May 2007 - Posts

Bogus Connection Software

Landing on "advertising(dot)trafioko(dot)kapo(dot)bestpage-com(dot)biz" the viewer is presented with the following:

Hopefully you should know better than to fall for this trick/scam ... but sadly some still do ... "Tested 100% virus free" liar liar!

Now IE7 / Vista running in "Protected Mode" blocks the instant install of this trojan ... this is why it is never a good idea to turn off UAC, as it disables the IE7 Protected Mode and exposes the user to unnecessary risks. And as you can see, NOD32 also provides a layer of protection via IMON (Internet Monitor), a feature that most freeware AV programs do not have.

Posted by winhelp2002 with no comments

Bogus Video Codec Extension

Working off a tip from the MIRT Team ... landing on hqmovieclub(dot)com you see the following bogus message ...

However, this one is not your basic codec infection; rather you end up with: Trojan.Win32.Agent.ahp
There are over 40 other (adult) sites associated with "WmvMediaLease", all cross-linked with each other.

Posted by winhelp2002 with no comments

ValueClick cuts ties with the WinFixer Group

There has been no official notice yet, but it looks like ValueClick has severed its ties with the WinFixer Group.

I have checked quite a few of the links that I had previously mentioned [1] [2] [3] and they now no longer redirect to "adfarm.mediaplex.com".

hxxp://go.winantispyware.com/NTY2Mg==/2/3345/ax=1/ed=1/ex=1/af6/
now redirects to: (URLs disabled)
hxxp://www.winantispyware.com/download/2007/index.php?mtrt=swp_was_common&aid=swp_was7&lid=3345&affid=pp_1594734724&p=was&ax=1&ed=1&ex=1

Although it took 25 days since the suits were contacted at ValueClick, this is great news for the end-user. Hopefully the rough treatment by myself and others [1] [2] caused them to clean up their act. I imagine this also has a lot to do with their pending FTC investigation.

Posted by winhelp2002 with 3 comment(s)

When Hosting Services fail to act

Recently Brian Krebs wrote an article that mentioned a disturbing fact ...

There is no "notice and takedown" law specifically requiring ISPs and Web hosts to police their networks for sites that may serve malicious software.

Well there should be! Now I know not much can be done about foreign ISPs, however the majority of them do have offices in other countries, or run their traffic thru other Networks. Failure to act in a timely fashion not only harms the end-user, it also generates mistrust in the safety of the Internet itself.

A good example of this is ddl-help(dot)info (85.17.65.7) which also hosts several other sites.

What is disturbing is the fact that F-Secure reported this site in 2005!

We have reported the abuse to the ISP hosting the website.

Yet the malicious files still exist today ... Sophos has had a detection since 7 March 2005, so the ISP (AASYS.BIZ) cannot claim it didn't know or wasn't notified. They should act within 48 hrs. or the reporting authority should be able to file a complaint and some kind of sanctions should be taken against the offending ISP.

It's not just that one site that is malicious either, and there is no excuse for these to still exist ...

Posted by winhelp2002 with 2 comment(s)

When Giants Collide

Over the last few months there has been a big change in the Internet Giants. Google buys YouTube and then DoubleClick. To a lesser extent Yahoo buys RightMedia, and now Microsoft buys aQuantive ...

For Google, DoubleClick was a good fit as they were already in use at YouTube, and why pay for your advertising when you can own the company ... makes sense to me ...
Traffic Rank for youtube.com: 4
Traffic Rank for google.com:  3
Traffic Rank for doubleclick.com: 221

For Microsoft, aQuantive was a good fit as MS/MSN was already using atdmt.com
Traffic Rank for microsoft.com:  12
Traffic Rank for atdmt.com:  427

Yahoo already owned 20% of RightMedia so they just purchased the other 80%.
Traffic Rank for yahoo.com:  1

It will be interesting to see how things play out in the next few months ... the Microsoft/aQuantive deal is set to finalize in the first quarter of 2008, and the Google/DoubleClick deal is pending.

Yahoo already uses DoubleClick, but once the deal is completed will Yahoo pay Google to run their advertising? ... I think not, maybe that's where RightMedia comes in? Yahoo also uses advertising.com (now owned by AOL) but AOL uses Google for their search engine.

I think we shall see some rather big changes in the advertising world once everything settles down.

Posted by winhelp2002 with no comments

MVPS HOSTS File Update 05-21-07
The MVPS HOSTS file was recently updated [05-21-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (135 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (565 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with no comments

ValueClick turns to the Dark Side

Following up on my previous post, I found a post that better describes the damage that Trojan.Zlob.N does. Sometimes the (boring) technical descriptions do not quite convey what really occurs.

I recently had a worm/virus attack that took control of IE6 and inserted a tool bar called 'Security Toolbar' that takes you to the above www site. I cannot remove this toolbar.

Other names that appeared in dialogue boxes, callout boxes, and file names found when I could eventually scan my pc are: Zlob.JQC, Zlob.JQA, W32.Myzor.FK@yf, Trojan TJ/BZ, www.asecuritynote(dot)com/vc/07-38929322/, www.protectionclicks(dot)com (URLs disabled)

This worm/virus disabled my AVG virus protection, deleted my temporary internet files and cookies, removed Windows installer, and a yellow shaped triangular icon appeared in the tray with an '!' in its centre. It would not allow me to access www sites such as Symantec to access its knowledge base to try and find out about this infection. The green progress bar at the bottom of IE6 stopped at about the 80% mark. It also removed all of my Windows security updates!

So browsing to guardtoolbar(dot)com ... we discover several redirects and then another "adfarm.mediaplex.com" ...

As you can see, the endpoint is trustedprotection(dot)com, which is yet another Rogue program. So I downloaded the offered program and checked it out. Turns out this is actually an AV program from avsystemcare(dot)com, yet another Rogue/Suspect program. This is the completely bogus message you see when visiting there ...

Oh it doesn't stop there ... I submitted the file to the SunBelt Sandbox (see results here), where it clearly states (along with some other nasties) in the Network Activity section:

hxxp://64.158.223.133/cm/bk/7484-42107-2054-1?1-install=1&mpuid=2401678573
which redirects to:
hxxp://adfarm.mediaplex.com/cm/bk/7484-42107-2054-1?1-install=1&mpuid=2401678573

Note: 64.158.223.133 = MediaPlex ... also mentioned inside the download (install_en.exe) is "gn.web-fastserve.com", now who is that? Well browsing there we see ... you guessed it "Welcome to MediaPlex". So now they are no longer just serving as a content provider, ValueClick is directly involved with several more Rogue programs.

Seems I was not the only one to discover this: Spyware Detector - Fake Anti Spyware. AVSystem Care

Remember in the quote above ... (www.protectionclicks(dot)com)

This is the same exact image Symantec supplied in their Trojan.Zlob.N description. In the above image it states "Antivirus software was not found on this computer" ... well now we know why! According to the user's description above, the Trojan wiped out their AV program, then offers to supply them with a bogus product.

Way to go ValueClick! ... enjoy the Dark Side and your ill-gotten gains (for now)

Knock-knock ... who's there? (hopefully) The FTC

Posted by winhelp2002 with 2 comment(s)

ValueClick involved with Trojan.Zlob.N

Following up on a recent Symantec security article Trojan.Zlob.N ... notice that several of the posted images show one or more programs from the WinFixer group. Of particular interest is the following:

The Trojan will then connect to the following Web site and attempt to download other potentially malicious files: lbgate(dot)com

Ok, so I venture to lbgate(dot)com which redirects to: (URLs disabled)
Fetching hxxp://lbgate(dot)com/ ...
HTTP/1.1 302 Found
Date: Fri, 18 May 2007 07:47:09 GMT
Location: hxxp://checkssecurity(dot)com/soft/

So what do we find at checkssecurity(dot)com? ... oh no not again!

I've highlighted in red the two links that you also see in the View Source on the page ...

hxxp://go.systemdoctor.com/MzcwMg==/2/142/ax=1/ed=1/ex=1/sc1/
redirects to: (View safely here)
hxxp://adfarm.mediaplex.com/ad/ck/47067?mpt=1179475189&aid=swp_sdr&lid=142&affid=pp_2322432905&ax=1&ed=1&ex=1

This again leaves no doubt that ValueClick is getting a commission from undesirable sources ... which Symantec describes as:

Trojan.Zlob.N is a Trojan horse which displays fake error alerts on the compromised computer in an attempt to trick the user into downloading potentially malicious software.

Sandi Hardmeier and I have both been in contact with ValueClick over this matter several times over the last three weeks, however there doesn't seem to be much progress on their end ... really makes you wonder what they are waiting for.

More info on the WinFixer/ValueClick connection [1] [2] [3] (there is more, but you get the idea)

Google warns 10 percent of sites are dangerous

Recently Google released a report that states 10% of sites are dangerous ... ouch! [pdf here]

Let's take a look at one of these and see what we find ... browsing to bestfamilysex(dot)info

Now let's see what's behind the warning ... oh my! there are several IFrame Exploits (highlighted in red)
Note: the Result entries listed as 502 already exist in the HOSTS file ...

Looks like Google is justified in blocking access to this site! It's a shame that Yahoo and MSN don't adopt a similar policy to protect their visitors.

Posted by winhelp2002 with 1 comment(s)

Who is behind all these Codec sites?

While investigating yet another Trojan.Zlob codec site passtosites(dot)net ... it makes you wonder what is behind all these sites as they seem to appear and disappear as fast as I can add them to the HOSTS file.

Previously I had mentioned Videoscash as one culprit (they offer $0.44 per install), and now I see AviCash has raised its rates.

AVICASH - Making money with video plugin installation

$0.37 UNITED STATES (US)
$0.32 UNITED KINGDOM (GB), CANADA (CA)
$0.20 SPAIN (ES), IRELAND (IE), FRANCE (FR), ITALY (IT)
$0.15 GERMANY (DE), BELGIUM (BE), NETHERLANDS (NL)
$0.10 AUSTRALIA (AU), DENMARK (DK)
$0.05 NORWAY (NO), MEXICO
$0.01 OTHERS

passtosites(dot)net states: SiteTicket is a software which grants you access to a bunch of different useful files all over the Internet. Everything you wanted is now absolutely FREE of charge!

The only thing free of charge there is a Trojan.Zlob infection ...

Posted by winhelp2002 with no comments

Blog Spammers examined

Recently I have been receiving a lot of spam to the "Comments" section of my blog ... nothing new there, but these all seem to be from the same spammer. So I thought I'd see why ...

Well I went over to the Forum at "tabletpcbuzz(dot)com" to see what the big attraction was ... oops! Looks like they have been hacked and several JavaScripts have been injected there ...

As you can see, the two sites highlighted in red are the culprits (they already existed in my HOSTS file). Anyway, if you examine the JavaScripts, they redirect the viewer to two other sites ...

The golden-keys(dot)net script redirects to "thecanadianmeds.com"
The balticaffliate(dot)com script redirects to "viagraforlove.com"

Now neither of the medical enhancement sites is malicious, but they are the source of major spamming. If you do a Google Search on golden-keys you get: Results 1 - 10 of about 26,200.

If you search on "thecanadianmeds.com" you get Results 1 - 10 of about 769,000 and the majority are all spam links posted to various blogs and Forums ...

Sandi Hardmeier mentioned something about this yesterday ...
"This is scary... do we have to check every damned URL of every comment just in case it's a dangerous site?"

Yes Sandi, I suggest you do ... as it seems no site can really be trusted anymore ...

Posted by winhelp2002 with 2 comment(s)

Another Video ActiveX Object

Landing on "sweet-cindy(dot)info" ... a typical hard-core adult site (with a Teen theme)... oh what do we find?

The first site highlighted in red shows the WinFixer group hawking their bogus products (nothing new) and if you have been following this blog lately, the "go.drivecleaner.com" link routes you thru ... you guessed it "adfarm.mediaplex.com"

hxxp://go.drivecleaner.com/MTUzODQ=/2/5669/ax=1/ed=2/ex=1//
redirects to: (view safely here)
hxxp://adfarm.mediaplex.com/ad/ck/45688?mpt=1178437888&aid=swp_dc&lid=5669&affid=pp_2190830023&ax=1&ed=2&ex=1

The second highlighted site is your typical Trojan.Codec site ... actually that one redirects several times until you end up on "videosoftwareax(dot)com" which Kaspersky detects as: Trojan-Downloader.Win32.Zlob.btc

So here again we have ValueClick getting a commission via some highly questionable methods ... no wonder they are reported to be under an FTC investigation. And after reading this story, ValueClick cannot claim they were unaware of the problem.

Edelman singled out ValueClick as a repeat offender in running advertisements for rogue security applications.

John Ardis, vice president of corporate strategy at ValueClick, admitted that some rogue software had slipped through its net.

This is not the first time Ben Edelman has documented ValueClick being involved with undesirable types ...

Posted by winhelp2002 with 2 comment(s)

Affiliates Gone Wild!

While doing a little follow-up research on "adfarm.mediaplex.com" (ValueClick) I ran across this gem ...

Your Guide to Mediaplex Detection & Removal ... which goes on to describe the "MediaPlex infection"

Mediaplex is a tracking cookie that tracks your Internet surfing habits such as Web sites visited, and sends the information to a third-party server where it can be analyzed for marketing purposes. When installed, Mediaplex cookie can potentially record any data including sensitive information from your computer.

Now that must be one hell of a Cookie to do all that! ... of course this is an extremely exaggerated claim. There is no evidence that a Mediaplex cookie is involved in any of this type of activity. It's just another example of an "Enigma Software" affiliate out of control. There is a discussion on this type of activity at Spywarewarrior, however it appears to me Enigma is simply on a fishing trip to obtain info to try to put a halt to all the negative opinions they have been getting lately.

Anyway back to ValueClick ... oh my! Valueclick's Sleazy Lead-Gen Biz Creates Regulatory Risk

RBC's Jordan Rohan out with a note today arguing that Valueclick's WebClients business engages in sleazy practices that may violate DMA/IAB guidelines and, therefore, invite regulatory scrutiny.  Jordan estimates that such practices account for a third of Valueclick's revenue and, importantly, most of the company's outperformance over the past year.

"sleazy practices" ... well I can certainly attest to that given their relationship with the WinFixer group. If there is an FTC investigation I will forward all the research I have to the powers that be ...

Posted by winhelp2002 with 1 comment(s)

Yahoo! to Acquire Right Media

Yahoo announced today they will acquire Right Media ... let's hope they clean up the unsavory tactics used by Right Media.

Eweek reports: The Right Media Exchange is the industry's largest emerging online advertising exchange, which serve up banner ads and other ad formats to less-trafficked parts of Web sites than traditional premium ad networks, which target busy Web sites.

"banner ads and other ad formats to less-trafficked parts of Web sites" ... now there is a statement! ... I have observed them advertising on Warez sites, and many many other highly questionable sites. Sandi Hardmeier, a long-time Microsoft MVP, reports on her blog "Right Media was implicated in the distribution of winfixer malware" ... ouch!

On a hunch I browsed over to Yahoo and to my dismay I find Yahoo sponsoring the WinFixer gang too! ...

And yes that link circled in red routes the user thru you guessed it "adfarm.mediaplex.com" (ValueClick) ... so not only is Yahoo getting a piece of the revenue, so is ValueClick. Looks like Yahoo has a little explaining to do ... as I have blogged about the connection between the WinFixer group and ValueClick quite a few times ... [1] [2] [3] [4]

Lawsuit Filed Against Winfixer (a/k/a ErrorSafe, WinAntiSpyware, WinAntiVirus, SystemDoctor and DriveCleaner)

A Yahoo search for "systemdoctor" (1 - 10 of about 217,000)

the #2 Result:
hxxp://rds.yahoo.com/_ylt=A0oGkmDKATdGMz8B0QFXNyoA;_ylu=X3oDMTE3M200ajU3BGNvbG8DdwRsA1dTMQRwb3MDMgRzZWMDc3IEdnRpZANGOTAwXzEyMA--/SIG=12ekm1v9u/EXP=1178096458/**http%3a//go.systemdoctor.com/MzYwNQ==/2/2291/ax=1/ed=2/ex=1/
redirects to:
hxxp://go.systemdoctor.com/MzYwNQ==/2/2291/ax=1/ed=2/ex=1/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45686?mpt=1178010176&aid=swp_sdr&lid=2291&affid=pp_139028844&ax=1&ed=2
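
The redirect chains posted here and in the earlier entries, plus the note that some of these hostnames already sit in the HOSTS file, can be checked offline. The following is an added example (not code from this blog or from the MVPS project): it refangs the hxxp:// URLs exactly as posted, pulls the affiliate tracking fields out of the mediaplex click URL, and reports which hops a HOSTS file would already sink-hole; the HOSTS fragment is constructed for the example, not the real MVPS file.

```python
"""Trace a defanged redirect chain against a HOSTS-style blocklist.

Added example: parses the posted "hxxp://" URLs (refanged for parsing only,
nothing is fetched), extracts the affiliate fields from the
adfarm.mediaplex.com click URL and checks each hostname against a HOSTS
file. HOSTS_TEXT is a constructed sample, not the real MVPS HOSTS file.
"""
from urllib.parse import urlsplit, parse_qs

# Redirect chain exactly as posted (hxxp:// keeps it non-clickable).
CHAIN = [
    "hxxp://go.systemdoctor.com/MzYwNQ==/2/2291/ax=1/ed=2/ex=1/",
    "hxxp://adfarm.mediaplex.com/ad/ck/45686?mpt=1178010176&aid=swp_sdr&lid=2291&affid=pp_139028844&ax=1&ed=2",
]

# Constructed HOSTS fragment in the MVPS layout: sink-hole address, hostname,
# optional "#" comment. Both 127.0.0.1 and 0.0.0.0 are treated as sink-holes.
HOSTS_TEXT = """\
# constructed sample, not the real MVPS HOSTS file
127.0.0.1 localhost
127.0.0.1 adfarm.mediaplex.com
127.0.0.1 go.systemdoctor.com #[WinFixer group]
0.0.0.0   go.drivecleaner.com
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0"}

def refang(url):
    """Turn hxxp:// and (dot) back into a parseable URL (analysis only)."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("(dot)", "."))

def load_hosts(text):
    """Return the set of hostnames a HOSTS file sends to a sink-hole address."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] in SINKHOLES:
            blocked.update(h.lower() for h in parts[1:])
    blocked.discard("localhost")                  # not a block entry
    return blocked

def affiliate_params(url):
    """Extract the affiliate tracking fields (aid, lid, affid) from a click URL."""
    query = parse_qs(urlsplit(refang(url)).query)
    return {k: query[k][0] for k in ("aid", "lid", "affid") if k in query}

def trace(chain, blocked):
    """Per hop: hostname, whether HOSTS blocks it, and any affiliate fields."""
    return [{"host": (host := urlsplit(refang(url)).hostname.lower()),
             "blocked": host in blocked,
             "affiliate": affiliate_params(url)} for url in chain]

if __name__ == "__main__":
    for hop in trace(CHAIN, load_hosts(HOSTS_TEXT)):
        print(hop)
```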

That's in stark contrast to a Google search for the same term = This site may harm your computer

Posted by winhelp2002 with 1 comment(s)

HOSTS File Update 04-30-07
The MVPS HOSTS file was recently updated [04-30-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (135 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (563 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with no comments