January 2007 - Posts

HOSTS file update 01-31-07

I've updated the HOSTS file today ... you may notice a bigger than normal increase in the file size. This is due to the tremendous explosion of these Trojan.Codec-related sites. It must be profitable or they wouldn't be registering so many new sites ...


http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (133 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource
for determining possible culprits ... (553 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with no comments

Google adds new Warning to harmful sites

If a user's Google search results happen to turn up a known harmful site, the user will see the following:

Notice the new "This site may harm your computer" warning (view here) ... so what happens if you ignore this warning and proceed anyway? ... duh! Don't do it!

As you can see above, the user is prompted with the typical bogus missing Video ActiveX Object, but as also highlighted above, the viewer gets whacked with an IFrame exploit ... actually it's several ...

And just for good measure you get whacked with Win32/Exploit.WMF, see the last 2 entries in red above. My antivirus (NOD32) jumped on that and blocked it, even though that exploit has been patched.

Folks, I can not stress enough how important it is to have all the latest updates and versions installed on your machine. The above "scripted windows" prompt does not appear in IE6.

I would recommend adding 85.255.116.203 to your IE7 Restricted Zone, the sites mentioned will be added to the next HOSTS update ... due in a few days.

Posted by winhelp2002 with no comments

Oh what a nasty place

Landing on xmoviesportal(dot)com results in the below prompt, which is another IFrame exploit from 85.255.117.53.

And if that's not enough, clicking a link redirects you to videoaxobject(dot)com which is yet another Trojan.Zlob infection ... nice place huh?

I would recommend adding 85.255.117.53 to your IE Restricted Zone, the other sites mentioned will be added to the next HOSTS file update.

Posted by winhelp2002 with no comments

Same scam different approach

Landing on an adult site and clicking a link results in the below bogus message ... "Special media software" is required ... yeah right ... it's nothing more than another Trojan.Zlob infection.

However, the "codec" file (videosaccess.exe) that tries to install is coming from an IP address: 205.252.48.12. Since you can not add IP addresses to a HOSTS file, I would suggest adding that address to your IE Restricted Zone. Once you have done that, if the above occurs you'll see the following prompt, which effectively blocks that address from downloading the malware file.

I scanned the file at VirusTotal and it is not very well detected yet ... you can see the SunBelt Research results here ... notice at the bottom of the report that Ultimate Cleaner also gets installed. Ultimate Cleaner is a Rogue/Suspect product that is already included in the HOSTS file ...

Posted by winhelp2002 with no comments

Bogus ActiveX Error

Looks like the Trojan.Codec guys have come up with a new scam ... trying to make you believe that an error has occurred. I've found two different types of error boxes from two different culprits.

Even if you click Cancel, you guessed it, you can't get out ... another box appears prompting you to install "Image ActiveX Object" (which doesn't exist!). If you click Continue you are redirected to imagemediaax(dot)com, which is registered to ... who else? EstDomains (85.255.116.250).

Now this one shows a slightly different (bogus) Windows error box ...

And again, even if you click Cancel you get prompted with another message, where as you can see your only option is to click OK ... if you click the red X, it simply loads the above message and it starts over ...

This one redirects to activexsource(dot)com ... now folks, if you get stuck in this situation where it appears you can not get out ... simply press Alt + F4, which in IE7 will bring up a prompt to close all tabs ...

Posted by winhelp2002 with no comments

Selected best of the best in Freeware

For the 2nd year in a row the MVPS HOSTS file has been selected "best of the best in Freeware" by Pricelessware.

Posted by winhelp2002 with no comments

When Sites are Hacked visitors get whacked

It looks like another game site got hacked and one line of HTML code was added to their site, which will infect unsuspecting visitors who are not using the latest versions and updates of Windows and Internet Explorer.

As you can see in the image, IE7 stopped the infection and prompts the user via the Information Bar ... folks, every time I've seen this prompt it is a true warning. Yes, I've seen this prompt more than once, here and here.

Once the culprit highlighted in the View Source was added to the HOSTS file and the page was refreshed, the prompt no longer appears ...

Posted by winhelp2002 with no comments

How Spamdexing works

As you can see in the image below, a seemingly harmless ".edu" link from a Google search can result in the user being redirected to an unwanted website that attempts to install a Trojan.Codec.

The ".edu" link automatically redirects to the "xxxvideossite(dot)com" site (displayed in red = already blocked in the HOSTS file), which automatically redirects via the "count.js" file to "givemepornvids(dot)com", which in turn redirects to pornmoviesindex(dot)com. Once that page opens the viewer is presented with "get full-length high-quality movies absolutely for free!", however clicking any of the images redirects to the below image.

Yes, you guessed it ... another Trojan.Codec infection. There are quite a few of these types of sites linking to this newest Trojan.Codec site, which I'm adding to the HOSTS file for the next update (in a few days).

Posted by winhelp2002 with no comments

Another bogus Codec site

It seems like these guys set up a new bogus "codec" site every few days ... however these new versions try to install themselves automatically ... luckily IE7 stops this action, for now, until they figure a way around it.

This new culprit is registered through who else? ... EstDomains/InterCage.
tvscodec(dot)com = 216.255.182.171, which is registered to the same owner as:
tscodec(dot)com = 216.255.182.173

This one is not very well detected at the moment - VirusTotal results:

Scanner              Version          Updated     Result
AntiVir              7.3.0.21         01.09.2007  TR/Drop.Zlob.acn
Authentium           4.93.8           01.10.2007  no virus found
Avast                4.7.892.0        12.30.2006  no virus found
AVG                  386              01.10.2007  Downloader.Zlob.DEZ
BitDefender          7.2              01.11.2007  MemScan:Trojan.Dnschanger.V
CAT-QuickHeal        9.00             01.10.2007  no virus found
ClamAV               devel-20060426   01.11.2007  no virus found
DrWeb                4.33             01.10.2007  no virus found
eSafe                7.0.14.0         01.10.2007  Win32.Zlob.acn
eTrust-InoculateIT   23.73.111        01.10.2007  no virus found
eTrust-Vet           30.3.3318        01.11.2007  no virus found
Ewido                4.0              01.10.2007  no virus found
Fortinet             2.82.0.0         01.10.2007  no virus found
F-Prot               3.16f            01.10.2007  no virus found
F-Prot4              4.2.1.29         01.10.2007  no virus found
Ikarus               T3.1.0.27        01.09.2007  no virus found
Kaspersky            4.0.2.24         01.11.2007  no virus found
McAfee               4936             01.10.2007  no virus found
Microsoft            1.1904           01.11.2007  no virus found
NOD32v2              1971             01.11.2007  no virus found
Norman               5.80.02          01.10.2007  no virus found
Panda                9.0.0.4          01.10.2007  no virus found
Prevx1               V2               01.11.2007  no virus found
Sophos               4.13.0           01.10.2007  no virus found
Sunbelt              2.2.907.0        01.05.2007  no virus found
TheHacker            6.0.3.147        01.11.2007  no virus found
UNA                  1.83             01.10.2007  no virus found
VBA32                3.11.2           01.10.2007  no virus found
VirusBuster          4.3.19:9         01.10.2007  Trojan.DR.Zlob.Gen!Pac14

Posted by winhelp2002 with no comments

When Adult Webmasters complain

When adult webmasters complain about the tactics of other adult webmasters, they must be really bad. They have even compiled lists of the culprits, which I went through, especially the ones marked as exploits.

Many of these exploit sites were related to Trojan.Zlob or Trojan.Codec infections; however, many others had multiple exploits. What I found was that many of these were using IP addresses rather than site names, most likely to avoid being blocked in a HOSTS file.

To avoid these types of attacks you can place these IP addresses in the Restricted Zone in Internet Explorer.
You can simply copy and paste the below ...


Posted by winhelp2002 with no comments

The sad state of the Internet

It's a real shame that the Internet has deteriorated to the point where one security researcher stated in a recent CNet article that "The war to make the Internet safe was lost long ago, and we need to figure out what to do now." And another is quoted as saying "We are losing this war badly," he said. "Even the vendors understand that we are losing the war."

To add to the point, VitalSecurity has a link to a short movie that everyone should view in order to get a real grasp of the situation and how easy it is to spam forums, blogs, guestbooks and the like. Wikipedia (the free encyclopedia) has a terrific explanation of this type of spam, also known as Spamdexing.

I began researching the problem a few weeks ago and what I found is that there is a common denominator to these spammers. The vast majority try to redirect the user to unwanted sites or worse (Trojan.Zlob and Trojan.Codec) ... after a while I began to see a pattern, where the files and sites that were actually doing the redirections were the same few, time after time. So I started adding these (about 100) to the HOSTS file, marked with the comment "#[Spamdexing]".

Now this method will not prevent Spamdexing but it will help prevent the users of my HOSTS file from either being redirected to unwanted sites or from getting infected from these culprits.
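As an added example (not the MVPS HOSTS file itself, nor any code from winhelp2002), the Python below parses HOSTS-file lines in the layout described above, including the "#[Spamdexing]" comment tag, and also shows the limitation noted in "Same scam different approach": a HOSTS file matches exact hostnames only, so a raw IP address is never blocked by it and has to go in the IE Restricted Zone instead. The HOSTS excerpt is constructed for the example; the sink address and comment tags follow the MVPS layout.

```python
import ipaddress

# Constructed HOSTS-file excerpt in the MVPS layout: sink address, hostname,
# then a "#[category]" comment tag. Not the real file.
SAMPLE_HOSTS = """\
# Example HOSTS excerpt (constructed)
127.0.0.1 localhost
0.0.0.0 xxxvideossite.com #[Spamdexing]
0.0.0.0 givemepornvids.com #[Spamdexing]
0.0.0.0 videoaxobject.com #[Trojan.Zlob]
0.0.0.0 www.imagemediaax.com #[Trojan.Codec]
"""

SINK_ADDRESSES = ("0.0.0.0", "127.0.0.1")


def parse_hosts(text):
    """Return {hostname: tag} for every blocked name in a HOSTS file.

    The tag is the trailing comment (e.g. "[Spamdexing]"), or "" if none.
    Comment-only and blank lines are skipped, as is the localhost entry.
    """
    blocked = {}
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        parts = line.split()
        if len(parts) < 2 or parts[0] not in SINK_ADDRESSES:
            continue
        for name in parts[1:]:
            if name == "localhost":
                continue
            blocked[name.lower()] = comment.strip()
    return blocked


def is_blocked(hosts, target):
    """True only for an exact hostname entry.

    A bare IP address never matches (HOSTS resolution is by name, so an
    IP-based URL bypasses it), and a subdomain is only covered if it has
    its own line.
    """
    try:
        ipaddress.ip_address(target)
        return False  # raw IP: HOSTS cannot block it; use the Restricted Zone
    except ValueError:
        pass
    return target.lower().rstrip(".") in hosts


def tagged(hosts, tag):
    """Sorted hostnames carrying a given comment tag, e.g. "[Spamdexing]"."""
    return sorted(name for name, t in hosts.items() if t == tag)
```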

Posted by winhelp2002 with no comments

Zango does Teen Porn again

While tracking down sites linking to the latest Trojan.Codec previously mentioned today ... I find Zango running on another "Teen Porn" site. You can tell from the site title below that there is no doubt what this site is about.

Hey Zango, is the adware business that bad that you have to run your content on these types of sites? Since this is not the first time your content has been found on these teenie porn sites, it would seem you guys are nothing more than a bunch of perverts!

Posted by winhelp2002 with no comments