November 2006 - Posts

HOSTS File Update

Updated the HOSTS file today ...
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (121 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource
for determining possible culprits ... (495 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with no comments

VirusBursters replaces SpywareQuake

Running a check today I noticed that SpywareQuake has been dropped (it no longer returns a valid DNS reply); however, it has been replaced by VirusBursters, which is run by the same people as Malwarewipe, Spyaxe, SpyFalcon, SpywareStrike and VirusBurst.

The new version is not very well detected, judging by a check of the download via VirusTotal. The irony is that McAfee has a write-up here, which they updated 11/17/2006, yet the download was not detected by McAfee at VirusTotal.

You can find removal instructions here, although I'm not sure they have been updated to cover this new version ... I have left a message for the author just in case.

The HOSTS file will be updated and a new version released in a few days with the needed entries, as there are 19 sub-domains being used for the download ... VirusBursters is typically installed via the various Trojan.Zlob (fake codec) sites ...

Posted by winhelp2002 with no comments

Can Sponsored Links be trusted?

Can search results' Sponsored Links be trusted? ... not always, and a lot depends on who you use for searching. A prime example is a search for the term "antispyware", a very common subject, where the "Sponsored" results can be quite different from one engine to the next.

IE7 Live Search on page 2 shows "Winantispyware" ... oh my!
Or search on Yahoo for the same term and on page 2 you get "Winantiviruspro", which is the same company. So what do you get from Google? Kudos to Google for not allowing these guys to purchase a Sponsored Link; in fact, if you try to click a link for Winantispyware you get a Google/StopBadware warning.

So who is Winantispyware? ... here are some interesting comments

Rogue/Suspect Anti-Spyware Products & Web Sites
WinAntiSpyware 2006, winantispyware.com winsoftware.com softwareprofit.com, aggressive, deceptive advertising (1, 2, 3); same company as WinAntiSpy 2005

Webroot SpySweeper: WinFixer/WinAntiSpyware may be installed by a direct download but may install via a Trojan Horse or popup advertisement.

SunBelt CounterSpy: WinAntiSpyware is a rogue anti-spyware product which pesters users with scareware tactics to purchase the product.

StopBadware Report | Symantec Detection | Tenbril SpyCatcher | PcTools | McAfee SiteAdvisor

It's time for Microsoft and Yahoo to get their act together and stop allowing these types of products to purchase Sponsored Links ... it doesn't always have to be about the $$$ ... sometimes it's just the right thing to do!

Posted by winhelp2002 with no comments

Oh Google make up your mind

While researching a few suspicious sites I ran across a warning from Google ...

Ok so I visit StopBadware.org to see what harmful content is on that page and I find this:

You landed on this page because members of the public reported this website to StopBadware.org as hosting or distributing badware. Though our researchers have not yet reviewed this website, once they do, this warning page will be replaced with a detailed report on the site's badware.

But what I really find disconcerting is that although this page may be harmful, Google is providing a service on that page!
From a View Source on the page I find:

While the StopBadware project is no doubt useful to the general public, it's a little hypocritical that one of their Corporate Sponsors is providing a service on such sites ...

Edited: to correct "advertising" to "providing a service" ...

Posted by winhelp2002 with 2 comment(s)

Oh what a Screensaver!

Following up on a tip today about a bundled install from Relevence Marketing ... let's see what we get from their download "PuppyScreenSaver.exe", which is not really a screensaver but a Trojan Downloader that, once run, downloads a bundle of files ... first the file was submitted to VirusTotal ... oh look what we get ...

Imagine that! ... the rest of the files had similar results, and this is what the end user gets ...

All of our Products are listed in windows Add/Remove Programs.
To remove them, Please enter your "Start Menu", Navigate to the "Control Panel",
Open the "Add or Remove Programs" area, and then select and remove whatever you have installed.
Here are the names our various softwares install as:

A SuperScreenSaver - Babes
A SuperScreenSaver - Puppies
Holdem-U
MyAdultExplorer
PuzzleDesktop
SmartShopper
SuperScreenSavers-Babes
SuperScreenSavers-Puppies
(Trojan-Downloader.Win32.Agent.auv)

The next HOSTS update will contain the following new entries:

I also found that they are doing business with PrimaryAds ... although PrimaryAds promotes that they are not involved with any questionable affiliates ... hmm
http://mvps.org/winhelp2002/blog/aff-primaryads.gif

Posted by winhelp2002 with no comments

Yet another IFrame Exploit

I found another site that has been hacked, with several exploits injected into the page. The culprit is well known for hacking sites and forums that do not have the latest updates installed ...

This is a two-pronged attack using 2 IFrame entries and a malicious JavaScript: the first IFrame is detected by NOD32 as "JS/TrojanDownloader.Agent.BI", the second as "HTML/TrojanDownloader.Agent.AU", and then, to top it off, as you can see in the IE7 Info Bar, a "Microsoft Data Access exploit" which comes from the JavaScript.

VirusTotal results on the page itself ...

AntiVir = found nothing
Authentium = found nothing
Avast = found nothing
AVG = found nothing
BitDefender = found nothing
CAT-QuickHeal = found nothing
ClamAV = found nothing
DrWeb = found nothing
eTrust-InoculateIT = found nothing
eTrust-Vet = found nothing
Ewido = found [Not-A-Virus.Constructor.Perl.Msdds.b]
F-Prot = found nothing
F-Prot4 = found nothing
Fortinet = found nothing
Ikarus = found nothing
Kaspersky = found [Constructor.Perl.Msdds.b]
McAfee = found nothing
Microsoft = found nothing
NOD32v2 = found [probably a variant of HTML/TrojanDownloader.Agent.AU]
Norman = found nothing
Panda = found nothing
Prevx1 = found nothing
Sophos = found nothing
TheHacker = found nothing
UNA = found nothing
VBA32 = found [Trojan-Downloader.HTML.Agent.aq#6]
VirusBuster = found nothing

Note: the website owner was notified but no reply as yet ... that's why the URL was removed.

After placing the 2 malicious sites in the HOSTS file and revisiting the site, there was no pop-up from NOD32 or prompt from IE7 about the "Microsoft Data Access" exploit ... be safe out there folks! The next update will contain the needed entries to block this attack, and hopefully the Antivirus community will update their databases soon.

Posted by winhelp2002 with no comments

Microsoft sues Screen Saver Creator

Microsoft Files Suit Against Creators of Spyware-Bearing Celebrity Screen Saver
http://biz.yahoo.com/prnews/061114/sftu116.html?.v=67

This suit involves one of the defendants named in this court action:
Court Shuts Down Media Motor Spyware Operation

Of note (from the pdf files) in the suit is the following excerpt:
IDENTIFICATION OF SOFTWARE PROVIDERS
IT IS FURTHER ORDERED that the Corporate Defendants and Individual Defendants shall, within five (5) days of service of this Order, prepare and deliver to the Commission a completed statement, verified under oath and accurate as of the date of entry of this Order, identifying with as much detail as possible (including, but not limited to, name, address, phone number, email address, instant messaging identification or "handle," website, and affiliate identification code) of all persons and or entities that have provided Software that the Corporate Defendants and or Individual Defendants have installed, either directly or through their affiliates, on consumers' computers. For the ERG Defendants, this list should include, but not be limited to, the persons and or entities that provided the programs commonly known as: Look2ME, 7FaSSt, AdRotator, AdMedia, SearchingAll, the Mirar Toolbar, ClickSpring;UCmore; CasClient; Z-Quest; CmdServices; Puity Scan; Backdoor.DSNX, Webhancer, Ezula, CoolWebSearch, ABetterinternet, DyFuCA, e2give, Prutect, Safesurfing, Qoologic, BookedSpace, begin2search DollarRevenue, Popuppers, WebNexus, Yazzle and Winsync. Addictive Technologies and Media Motor.

It looks like MediaMotor will have to disclose any dealings with the above (Adware/Spyware) companies, which by the way looks like a "who's who" of the entries in my HOSTS file ... hopefully the disclosures will be as revealing as the wealth of info from the DirectRevenue case.

Posted by winhelp2002 with no comments

pcbutts1 ... the saga continues ...

Recently I was notified that pcbutts1 has plagiarized my HOSTS file, edited the header, and is now offering it as a download via the various newsgroups ... this is not the first time he has claimed one of my files as his own.

Although the header in the HOSTS file was edited, he forgot to remove one of my comments at the end of the file, which just goes to show this is another blatant attempt at taking credit for someone else's work ...

Even McAfee's SiteAdvisor gives his site a red flag warning ... with 2 pages of negative comments! There are also quite a few other posts warning of the actions of this person and of unauthorized downloads.

Needless to say, stay far away from any downloads or advice from pcbutts1 ...

Posted by winhelp2002 with 1 comment(s)

Another "codec" site

As fast as they get detected and shut down, more just pop up ...

Hosted where else? Inhoster/EstDomains 85.255.118.155 dvdaccess(dot)net
The "Terms of Service" provides an interesting read:
THIRD-PARTY SOFTWARE As the Software is freeware, the Licensor reserves the right to install third-party software in conjunction with the main Software product, if you disagree with this please do not install the main Software.

So what is this (unidentified) 3rd party software?  umm ... no thanks

It sure is nice to have an Antivirus product that scans Internet traffic on the fly rather than scanning after the file is downloaded or opened!

Posted by winhelp2002 with no comments

"Rogue/Suspect Anti-Spyware Products" Revisited

It makes you wonder just how many rogue products one company thinks are enough?
At the moment it looks like "Nelroy LTD" has decided on 15! ... Beware of imposters!

67.15.15.177  get.adarmor.com
67.15.15.177  get.adwarebazooka.com
67.15.15.177  get.adwarepunisher.com (server down?)
67.15.15.177  get.breakspyware.com
67.15.15.177  get.fixerantispy.com
67.15.15.177  get.hitvirus.com
67.15.15.177  get.razespyware.net
67.15.15.177  get.remedyantispy.com
67.15.15.177  get.spyanalyst.com
67.15.15.177  get.spycut.com
67.15.15.177  get.spydefence.com
67.15.15.177  get.spyiblock.com
67.15.15.177  get.spyofficer.com
67.15.15.177  get.spywaredisinfector.com
67.15.15.177  get.thespyguard.com (server down?)

All of the above you'll find listed here: Rogue/Suspect Anti-Spyware Products
With the typical description of: uses flawed, inadequate detection scheme; same app as AdwareBazooka, AdwarePunisher, RemedyAntiSpy, SpyCut, SpyiBlock, Spyware Disinfector, SystemStable, & The SpyGuard

The vast majority of the sites mentioned as "Rogue/Suspect" are included in the HOSTS file

Posted by winhelp2002 with no comments

More fake codec sites

I got a tip today about 2 more fake "codec" sites ...

ivideocodec.com (Creation Date: 31-Oct-2006) same owner as the previously mentioned keycodec.com
IP Address: 85.255.118.197 (Estdomains/Inhoster)

Other related codec domains:

85.255.118.194  strcodec.com
85.255.118.195  vccodec.com
85.255.118.195  mmcodec.com
85.255.118.196  xpassgenerator.com
85.255.118.196  winmediacodec.com
85.255.118.196  videoscodec.com
85.255.118.196  softcodec.com
85.255.118.198  mypornmagpass.com

vidcodecs.com (Creation Date: 31-Oct-2006)
IP Address: 69.50.188.107 (Estdomains/Intercage)

Other related codec domains:

69.50.188.108  powercodec.com
69.50.188.108  medcodec.com
69.50.188.108  imcodec.com
69.50.188.109  hqcodec.com

You can add the following entries to your HOSTS file until an update is released ...

127.0.0.1  www.ivideocodec.com
127.0.0.1  www.vidcodecs.com #[Trojan-Downloader.Win32.Zlob.atu]

Posted by winhelp2002 with no comments
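The two entries above, and the HOSTS updates mentioned throughout this month's posts, all rely on the same mechanism: Windows consults the HOSTS file before asking DNS, and it matches hostnames exactly. The following Python script is an added example (my code, not code from the original post or from the MVPS HOSTS project) that parses a HOSTS file in the MVPS layout, merges new entries without duplicating ones already present, and emulates the lookup. The sample HOSTS excerpt and the list of new hosts are constructed from hostnames mentioned on this page. The lookup behaviour it emulates (exact, case-insensitive match, no wildcards or suffix matching) is why an entry for www.vidcodecs.com does not block vidcodecs.com itself.

```python
"""HOSTS-file helper: parse, merge new block entries, emulate the lookup.

Added example; not code from the original post or the MVPS HOSTS project.
SAMPLE_HOSTS is a constructed excerpt in the MVPS layout (one entry per
line, optional "#[detection name]" comment after the hostname).
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_HOSTS = """\
# Constructed header comment (the real file carries a longer one)
127.0.0.1  localhost
127.0.0.1  get.adarmor.com
127.0.0.1  get.adwarebazooka.com
127.0.0.1  js.pceb.cc #[Trojan.Win32.Rootkit.E]
"""

Entry = Tuple[str, str]  # (sink IP, trailing comment or "")


def parse_hosts(text: str) -> Dict[str, Entry]:
    """Map each hostname (lower-cased) to its (ip, comment).

    A line may carry several hostnames after the IP; anything after '#'
    is a comment and is kept so detection tags such as #[Zlob] survive.
    Blank and comment-only lines are skipped.
    """
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue
        tag = ("#" + comment).strip() if comment else ""
        ip, hosts = fields[0], fields[1:]
        for host in hosts:
            entries[host.lower()] = (ip, tag)
    return entries


def merge_entries(text: str, new_hosts: List[Tuple[str, str]],
                  sink: str = "127.0.0.1") -> Tuple[str, List[str]]:
    """Append one line per host not already present; return (text, added).

    new_hosts holds (hostname, detection_tag) pairs; an empty tag means no
    trailing comment. Hosts already in the file are left untouched so the
    same update applied twice does not create duplicates.
    """
    existing = parse_hosts(text)
    lines = text.rstrip("\n").splitlines()
    added: List[str] = []
    for host, tag in new_hosts:
        if host.lower() in existing:
            continue
        line = f"{sink}  {host}" + (f" #[{tag}]" if tag else "")
        lines.append(line)
        existing[host.lower()] = (sink, f"#[{tag}]" if tag else "")
        added.append(host)
    return "\n".join(lines) + "\n", added


def resolve(entries: Dict[str, Entry], hostname: str) -> Optional[str]:
    """Emulate the HOSTS lookup: exact, case-insensitive hostname match.

    No wildcards or suffix matching: an entry for www.example.com does not
    cover example.com or cdn.example.com. Returns the sink IP or None.
    """
    hit = entries.get(hostname.lower())
    return hit[0] if hit else None


if __name__ == "__main__":
    updated, added = merge_entries(SAMPLE_HOSTS, [
        ("www.ivideocodec.com", ""),
        ("www.vidcodecs.com", "Trojan-Downloader.Win32.Zlob.atu"),
        ("get.adarmor.com", ""),  # already present: must not be duplicated
    ])
    table = parse_hosts(updated)
    print("added:", added)
    print("www.vidcodecs.com ->", resolve(table, "www.vidcodecs.com"))
    print("vidcodecs.com     ->", resolve(table, "vidcodecs.com"))
```

If you want the bare domain blocked as well, it needs its own line. The MVPS file uses 127.0.0.1 as the sink; the sink parameter lets you switch to 0.0.0.0, which avoids a locally running web server answering the blocked requests.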

Another nasty Javascript exploit

From: SANS Internet Storm Center Alert

The de-obfuscated URL goes to (don't click!!) js.pceb.cc, which resolves to 85.255.114.158, which is - surprise surprise - the address range of INHoster in Ukraine. Although we are wary of excessive block-lists, we have repeatedly recommended in the past that you block this range: 85.255.112.0 - 85.255.127.0

Now look who else resides in that same Inhoster address range:

85.255.114.148  wrkd1s2tr.biz
85.255.114.148  outpostsupport.com (Win32/TrojanProxy.Daemonize)
85.255.114.148  lavasoftupdate.com
85.255.114.148  drwebupd.com

Just mentioned these characters the other day ... you can add the following entry to your HOSTS file until the next update.

127.0.0.1  js.pceb.cc #[Trojan.Win32.Rootkit.E]

Posted by winhelp2002 with no comments
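To see what the SANS recommendation actually covers, here is an added Python example (mine, not from the SANS alert or from the original post) that expresses the quoted range with the standard library's ipaddress module and checks the IPs quoted in this month's posts against it. The (IP, hostname) pairs are taken from the posts above (including the Inhoster codec sites and the Nelroy rogue apps on 67.15.15.177); the range is taken literally from the SANS text, which ends at 85.255.127.0 rather than 85.255.127.255, so the script also shows the single aligned /20 that a firewall rule would use to cover both ends.

```python
"""Express the INHoster range from the SANS alert as CIDR blocks and check
the IPs quoted in this month's posts against it.

Added example; not from the SANS alert or the original post. OBSERVED is
built from (IP, hostname) pairs mentioned on this page.
"""
import ipaddress
from typing import List, Tuple

IPAddr = ipaddress.IPv4Address

# The range exactly as SANS wrote it. It ends at .127.0, not .127.255, so
# read literally it leaves 85.255.127.1-255 uncovered.
RANGE_START = ipaddress.IPv4Address("85.255.112.0")
RANGE_END = ipaddress.IPv4Address("85.255.127.0")

OBSERVED: List[Tuple[str, str]] = [
    ("85.255.114.158", "js.pceb.cc"),
    ("85.255.114.148", "outpostsupport.com"),
    ("85.255.118.155", "dvdaccess.net"),
    ("85.255.118.197", "ivideocodec.com"),
    ("69.50.188.107", "vidcodecs.com"),    # Intercage, outside the range
    ("67.15.15.177", "get.adarmor.com"),   # Nelroy rogue apps, outside the range
]


def literal_cidrs(start: IPAddr = RANGE_START, end: IPAddr = RANGE_END) -> List[str]:
    """Smallest list of CIDR blocks that covers exactly start..end."""
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def covering_supernet(start: IPAddr = RANGE_START, end: IPAddr = RANGE_END) -> str:
    """Single aligned block containing both ends, as a firewall rule would use."""
    net = ipaddress.ip_network(f"{start}/32")
    while end not in net:
        net = net.supernet()  # widen one bit at a time until the end address fits
    return str(net)


def in_range(ip: str, start: IPAddr = RANGE_START, end: IPAddr = RANGE_END) -> bool:
    """True if ip lies within the literal start..end range."""
    return start <= ipaddress.IPv4Address(ip) <= end


def partition_hosts(observed: List[Tuple[str, str]] = OBSERVED) -> Tuple[List[str], List[str]]:
    """Split hosts into those the range block catches and those still needing HOSTS entries."""
    caught: List[str] = []
    remaining: List[str] = []
    for ip, host in observed:
        (caught if in_range(ip) else remaining).append(host)
    return caught, remaining


if __name__ == "__main__":
    print("literal range as CIDR:", literal_cidrs())
    print("single covering block:", covering_supernet())
    caught, remaining = partition_hosts()
    print("caught by the range block:", caught)
    print("still need HOSTS entries:", remaining)
```

Blocking the range at the firewall catches everything Inhoster hosts regardless of hostname, which is what makes it attractive against fast-rotating codec domains; the hosts on Intercage and on the Nelroy server still need their own HOSTS entries.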