October 2006 - Posts

HOSTS File Update [10-30-06]

The HOSTS file was updated today ...
http://www.mvps.org/winhelp2002/hosts.htm

Shameless plug: got another mention this weekend from the Kim Komando Show
(I always see a spike in traffic when she does ...)
Even a dedicated page: Block malicious programs ... thanks Kim!

Posted by winhelp2002 with no comments

Improved "Certificate Error" in IE7

I thought I'd show the new "Certificate Error" in action on one of the known culprits (msoftware.info) I was checking up on ... this is one of the "Rogue/Suspect" sites selling scam products.

When you attempt to order this product IE7 throws up an error warning the user [screenshot1]; if you continue anyway, the Address Bar is displayed in red [screenshot2]. Needless to say you don't want to purchase anything from these types of people ...

# [Marko Novakovic]
127.0.0.1  erornuker.com
127.0.0.1  msoftware.info
127.0.0.1  secure.msoftware.info
127.0.0.1  www.msoftware.info
127.0.0.1  online-scan.com
127.0.0.1  www.repair-pc.net
127.0.0.1  www.repair-registry.net
127.0.0.1  download.scanandrepair.com #[Symantec.ScanandRepair]
127.0.0.1  www.scanandrepair.com #[Rogue/Suspect]
127.0.0.1  www.scanpc.org
127.0.0.1  yieldmenager.com

Even McAfee SiteAdvisor lists this as a red site ...


Posted by winhelp2002 with no comments

Interesting list of deactivated Domains

While preparing for the next HOSTS update I've found an interesting list of deactivated domains.

justcounter.com (Win32/TrojanDownloader.Agent.AIB)
Status: Parked and deactivated (no valid DNS)

jupitersatellites.biz (Trojan.Jupillites)
Status: Domain Registration Expired
Notice the other related domain names that prey on the good name of well-respected security products:
drwebupd(dot)com - this is not Dr.Web Anti-virus
lavasoftupdate(dot)com - this is not Lavasoft Antispyware
outpostsupport(dot)com - this is not Outpost Firewall

Kudos to Google and Yahoo for not providing any Sponsored Links for the search term "outpostsupport"

vogservice(dot)com (HTML/TrojanDownloader.Agent.AO)
Status: deactivated (no valid DNS)
This is one of the sites that uses the "Web-Attacker Control panel" to generate exploits

Zango/180Solutions (Adware.180Solutions) has quietly started deactivating some of their sites
flingstone.com | n-case.net | radiopranks.com | searchbrowser.com | searchbarcash.com

Even Gator has deactivated several of their sub-domains ... Imagine that!

Posted by winhelp2002 with no comments

IFrame Exploits

Following up on "Halloween sites tricking users with malware", it appears to me that the sites mentioned have been hacked and an IFrame has been injected that, if activated, infects the visitor with several nasties.

I would advise disabling the IFrame option in IE - it is the single most exploited setting!
Internet Options | Security tab | Custom Level button
Scroll down to: Launching programs and files in an IFrame
Select: Disable (IE7 by default is already set to Prompt)

Note: the culprit involved is already listed in my HOSTS file ...
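The injection described above is usually a frame the visitor never sees: zero-sized, or hidden with CSS, pointing at a third-party host. The following is an added example (not code from the original post, and not winhelp2002's tooling) of how a site owner or responder can scan a saved copy of a page for such frames; the sample page and the badsite.invalid host in it are constructed for illustration.

```python
"""Scan HTML for hidden IFRAMEs of the kind injected into hacked pages.
Added example, not code from the original post; the sample page and the
badsite.invalid host are constructed for illustration."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit
import re

# Constructed sample: one legitimate, visible third-party widget and two
# iframes hidden the way injected ones usually are.
SAMPLE_HTML = """<html><body>
<h1>Halloween costumes</h1>
<iframe src="http://partner.example/widget" width="300" height="250"></iframe>
<iframe src="http://badsite.invalid/in.cgi?3" width="0" height="0"
        frameborder="0"></iframe>
<div><iframe src="//badsite.invalid/x.php" style="display: none"></iframe></div>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value: str):
    """First integer in a width/height attribute, or None if absent."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def hidden_reasons(attrs: Dict[str, str]) -> List[str]:
    """Why this iframe looks hidden; an empty list means it renders visibly."""
    reasons = []
    w, h = _pixels(attrs.get("width", "")), _pixels(attrs.get("height", ""))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("zero/one-pixel size")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    return reasons


def find_hidden_iframes(html: str) -> List[Dict[str, object]]:
    """Return [{'src', 'host', 'reasons'}] for every iframe that is hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if reasons:
            src = attrs.get("src", "")
            # urlsplit handles both absolute and protocol-relative ("//host") URLs
            findings.append({"src": src,
                             "host": urlsplit(src).hostname or "",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f"{f['host']:20} {f['src']}  ({', '.join(f['reasons'])})")
```

Run it against the HTML as served (fetch a copy with the browser's frame option disabled, or from the web server's document root), because the injected frame often sits at the very end of the file after the closing tags; the parser above still reports it because it never requires well-formed markup. The hosts it reports are the candidates for the HOSTS file.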


Posted by winhelp2002 with no comments

Another fake codec site

Got a tip today about another fake codec site: keycodec(dot)com

The download is another in the TrojanDownloader.Win32.Zlob family, but the scary part is the "Terms of Use"

SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to VIDEOKEYCODEC or its affiliates during this process. Licensor may offer additional components through our version checking/update system. These components include:
(a) "Internet Explorer Security Plugin 2006": Internet Explorer toolbar that protects your computer while you browse by setting high level of security for suspicious hosts.
(b) "Public Messenger ver 2.03": Popup advertising module that opens Internet Explorer ad windows when you are connected to internet.
(c) "Internet Security Add-On": your Internet Explorer homepage will be changed.
(d) Security software: antivirus/antispyware application.

http://whois.domaintools.com/keycodec.com
They only registered 3 days ago and are already in "Blacklist Status".

Item (d) above, "Security software: antivirus/antispyware application", is usually one of the variants from the Innovative Marketing Group (remember WinFixer):
winantispyware(dot)com
winantivirus(dot)com
systemdoctor(dot)com
errorsafe(dot)com
drivecleaner(dot)com

Speaking of WinFixer ... it looks like they are being sued, although after reading the complaint it appears to be a weak case due to a lack of research on the proper parties involved?

You can add the following to your HOSTS file until an update is released ...
127.0.0.1  www.keycodec.com #[TrojanDownloader.Win32.Zlob.a]
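Whether you paste the line above into your HOSTS file or apply the full list from the msoftware.info post, the mechanism is the same: an exact hostname pinned to a loopback address, with a "#[Tag]" comment naming why. The following is an added example (not winhelp2002's list or tooling) of a small checker for that format; it parses the entries quoted in these two posts, tells you whether a given name is actually covered, merges a hand-added line into the published list without duplicating it, and warns about duplicate hostnames. The "published"/"local" split and the sample fragment are assumptions for illustration.

```python
"""Parse, validate and query a HOSTS-file fragment (added example, not the
winhelp2002 list itself). Assumes the Windows HOSTS syntax:
  <address> <hostname> [<hostname>...] [# comment]
The '#[Tag]' annotation is the style used in the posts' entries."""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class HostsEntry(NamedTuple):
    address: str
    hostname: str
    tag: Optional[str]  # text inside "#[...]" on the same line, if any


# Matches the "[Rogue/Suspect]" part of a "#[Rogue/Suspect]" annotation.
TAG_RE = re.compile(r"\[([^\]]*)\]")

# Constructed sample: entries quoted in the posts above, plus the keycodec
# line the last post tells readers to add by hand.
SAMPLE_HOSTS = """\
# [Marko Novakovic]
127.0.0.1  erornuker.com
127.0.0.1  msoftware.info
127.0.0.1  secure.msoftware.info
127.0.0.1  www.msoftware.info
127.0.0.1  download.scanandrepair.com #[Symantec.ScanandRepair]
127.0.0.1  www.scanandrepair.com #[Rogue/Suspect]
127.0.0.1  www.keycodec.com #[TrojanDownloader.Win32.Zlob.a]
"""


def parse_hosts(text: str) -> List[HostsEntry]:
    """One HostsEntry per hostname on each line; malformed lines raise ValueError."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code, _, comment = raw.partition("#")
        fields = code.split()
        if not fields:  # blank line or comment-only line
            continue
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<address> <hostname>'")
        address = fields[0]
        ipaddress.ip_address(address)  # ValueError if not a valid IP literal
        m = TAG_RE.search(comment)
        tag = m.group(1) if m else None
        for hostname in fields[1:]:
            entries.append(HostsEntry(address, hostname.lower(), tag))
    return entries


def is_blocked(entries: List[HostsEntry], hostname: str) -> bool:
    """True if the first matching entry pins the name to a loopback or
    unspecified (0.0.0.0) address. Matching is exact: HOSTS has no wildcards,
    so 'msoftware.info' does not cover 'secure.msoftware.info', which is why
    the list carries each sub-domain separately."""
    name = hostname.lower().rstrip(".")
    for e in entries:
        if e.hostname == name:
            addr = ipaddress.ip_address(e.address)
            return addr.is_loopback or addr.is_unspecified
    return False


def find_duplicates(entries: List[HostsEntry]) -> List[str]:
    """Hostnames listed more than once; the resolver uses the first match,
    so a later conflicting address is silently ignored."""
    seen, dups = set(), []
    for e in entries:
        if e.hostname in seen and e.hostname not in dups:
            dups.append(e.hostname)
        seen.add(e.hostname)
    return dups


def merge_local(published: str, local: str) -> List[HostsEntry]:
    """Append hand-added entries (like the keycodec line) to the published
    list, skipping hostnames the published list already covers."""
    merged = parse_hosts(published)
    known = {e.hostname for e in merged}
    for e in parse_hosts(local):
        if e.hostname not in known:
            merged.append(e)
            known.add(e.hostname)
    return merged


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for name in ("secure.msoftware.info", "other.msoftware.info"):
        state = "blocked" if is_blocked(entries, name) else "NOT blocked"
        print(f"{name}: {state}")
    print("tagged:", [(e.hostname, e.tag) for e in entries if e.tag])
    print("duplicates:", find_duplicates(entries))
```

The point the checker makes explicit is the one that trips people up: after adding the keycodec line, www.keycodec.com is blocked but keycodec.com on its own is not, so when you block a site by hand, add every hostname you actually see it use.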


Posted by winhelp2002 with no comments