December 2006 - Posts

Updated the HOSTS file


The MVPS HOSTS file was recently updated
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (125 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (515 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with no comments

Another VideoCash site to avoid

Just as soon as VideoCash dropped "5starvideos.com" (now Parked), most likely because it was too well detected ... however you can see the kind of traffic they were generating ...

Alexa Traffic Ranking

Unfortunately they have registered a new domain Dec 25th to take up the slack ... keypromanager(dot)com

VirusTotal results:

AntiVir 7.3.0.21 12.27.2006 DR/Zlob.Gen
Authentium 4.93.8 12.22.2006  no virus found
Avast 4.7.892.0 12.21.2006  no virus found
AVG 386 12.26.2006 Downloader.Zlob.FWQ
BitDefender 7.2 12.27.2006  no virus found
CAT-QuickHeal 8.00 12.26.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.26.2006  no virus found
DrWeb 4.33 12.27.2006  no virus found
eSafe 7.0.14.0 12.26.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.99 12.27.2006  no virus found
eTrust-Vet 30.3.3271 12.23.2006  no virus found
Ewido 4.0 12.26.2006  no virus found
Fortinet 2.82.0.0 12.27.2006 W32/PE_Patch
F-Prot 3.16f 12.22.2006  no virus found
F-Prot4 4.2.1.29 12.22.2006  no virus found
Ikarus T3.1.0.27 12.27.2006 Trojan-Downloader.Win32.Zlob.and
Kaspersky 4.0.2.24 12.27.2006 Trojan-Downloader.Win32.Zlob.biq
McAfee 4926 12.26.2006  no virus found
Microsoft 1.1904 12.27.2006  no virus found
NOD32v2 1939 12.26.2006  no virus found
Norman 5.80.02 12.26.2006 W32/Suspicious_U.gen
Panda 9.0.0.4 12.27.2006 Suspicious file
Prevx1 V2 12.27.2006  no virus found
Sophos 4.13.0 12.26.2006  no virus found
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.137 12.24.2006  no virus found
UNA 1.83 12.26.2006 TrojanDownloader.Win32.Zlob.97DC
VBA32 3.11.1 12.26.2006  no virus found
VirusBuster 4.3.19:9 12.26.2006 novirus:Packed/Upack

Posted by winhelp2002 with no comments

Another nasty Codec

Yet another fake codec site ... but this one whacks you just by visiting the site or one of the more than 50 affiliates that automatically redirect you to this site.

Notice that there is no Cancel button, only an Ok ... the bad part is even if you click the red X button it whacks you anyway ... SANS - Internet Storm Center has a very informative write-up on this nasty Trojan.

These "codec" Trojan sites are mostly found on links from adult related sites that offer "Free Movies", so be careful folks and remember "Free" usually comes with a price ...

Posted by winhelp2002 with no comments

Scumbag vs. Scumbag

In a recent development, MessengerPlus! was chastised for the advertising content that is displayed to the user when the "Sponsored Program" (Circle Distribution aka: C2Media/LOP) is installed ... so what's the big deal?

The text in their EULA allows them to replace the user's HOSTS file ... so their work-around was to rip off the entries from my HOSTS file and insert them into their own version of a HOSTS file. They are doing this in an obvious attempt to block WinFixer from displaying ads on the user's screen.

What's laughable about the whole situation is that they are trying to prevent one of their own advertisers (RightMedia) from running ads that they pay for ... duh! Makes you wonder what the WinFixer guys are going to do to Circle Distribution as they are not only blocking WinFixer, but also several of their other (unwanted) programs ... this could get interesting!

Posted by winhelp2002 with 1 comment(s)

Fake codec with a twist

These codec sites have a new twist ... they are now displaying the typical fake codec message from Windows Media Player.

However this new version automatically redirects the viewer and the Trojan.Zlob file is automatically loaded ...

This new (fake) codec site was only registered Dec. 11 and I've found about 60 (adult) sites already using it ...
NOD32 detects the download as: Win32/Small.FB trojan

Posted by winhelp2002 with no comments

HOSTS File Updated


The MVPS HOSTS file was recently updated [12-15-06]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (123 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource
for determining possible culprits ... (503 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute
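The "text" version of the HOSTS file is useful for checking whether a suspect hostname is already blocked, and the Scumbag vs. Scumbag post above shows why a replaced HOSTS file deserves a look. This added example (not the MVPS project's own code) parses a constructed sample in the "0.0.0.0 hostname" format, answers exact-match lookups, and flags entries that redirect rather than block:

```python
"""Check hostnames against a HOSTS-format blocklist (constructed example)."""
import ipaddress

# Constructed sample in the MVPS HOSTS format: "0.0.0.0 hostname", '#' comments.
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.test # [Adware]
0.0.0.0 www.fake-codec.test fake-codec.test
0.0.0.0 activex-download.test
198.51.100.7 login.my-bank.test # not a blackhole address: a redirect, not a block
"""

BLACKHOLE = {"0.0.0.0", "127.0.0.1"}  # addresses that make a lookup go nowhere

def parse_hosts(text):
    """Return {hostname: ip} from HOSTS-format text, ignoring comments and blanks."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP address; skip rather than trust it
        for name in names:
            entries[name.lower().rstrip(".")] = ip
    return entries

def is_blocked(entries, hostname):
    """True only on an exact match: HOSTS files have no wildcards, so an
    unlisted subdomain of a blocked domain still resolves normally."""
    ip = entries.get(hostname.lower().rstrip("."))
    return ip is not None and ip in BLACKHOLE

def suspicious_entries(entries):
    """Entries mapped to a routable address instead of a blackhole. A HOSTS
    file that was replaced could redirect a site rather than block it."""
    return {h: ip for h, ip in entries.items()
            if ip not in BLACKHOLE and h != "localhost"}
```

Point `parse_hosts` at the real hosts.txt to check a culprit; note that `cdn.fake-codec.test` is not blocked even though `fake-codec.test` is, so each hostname seen in a redirect chain needs its own entry.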

Posted by winhelp2002 with no comments

Another fake Video ActiveX Object

Looks like VideoCash has changed vendors already ... seems like they do every few days ...

Clicking the link leads to activexmediaobject(dot)com which is registered where else? ESTDOMAINS
Their website layout is exactly the same as the one I reported previously ... it looks like VideoCash is switching from the fake "codec" sites to "activex" (VAX) ...

Posted by winhelp2002 with no comments

Another fake codec to avoid

I found this fake codec site using a new social engineering trick ... they play the (adult) movie in Windows Media Player from a small pop-up but as you can see it's blank. While the movie plays the sound is audible but there is no video ... this is to trick the viewer into clicking the link displayed to download a "Video Access ActiveX Object". The guys at SunBelt reported a similar site, where the download is nothing more than another Trojan.Zlob version.

So who is behind all these fake codec installs? Generally the VideoCash folks, just look at their offer ...

While VideoCash pays up to $0.44 to the site operator, they generate much more revenue with their downloaded bundle. This generally includes (at least) a Rogue Antispyware program, for which they receive 50-75% commission per install ...

Posted by winhelp2002 with 1 comment(s)

Zango offers Teen Porn

While researching several suspect sites today I ran across a disturbing find ... Zango offering Teen Porn!

Zango's Teen Porn content

I had to cover up the images with the View Source as they are too graphic and disgusting. As you can see above in the link description "Free exclusive teen pictures and movie galleries" there is no doubt the intention is to offer Teen Porn. What's next ... incest and kiddie porn? ... have you people no morals at all?

I imagine Zango's advertisers would be real proud of where their $$$ are being spent ...

It seems like a day doesn't go by that Zango isn't in the news for something ... in light of all these ongoing events I think it's time for the Zango CEO Keith Smith to resign. Obviously Zango's top management has lost control of itself, perhaps the FTC should assign someone full-time in-house to keep a watch over them. How many incidents does it take before a company like this gets shut down?

Note: do not visit the sites mentioned as there are links that also lead to Trojan.Zlob infected sites ...

Posted by winhelp2002 with no comments

Another IFrame VML exploit

Following up on a SunBelt blog post ... I noticed the site mentioned wasn't really the problem but the IFrame exploit contained on the page, which produces an Information Bar pop-up in IE7.

In researching this culprit I found that the same exploit is being served up on several other sites, two of which were discovered by the Microsoft Search Defender project as seen here ... in the first two examples these sites now contain the same IFrame exploit. I suspect these servers have been hacked since Microsoft reviewed them and the IFrame injected.

These culprit sites will be included in the next HOSTS file update ... the IFrame page was scanned at VirusTotal and was only detected by AntiVir as: EXP/HTML.VML.Gen

Posted by winhelp2002 with 1 comment(s)

Zango does hard core Porn

In a follow-up to Zango Tries To Reinstall Trust, our favorite Zango watcher paperghost posts a more detailed write-up ...

So what do I find as a Google Sponsored Link?

Visiting the site (caution: contains adult images), which is nothing more than a page of hard core adult thumbnail images with links to follow through ... however clicking the follow-through links (note the 302 in the Result header) all redirect to Zango.

McAfee SiteAdvisor has a warning.
When we tested this site we found links to zango.com, which we found to be a distributor of downloads some people consider adware, spyware or other unwanted programs.

Next the viewer is presented with the following prompt in Windows Media Player ...

Don't you just love the phrase "Seekmo supported content" ... and this from a company that is supposed to be cleaning up their act ...

Posted by winhelp2002 with no comments

Google restricting porn in searches?

Read an interesting story which mentions Google may be restricting some adult related topics in its search results. So I decided to conduct a search on the term mentioned in the story = "porn" ... "Results 1 - 10 of about 86,300,000 for porn" wow, that's a lot of hits, must be a popular topic ...

However following the links from the results reveals some disturbing results ...
Result #4 is a link that once clicked on redirects the user to a known Trojan download site, which then redirects (via IFrame) to another known culprit offering "free adult movies". These free movies, once downloaded, prompt the user that they need a "codec" to play the download ... yup, the "codec" infects the user with a variant of the Trojan.Zlob ... ouch!

Result #4 is a blind link from one of these "Make a shorter link" sites, so a word to the wise, never trust these types of links. When in doubt about a suspicious link you can copy and paste the link here and safely view the results.

Note: The entry in red above indicates that site was blocked by an entry in the HOSTS file ...
Google / StopBadware Warning for that site ...
Content on this site is bundled with several components that reportedly behave as a Trojan horse that is installed as a codec. Installation of this Trojan horse is not disclosed to the user. (Deceptive installation)

Results #4, 12, 23, 80, and 82 all redirect to the same few "codec" sites ... McAfee SiteAdvisor shows these same few sites involved ... so be careful what you click on! Free isn't always the result you expected.

As part of the infection bundle you also get (code on page)
BEGIN LINKCODE #10999 Product: WinAntiVirusPRO 2006 which is yet another Google/StopBadware Warning site ...

Posted by winhelp2002 with no comments