July 2007 - Posts

Malware from Adult Cartoon sites

It looks like everybody is getting in on the act ...

Landing on alivegirls(dot)com the visitor is prompted with (how many times have we seen this?)

which leads to enhancevideos(dot)com, yet another Trojan.Codec infection. Sadly there are several other related sites that use this same method of infection ... playing the sound in the background while prompting the visitor that they need to download a "Missing ActiveX Object" ... yeah right ...

The above shows the links between these culprits ... from McAfee SiteAdvisor

Posted by winhelp2002 with no comments

Clickzs promoting Malware

Clickzs (Netsaits BV), a "website traffic monitoring" service, is directly involved in promoting Malware. As you can see below, their links redirect to known Malware (Trojan.Zlob/Codec) sites.

cz4.clickzs.com/tgp.php?pussye&75&CJ1&free3xmovies.com/movies/hardcore/index.php?id=464
redirects to:
hxxp://free3xmovies.com/movies/hardcore/index.php?id=464

cz4.clickzs.com/tgp.php?pussye&75&CJ1&wxw.bigvideosonline.com/index.php?id=464&style=blue
redirects to:
hxxp://wxw.bigvideosonline.com/index.php?id=464&style=blue

cz4.clickzs.com/tgp.php?pussye&75&CJ1&wxw.x-ratedclips.com/5sv/mix6/s1g1/gallery6.php?id=464
redirects to:
hxxp://wxw.x-ratedclips.com/5sv/mix6/s1g1/gallery6.php?id=464

As you can see, the redirects all lead to the same Malware related sites. These sites are all rated red by SiteAdvisor, or run a check with LinkScanner from Exploit Prevention Labs and you'll see:

McAfee SiteAdvisor results [1] [2] [3] "In our tests, we found downloads on this site that some people consider adware, spyware, or other unwanted programs."

Clickzs, are things that bad that you need to associate yourself with these culprits?
This was first reported by the Webmasters at AskDamageX Forum
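The redirector links above carry their real destination inside the query string, so the destination can be recovered and checked without following the redirect. The script below is an added example (not code from this post, from Clickzs or from any vendor): it splits off the three fixed tokens seen in the quoted links ("pussye", "75", "CJ1"; the field layout is an assumption inferred from those three links), takes the remainder as the destination, and flags destinations whose host is on a blocklist built from the three sites named above. The sample links keep the post's defanging (wxw. for www., no scheme), which the code undoes.

```python
"""Pull the destination out of tracking-redirector links and flag destinations
whose host is on a blocklist.  Added example, not code from the post or from
Clickzs.  The field layout (three fixed tokens, then the destination URL) is an
assumption inferred from the three links quoted in the post."""
from urllib.parse import urlsplit

# Constructed sample input: the redirector links quoted in the post,
# with the author's defanging left in place.
REDIRECTOR_LINKS = [
    "cz4.clickzs.com/tgp.php?pussye&75&CJ1&free3xmovies.com/movies/hardcore/index.php?id=464",
    "cz4.clickzs.com/tgp.php?pussye&75&CJ1&wxw.bigvideosonline.com/index.php?id=464&style=blue",
    "cz4.clickzs.com/tgp.php?pussye&75&CJ1&wxw.x-ratedclips.com/5sv/mix6/s1g1/gallery6.php?id=464",
]

# Hosts the post identifies as Trojan.Zlob/Codec sites (the only three it names).
BLOCKLIST = {"free3xmovies.com", "bigvideosonline.com", "x-ratedclips.com"}

# Number of fixed fields that precede the destination in this redirector's
# query string ("pussye", "75", "CJ1" in the quoted links).  Assumption.
LEADING_FIELDS = 3


def extract_redirect_target(link):
    """Return the destination URL embedded in a redirector link, or None."""
    if "://" not in link:
        link = "http://" + link          # urlsplit needs a scheme to find the host
    parts = urlsplit(link)
    # Everything after the first '?' is the query.  Splitting on '&' a fixed
    # number of times keeps the destination's own query string intact
    # (e.g. ...index.php?id=464&style=blue).
    fields = parts.query.split("&", LEADING_FIELDS)
    if len(fields) <= LEADING_FIELDS:
        return None
    return fields[LEADING_FIELDS] or None


def target_host(target):
    """Host of a destination, lower-cased, with the post's defanging undone."""
    host = target.split("/", 1)[0].split("?", 1)[0].lower()
    host = host.split("@")[-1].split(":")[0]    # drop userinfo and port if present
    if host.startswith("wxw."):                  # the post writes www. as wxw.
        host = "www." + host[4:]
    if host.startswith("www."):
        host = host[4:]
    return host


def flag_redirects(links, blocklist):
    """Return (redirector, destination_host, is_blocked) for each link."""
    results = []
    for link in links:
        target = extract_redirect_target(link)
        if target is None:
            results.append((link, None, False))
            continue
        host = target_host(target)
        results.append((link, host, host in blocklist))
    return results


if __name__ == "__main__":
    for link, host, blocked in flag_redirects(REDIRECTOR_LINKS, BLOCKLIST):
        print(("BLOCKED " if blocked else "ok      ") + (host or "?") + "  <-  " + link)
```

Because the destination is visible in the link itself, a proxy or mail filter can apply a blocklist to the embedded host before the redirect is ever followed; the redirector domain alone says nothing about where the click ends up.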

Posted by winhelp2002 with 1 comment(s)

BitTorrent users Beware!

"BitTorrent is a method of distributing large amounts of data (P2P) widely without the original distributor incurring the entire costs of hardware, hosting and bandwidth resources." [Full Wikipedia description here]

Seems the Cash4Downloads folks have teamed up with CidHelp (C2Media/LOP) to distribute "free software" for users looking for BitTorrent programs. So let's see what they offer ...

As you can see ... "no spyware, no adware, no malware" ... oh really? I scanned the download at VirusTotal:

Get-Torrent-2.0.0.0-setup-0350.exe

BitDefender 7.2 2007.07.19 Trojan.FatObfus.A
DrWeb 4.33 2007.07.18 Trojan.Packed.149
F-Secure 6.70.13030.0 2007.07.18 Trojan.Win32.Obfuscated.dt
Ikarus T3.1.1.8 2007.07.18 Trojan.Win32.Obfuscated.en
Kaspersky 4.0.2.24 2007.07.19 not-a-virus:AdWare.Win32.Lop.bo

[or]
BitRoll-2.2.0.0-setup-0410.exe

Avast 4.7.997.0 2007.07.18 Win32:Trojan-gen. {Other}
BitDefender 7.2 2007.07.19 Trojan.Agent.AOJ
DrWeb 4.33 2007.07.18 Trojan.Packed.149
F-Secure 6.70.13030.0 2007.07.18 Trojan.Win32.Obfuscated.en
Ikarus T3.1.1.8 2007.07.18 Trojan.Win32.Obfuscated.en
Kaspersky 4.0.2.24 2007.07.19 not-a-virus:AdWare.Win32.Lop.bo
Microsoft 1.2704 2007.07.18 Trojan:Win32/Busky.C
Symantec 10 2007.07.19 Torrent101

There are about 15 other related sites, all hosted on the same IP address (69.72.144.122); however, the majority of the downloads are redirected and actually come from 67.15.107.166. I would highly suggest adding that IP address to the Internet Explorer "Restricted Zone", as this will prevent the download.

As you can see in the VirusTotal results several Antivirus vendors have their own descriptions, but I can assure you these are CidHelp (C2Media/LOP) related.

Symantec's WinZix writeup states: "The program may then download a copy of Adware.Lop on to the computer."
McAfee SiteAdvisor's torrent101.com download analysis shows the following Registry edits are made:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow]
ADD netbios-wait.com=""
ADD netsearchsoft.com=""

Now netbios-wait and netsearchsoft are both C2Media/LOP sites ... looks like the world of BitTorrent can be a dangerous place. Especially if you install one of these "no spyware, no adware, no malware" programs.

Posted by winhelp2002 with no comments

Is Microsoft getting into the Adware business?

Folks, if Microsoft ever develops this, it will be game over for users that believe that Adware is a Security/Privacy risk. Hopefully someone at Microsoft will come to their senses before they cause a riot!

"Overall, the software is like adware that figures out what ads to display based on files on the hard drive and what's being displayed on the screen at a given moment. The advertising software, which could be part of the operating system, a standalone app, or an application feature, would use information gleaned from documents, music, computer status messages, and e-mails as context for ads. However, the software could conceivably gather information on every file on a user's hard drive and send it to advertisers, and the application does little to assuage security and privacy concerns."
[full story here]

"would use information gleaned from documents, music, computer status messages, and e-mails as context for ads."

Isn't that the definition of Spyware? ... does MS actually think anyone would agree to this? I can see it now ... offer some new "feature" for free in exchange for spying on your habits. Oh Microsoft, what are you thinking?

Posted by winhelp2002 with no comments

MVPS HOSTS File Update 07-08-07


The MVPS HOSTS file was recently updated [07-08-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (141 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (595 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with 2 comment(s)

Is Micro Bill Systems legit or Ransomware

There has been a lot of discussion lately about the tactics of Micro Bill Systems. Is their software legit or does it hold your PC hostage and use scare tactics to bully you into paying for access to their (adult) sites?

From their "Terms and Conditions"
12.5 If You choose to ignore the payment reminders and do not pay the Membership Fee, You hereby understand and acknowledge that the prompt reminders may become more frequent and that You may lose the ability to use Your computer until You have submitted payment. The payment reminders will be active while your computer is online or offline. [emphasis mine]

Wow! Talk about hijacking your machine ... I wonder if that is even enforceable?

A Micro Billing spokesman stated: The software that has been described on this forum can ONLY be downloaded from visiting one of our clients sites. Our software is not spyware nor is it embedded as a trojan. [emphasis mine]

Well let's see what VirusTotal has to say about their download (MBSAuthenticate_19.exe)

Looks to me like quite a few of the major Antivirus vendors disagree ... however, a few of the vendors have changed their detection description lately. Why? It seems MBS has threatened legal action ...

But what about those who enlist antivirus software to remove the MBS product? MBS says it is considering legal action against Jacques Erasmus of Prevx, following comments he made previously in the Guardian about the company; it wants to stop Prevx's product from removing its software. Symantec - which sells the Norton security products - has already agreed to such demands. [link here]

"We are taking legal action against a number of companies that promote their software as being able to remove our software," Bateup says. "Their actions constitute an offence since they are inducing consumers to breach their contracts with us. We are taking legal action against all companies that list our software as malware or spyware."

Symantec changed their detection (13 February 2007) from "Adware" to "SecurityRisk.SexxPass"
"SecurityRisk.SexxPass is a security risk that adds certain domains to the trusted sites list in Internet Explorer. This means that downloads can occur automatically without explicit user consent."

Funny, I saw no mention of "adds certain domains to the trusted sites" in their Terms. It appears Prevx dropped their detection completely ... Looks to me like MBS picked the smallest company to threaten ... I doubt Kaspersky will change theirs (Trojan.Win32.Agent.afi).

Now I found no evidence of their sites auto-installing the software, but the tactics are highly questionable. I seriously doubt their "Terms & Conditions" would hold up in court here in the US, but it seems just the costs of a legal battle have caused a few of the vendors to change their detections ... very sad ...

In my opinion, if a vendor's software cannot pass a VirusTotal scan, then it is a risk to the end user.
How To: Remove Micro Bill Systems
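Both the torrent101.com download above (which adds netbios-wait.com and netsearchsoft.com under Internet Explorer's "New Windows\Allow" key) and Symantec's SecurityRisk.SexxPass description (which adds domains to the Trusted sites list) come down to the same thing: a program quietly widening IE's exceptions. The script below is an added example, not the post's own code or any vendor's: it reads a regedit export (.reg text) and lists every domain in the popup allow list and every domain mapped to zone 2 (Trusted sites) under ZoneMap\Domains, flagging the two C2Media/LOP names the post gives. The .reg text is constructed for the example; the layout of ZoneMap\Domains (one subkey per domain, further subkeys for host labels, values such as "http"=dword:00000002) is stated from general knowledge of that key rather than from the post, and sexxpass-placeholder.invalid is a placeholder because the post does not name the domains SexxPass adds.

```python
"""Audit Internet Explorer exception lists in a regedit export.  Added
example; not code from the post, McAfee SiteAdvisor, Symantec or MBS.
The .reg text is constructed; the ZoneMap\\Domains layout is an assumption
from general knowledge of that key, not something the post shows."""
import re

# Constructed regedit export.  netbios-wait.com and netsearchsoft.com are the
# entries the post quotes; the *.invalid names are placeholders.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow]
"netbios-wait.com"=""
"netsearchsoft.com"=""
"intranet.example-corp.invalid"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-corp.invalid\partner]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sexxpass-placeholder.invalid]
"*"=dword:00000002
"""

# Domains the post attributes to C2Media/LOP.
KNOWN_BAD = {"netbios-wait.com", "netsearchsoft.com"}

POPUP_ALLOW_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow"
ZONEMAP_DOMAINS_PREFIX = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    + "\\"
)
TRUSTED_ZONE = 2   # zone ids: 0 computer, 1 intranet, 2 trusted, 3 internet, 4 restricted

# "name"=value or @=value lines inside a [key] section.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")\s*=\s*(.*)$')


def parse_reg(text):
    """Return (key, value_name, raw_value) triples from .reg export text."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            entries.append((key, name, m.group(3)))
    return entries


def popup_allow_entries(entries):
    """Domains whose pop-ups IE will always allow (value name is the domain)."""
    return [name.lower() for key, name, _ in entries if key.lower() == POPUP_ALLOW_KEY.lower()]


def trusted_site_entries(entries):
    """Domains mapped to the Trusted sites zone under ZoneMap\\Domains."""
    found = []
    for key, _, value in entries:
        if not key.lower().startswith(ZONEMAP_DOMAINS_PREFIX.lower()):
            continue
        if not value.lower().startswith("dword:"):
            continue
        if int(value.split(":", 1)[1], 16) != TRUSTED_ZONE:
            continue
        # Domains\example.com\www  ->  www.example.com  (assumed subkey layout)
        labels = key[len(ZONEMAP_DOMAINS_PREFIX):].split("\\")
        found.append(".".join(reversed(labels)).lower())
    return list(dict.fromkeys(found))


def audit_ie_exceptions(reg_text, known_bad):
    """Every exception found, tagged with whether it is a known-bad domain."""
    entries = parse_reg(reg_text)
    findings = [("popup-allow", d, d in known_bad) for d in popup_allow_entries(entries)]
    findings += [("trusted-zone", d, d in known_bad) for d in trusted_site_entries(entries)]
    return findings


if __name__ == "__main__":
    for kind, domain, bad in audit_ie_exceptions(REG_EXPORT, KNOWN_BAD):
        print(("KNOWN BAD " if bad else "review    ") + kind + "  " + domain)
```

Every entry is reported, not only the known-bad ones, because the whole point is that the user never consciously added these exceptions; anything in either list that you do not recognise deserves a look.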

Posted by winhelp2002 with 4 comment(s)

LimeWire and Media Usage Rights Acquisition

I saw several messages posted on Forums relating to "LimeWire and Media Usage Rights Acquisition". While LimeWire is Adware/Spyware free, the files you download (P2P) may not be ...

I'm a real novice on Limewire, so I'm hoping you will excuse me if this is a dumb question. I downloaded a track and tried to play it, but a window opened, called Media Usage Rights Acquisition, with the address mediaprovider(dot)info. I opened the window and it started downloading a program, which I thought would allow me to play the music. I still can't get the music to play, but now I have a program called Mirar that I can't uninstall. It has stuck itself into my toolbar and I can't make it go away. Any suggestions? [link here]
[or]
I have recently downloaded LimeWire. The first three music track downloads played no problem; now the tracks are suddenly protected and take me to Media Usage Rights Acquisition (Zango.com) or Mediaprovider(dot)info. Both want me to download software in order to play the tracks. [link here]

Ok, so let's browse over to "Mediaprovider(dot)info" and see what's up ... uh-oh!

Adware.Mirar attempts to find Web pages that are related to the Web page currently being viewed. It also displays advertisements based on the URLs and search terms used while navigating the Internet. It will also attempt to download and install the Mirar toolbar from a predetermined Web site. This toolbar is also detected as Adware.Mirar.

Having to download additional software just to play a file you already downloaded should be a clue that something is not right. And you may just find yourself under a RIAA (Recording Industry Association of America) investigation.

Posted by winhelp2002 with 1 comment(s)

When Advertisers distort the Truth

XSC Incorporated displays the following about their products ... doesn't sound so bad? ... or does it?

Well let's see ... browsing over to "smutvidoftheday(dot)com" we find an offer of free videos every day. Oh really ...

Somehow I never related "Contextual Advertising" to the description that NOD32 shows. McAfee's SiteAdvisor also found that you get "ErrorProtector" (WinFixer) and a few other unknowns ...

When we installed and ran SmutVidOfTheDay (WATCH_PORN_MOVIES.exe), it contacted the following network servers.
url.cpvfeed.com
adfarm.mplx.akadns.net
www errorprotector.com
report.errorprotector.com
setuphost.vo.llnwd.net
crl.globalsign.net
ulog.errorprotector.com
searchme101.com

Be very careful folks of the choices you make ... you may get more than you bargained for! ...

Posted by winhelp2002 with no comments

Firefox Users Beware

Firefox users beware ... Zango and Trojan.Codec malware pushers want your browser ...
Landing on "sex(dot)stylishvideo(dot)com" the viewer is presented with the following ...

The bogus message that you need to install "Media Codec" is a typical Trojan.Zlob infection.

Trojan-Downloader.Zlob.Media-Codec often silently downloads and installs rogue security programs such as SpywareQuake, SpyFalcon and WinAntivirusPro, but may install other malware as well. Some variants of Trojan-Downloader.Zlob.Media-Codec have backdoor functionality, giving a remote attacker the ability to control and use the infected machine for malicious purposes.

But what I find interesting is the other message in the 2nd highlighted section - "Opera & Firefox Users - Click Here" ... well, that's the first time I've seen that. So what happens when you click the link ... Oh my! Several different Trojan.Codec or Trojan.Zlob variants will whack you. Then for good measure you get prompted by Zango too ...

I thought Zango said they were cleaning up their act ... yeah I know, they have said that before. Yet we still see them on hard-core adult sites in the same company as known malware ... just more lies!

Posted by winhelp2002 with no comments

Dangerous Searches

Over at Exploit Prevention Labs they have been detailing the dangers of certain search terms. So I thought I'd see what they were talking about ... "Googling" one of their terms, and sure enough the third link finds an innocent site that has been hacked and some dangerous malware injected ...

What we find is several malicious sites have been injected into the above page ... thankfully the exploit is blocked by the HOSTS file ... "google-counter(dot)com" detected as Win32/Spy.Banker.CKW and is also a "Google.Warning" site.

I've mentioned these types of hacks before and this is another reason why it's so important to keep your defenses updated. It's sad to say that this type of exploit is becoming more and more prevalent, as it's easier for malware writers to hack servers than it is to hack individuals. Most of the time these servers have not been kept updated and the rest of us suffer ...

Note: there are 10 other sites running from that IP address and they all have the same exploit, so this tells us the server has been hacked, not the above site. I've contacted them about this issue ... we'll see ...

Update: July 03 - I'm glad to report that the problem has been corrected ...
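The HOSTS file blocks the injected site here simply because google-counter(dot)com is listed in it, which is also why the text version of the list is useful for checking names you come across (see the HOSTS update post above). The script below is an added example, not code from this post or from the MVPS HOSTS project: it parses a HOSTS-style blocklist, pulls the hosts referenced by src/href attributes out of a page, and reports which of them the HOSTS file would sink. The HOSTS fragment and the HTML are constructed for the example; google-counter.com is the only real name used, taken from this post.

```python
"""Check the hosts a web page references against a HOSTS-style blocklist.
Added example; not code from the post or from the MVPS HOSTS project.
The HOSTS fragment and the page below are constructed for the example."""
import re

# Constructed fragment in the MVPS HOSTS layout (sink address, hostname,
# optional '#' comment).  Not the real file.
HOSTS_TEXT = """\
# constructed sample; the real hosts.txt lists many thousands of names
0.0.0.0 google-counter.com
0.0.0.0 www.google-counter.com   # comment after an entry
127.0.0.1 localhost              # loopback entry, not a block
0.0.0.0 ads.example-tracker.invalid
"""

# Constructed page: a legitimate site into which a hidden iframe pointing at
# a malicious host has been injected (the pattern the post describes).
INJECTED_HTML = """\
<html><body>
<p>Welcome to our site.</p>
<iframe src="http://google-counter.com/count.php" width="0" height="0"></iframe>
<script src="http://cdn.example-legit.invalid/site.js"></script>
<img src="https://ads.example-tracker.invalid/pixel.gif">
</body></html>
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}
# Names that legitimately map to loopback and must not be treated as blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# src= / href= attributes whose value is an absolute or protocol-relative URL.
_HOST_RE = re.compile(r'''(?:src|href)\s*=\s*["']?(?:https?:)?//([^/"'\s:?#]+)''', re.I)


def parse_hosts(text):
    """Return the set of hostnames a HOSTS file sinks to 0.0.0.0 / 127.0.0.1."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue
        for name in fields[1:]:                 # one address may list several names
            name = name.lower()
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def extract_hosts(html):
    """Hostnames referenced by src/href attributes, in first-seen order."""
    return list(dict.fromkeys(h.lower() for h in _HOST_RE.findall(html)))


def is_blocked(host, blocked):
    """A HOSTS file matches exact names only: an unlisted subdomain is not blocked."""
    return host.lower() in blocked


def audit_page(html, hosts_text):
    """Map each referenced host to whether the HOSTS file would sink it."""
    blocked = parse_hosts(hosts_text)
    return {host: is_blocked(host, blocked) for host in extract_hosts(html)}


if __name__ == "__main__":
    for host, hit in audit_page(INJECTED_HTML, HOSTS_TEXT).items():
        print(("blocked  " if hit else "allowed  ") + host)
```

The exact-name matching is the important caveat: a HOSTS file has no wildcards, so a list has to carry every variant (www. and bare) it wants to stop, and a malware host that simply moves to a new subdomain is not covered until the list is updated, which is why the post keeps stressing regular updates.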

Posted by winhelp2002 with no comments

Another bogus Video plugin error

Landing on "streamule(dot)com" the user is presented with several (adult) videos to view ... which play for about 15 seconds then produce the following bogus message ...

If you "Click here" you are redirected to "win-ftp-plugin(dot)info", which tries to install this "plugin", detected as Trojan-Downloader.Win32.Zlob.and ... People, don't fall for these stupid tricks ... why would a video play just fine for a while and then produce a message that you need some other software to view it? Because they code it that way ... duh!

Thanks to the MIRT Team for the tip ...

Posted by winhelp2002 with no comments