criminals are really scrambling trying to register new domains, etc ... as the amount of suspended domains account for a rather large source of revenue ...

While I'm on the subject of suspended domains ... the bogus Antispyware programs I showed were being hosted at Yahoo were suspended over the weekend ... thanks to Kimberly for alerting Yahoo ...

And let's not forget ... "innovativemarketing.com" and "setupahost.net" which were the original WinFixer Gang ... good riddance! ...

Posted by winhelp2002 with 1 comment(s)

More fallout on the suspended malware sites

Knujon News reports "Directi is now severing ties with Estdomains amid complaints that the Eastern European company makes it too easy to register sites that are used by spammers and scammers. "Just the reputation loss and the confusion because of these linkups has been more detrimental to us than the commercial gain from that one-off sale," said Directi CEO Bhavin Turakhia. "We felt it was the right move morally." [more here]

Many of these suspended domains that I previously mentioned involved InterCage and their ties with ESTDomains ... now where "Directi" was involved I find the following when checking the Whois of some of these suspended domains ...

"Directi False Whois Suspended Account" owns about 11,853 other domains ... Wow! ... imagine that!

As McAfee's blog points out many of these malware related sites are now registering with ProtectDetails as the heat is now on ESTDomains. When checking the locations I find they are both hosted at InterCage ... how convenient ...

Protect Details, Inc
Saint Petersburg, RU
69.50.180.157  protectdetails.com
[InterCage, Inc] Assigned IP block > [69.50.160.0 - 69.50.191.255]

ESTDomains Inc
Wilmington, Delaware
216.255.176.238  estdomains.com
[InterCage, Inc] Assigned IP block > [216.255.176.0 - 216.255.191.255]

Hopefully Brian Krebs' proposed article on ESTDomains will turn up the heat even more ... resulting in even more suspended domains ...

Posted by winhelp2002 with no comments

Another fake Security prompt

Now this is one (bogus prompt) that you don't see every day ... check the page title ...

Naturally if you click the (made to look like a Microsoft Security prompt) "click here to get full real-time protection" ... yeah right!
The only thing you'll get is a real-time infection ...

As you can see the entry in red (infectionscanner) was blocked by an entry that already existed in the HOSTS file ...
All the below are managed by "TORS BUISINESS LIMITED - Andreas Ellinas"

Posted by winhelp2002 with no comments

Yahoo hosting Fraudware on their servers

While tracking down several new fake Antispyware sites ... I happened to notice the below are all hosted by Yahoo.

# [Yahoo via various][68.180.128.0 - 68.180.255.255]
68.180.151.16  antivirus-2008.org
68.180.151.17  antivirus-2008-noadware.com #[Win32/Adware.PowerAntivirus]
68.180.151.16  bestantivirus2009.com #[Win32/Adware.PowerAntivirus]
68.180.151.18  officialantiviruslab.com #[Win32/Kryptik.E]
68.180.151.18  onlineantivirus2009.com #[Win32/Kryptik.E]

VirusTotal result for the download from "antivirus-2008.org" [here]
My AV (NOD32 v3) detects the downloads from the other sites as either "Win32/Adware.PowerAntivirus" or "Win32/Kryptik.E"

As you can see the above is a typical fraudulent fake Antispyware that attempts to infect your machine ... nothing new there ... but hosted at Yahoo? Makes you wonder who's asleep at the wheel over there? ...

These all fall within the IP block assigned to Yahoo (68.180.128.0 - 68.180.255.255)
The above sites all have the same "page title" (International Virus Research Lab) and contents, etc ...

Posted by winhelp2002 with no comments

InterCage suspends thousands of malware related sites

Only a few days after an article in the Washington Post and a detailed report by HostExploit [PDF] [Video] they (InterCage) have suspended thousands of malware related sites. Which is good news ... but it makes you wonder if these sites will simply be transferred elsewhere, or the criminals will just register thousands of new sites and continue with their activities ... since these culprits depend on the revenue generated by their illegal activities, I predict they will pop up elsewhere very soon.

I happened to notice this myself (the number of suspended domains) when running a program I use to validate the DNS of each entry in the HOSTS file. Usually it returns a hundred or so sites that have either expired, been suspended, been parked, etc. (since the last update) ... however this time the amount was huge!
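The re-validation described here (and in the earlier post on the Directi/EstDomains suspensions) is: rescan the HOSTS file, ask DNS for every blocked domain, and drop the entries that no longer resolve. The script below is an added example, not the author's own tool and not part of the MVPS HOSTS project. It parses the `IP  domain  #[note]` entry format shown on this page, checks each domain through an injectable resolver (the default is `socket.gethostbyname_ex`, which also returns the canonical name, so a vendor-branded alias for a third-party tracker shows up with its real target), and returns the pruned file plus the list of dead entries. The domains, addresses and resolver answers in the sample are constructed for the example.

```python
import re
import socket

# One blocking entry: address, domain, optional "#[...]" note (the format used on the page)
HOSTS_LINE = re.compile(r'^(\S+)\s+(\S+)(?:\s*#(.*))?$')


def parse_hosts(text):
    """Return [(ip, domain, note)] for each entry; section headers and
    comment lines (starting with '#') are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue  # not in the two-column hosts format; leave it alone
        ip, domain, note = m.groups()
        entries.append((ip, domain.lower(), (note or '').strip()))
    return entries


def default_resolver(domain):
    """Live DNS lookup. Returns (canonical_name, [addresses]) or None when the
    name no longer resolves (expired, suspended, NXDOMAIN)."""
    try:
        canonical, _aliases, addrs = socket.gethostbyname_ex(domain)
        return canonical, addrs
    except (socket.gaierror, socket.herror, UnicodeError):
        return None


def validate_entries(entries, resolver=default_resolver):
    """Split entries into live [(domain, canonical, addrs)] and dead [domain]."""
    live, dead = [], []
    for _ip, domain, _note in entries:
        answer = resolver(domain)
        if answer is None:
            dead.append(domain)
        else:
            canonical, addrs = answer
            live.append((domain, canonical, addrs))
    return live, dead


def aliased(live):
    """Blocked names whose canonical name differs, i.e. the entry is a
    vendor-branded alias that really points at a third-party host."""
    return {domain: canonical for domain, canonical, _ in live if canonical != domain}


def prune_hosts(text, resolver=default_resolver):
    """Return (new_text, removed_domains): the file with dead entries dropped,
    comments and section headers preserved untouched."""
    _live, dead = validate_entries(parse_hosts(text), resolver)
    dead = set(dead)
    kept, removed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOSTS_LINE.match(line) if line and not line.startswith('#') else None
        if m and m.group(2).lower() in dead:
            removed.append(m.group(2).lower())
        else:
            kept.append(raw)
    return '\n'.join(kept) + '\n', removed


# --- constructed sample: placeholder domains, addresses and DNS answers ------
SAMPLE_HOSTS = """\
# [Example hosting block][192.0.2.0 - 192.0.2.255]
0.0.0.0  still-alive.example #[constructed: still resolves]
0.0.0.0  suspended-site.example #[constructed: registrar suspended it]
0.0.0.0  vendor-alias.example #[constructed: CNAME to tracker.example]
"""

FAKE_DNS = {
    'still-alive.example': ('still-alive.example', ['192.0.2.10']),
    'vendor-alias.example': ('tracker.example', ['198.51.100.7']),
    # suspended-site.example is absent: it no longer resolves
}


def fake_resolver(domain):
    """Offline stand-in for default_resolver using the constructed table."""
    return FAKE_DNS.get(domain)


if __name__ == '__main__':
    import sys
    # With a path argument the real file is checked against live DNS;
    # without one the constructed sample is pruned offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            text, resolver = fh.read(), default_resolver
    else:
        text, resolver = SAMPLE_HOSTS, fake_resolver
    new_text, removed = prune_hosts(text, resolver)
    print('removed %d dead entries: %s' % (len(removed), ', '.join(removed)))
```

Run it against a real file only from a machine whose resolver you trust: a name that fails to resolve is dropped, so a broken or filtering resolver would prune live entries. The `aliased` result is the list worth reviewing by hand before an update, since those are the entries users are most likely to mistake for a vendor's own hosts.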

Although the "comments" (must read) to the article by "Emil Kacperski" appear to be nothing more than the usual spin ... mainly complaining why other hosting domains are not mentioned ... it seems that exposing the activities by InterCage has produced some results ... for now. It will be interesting to see the outcome of Brian Krebs' other scheduled related articles ...

Posted by winhelp2002 with 7 comment(s)

Symantec LiveUpdate Security Warning revisited

I've blogged about this several times ...[here] [here] however as I am frequently asked about this (false) prompt (mostly from new MVPS HOSTS users) I thought I would address this again ... especially after seeing a response from one of their (very) uninformed commenters on their Forum ...

"I did not read in detail the links you provided, so this may not directly answer your question, but it may help you understand what is happening here."

Then why bother ... if you are not going to "read in detail the links" ...

And then goes on to say:

"So in your case what has happened is that a piece of malware has modified your HOSTS file to include entries for 'tc.symantec.com' and 'om.symantec.com'." ... talk about mis-informed ... duh!

If you had bothered to read the links then you would not (hopefully) make such a truly false statement.
Here is a typical prompt Symantec users see ...

If Symantec users click the drop-down arrow there is an option for:
"Leave the entry in the hosts file (do not warn me about them later)" (then this is no longer an issue ...)

Let me be very clear ... these are NOT entries from Symantec ... although they try to disguise them as such ... they both are 3rd party entries from Omniture ... and they do NOT prevent Symantec products from updating themselves ...

As you can see "om.symantec.com" is actually an alias for "symanteccom.112.2o7.net" and the IP addresses are all controlled by Omniture.

Even when you run a traceroute you can see above where it ends ... below is just a partial list of the Omniture entries and the IP addresses ... which shows that some sites prefer the "2o7.net" while others prefer to hide their identity as in the case with Symantec ...

 Note: it appears that Symantec is no longer using "tc.symantec.com" on their site ... most likely after I exposed this issue last time ... where they were using the Privacy policy from a 3rd party (Omniture) and not their own. So this entry will be removed and will reflect in the next update ...

Folks I cannot control these false-positive prompts from Antispyware/Antivirus products ... believe me I've tried ... but they refuse to alter their scanning techniques, so all I can do is try to explain why these entries exist ... then you can decide for yourself if you have a malware infection ... or a poorly written scanner detection. There is no such thing as an infection that only alters the HOSTS file ... so if that's all that shows up in a scan then check it out or ask ... I will gladly assist in determining the cause ...

Posted by winhelp2002 with 1 comment(s)

Can Sponsored Results be trusted?

I've commented about this subject before ... and I have still not changed my mind ... NO No No ...

Recently the SunBelt blog touched on this, and I thought I'd provide a good example ...

"Tested by g0Ogle" ... I think not! ... if a user happens to click that "Sponsored Link" ... they end up here ...

So not only do these culprits want to whack you with an infectious ActiveX (virusremover.dll), they also want you to click the "Remove All" button to install their fake antispyware program and all the other nasties that come with it ... my AV NOD32 v3 however doesn't think that would be a good idea ...

Submitting "virusremover.dll" to VirusTotal gives the following Result: 23/36 (63.89%)

Notice that Ask routes their Sponsored Result thru Google then redirects to the (un)desired site ...
"avxp-2008(dot)net" is yet another site maintained by the "Pandora Software Group"

I could provide many more examples ... but you get the idea ... even these "Parking Services" use these types of practices in their fake Sponsored Results on "Parked" sites ... and that's why I include many of their sites as entries in the HOSTS file ... everyone is glad to take the $$$ provided by these clients, but very few services are willing to investigate these clients prior to hosting their content ...

Posted by winhelp2002 with 4 comment(s)

Where have I been lately?

Due to the overwhelming amount of malware sites cropping up lately ... I just haven't had the time to document and blog ... so I've just been concentrating on investigating and adding a huge amount of new entries to the HOSTS file ...

One of the biggest offenders is the group running from these servers ... hosting mainly fake Antispyware sites and products ...

As you can see right now they control 763 domains (sites) and they are adding new sites by the hundreds ... ugh!
Hopefully I can get back to my normal schedule ... if these culprits ever slow down ...

Posted by winhelp2002 with no comments

Rogue Antispyware Adware-Download

Following up on a post at Donna's SecurityFlash regarding several new Rogue Antispyware programs ...
now visiting the named site (adware-download(dot)com) you are redirected via "clickbank" to ... oops!

My AV NOD32 intercepts the request and displays the above warning ... thus killing the connection.
And this occurs prior to the browser checking the HOSTS file ... in which adware-download is already listed.

The actual link via clickbank is below (URL disabled)

hxxp://freewslink.adalert.hop.clickbank.net/hop/?CBRehoppp2=hxxp%3A%2F%2Fwww.adwarealert.com%2Findex.php%3Fhop%3Dfreewslink&vend=adalert&code=00000000000000&affi=freewslink&parms=&key=F14F7E2F6AB3619C0D5FE930AAD751A6

I complained to the staff at ClickBank many many times about their lack of policing their affiliates ... but they appear to take no action ... thus they have become a haven for these Rogue Antispyware programs ... and there are many! I've even had them complain and threaten legal action because I added them to the HOSTS file ... of course they have no grounds for such an action ...

Adware.Clickbank or Adware.ClickDLoader

Posted by winhelp2002 with no comments

MVPS HOSTS File Update August-06-2008


The MVPS HOSTS file was recently updated [August-06-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (161 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (702 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

MVPS HOSTS File Update July-07-2008


The MVPS HOSTS file was recently updated [June-05-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (159 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (692 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

MsMVPs server down

As some of you may have noticed, this blog was not accessible for the last several days ... let's just say they had some issues that needed attention ... hopefully everything has been addressed and sorry for any inconvenience ...

Posted by winhelp2002 with no comments

Beware of bogus Flash Error

Landing on the following site the visitor is presented with a totally bogus "Flash ActiveX Object Error" ...

Folks there is no such error ... don't fall for these scams ... otherwise you'll end up with what Kaspersky describes as
Trojan-Downloader.Win32.FraudLoad.bgn ... although not very well detected as yet - VirusTotal results here ...

As usual clicking any of the above buttons downloads "MediaTubeCodec_ver1.376.0.exe" from s-soft08freeware(dot)com

Posted by winhelp2002 with no comments