August 2007 - Posts

Spamdexing to promote Malware

Spamdexing is becoming an ever-increasing problem ... sadly with no letdown in sight. In this case the culprits purchase and set up a huge number of what I call throw-away domain names. Then they use special software to post bogus topics to Forums that have usually failed to keep their software updated. Then the search engines index these sites and ... well, you can guess the rest.

In the above example you can see they use the names of famous female stars to entice you into clicking the (highlighted) link.
Google Results: 1 - 10 of about 175,000 (wow that's a lot of posting!)

Different female stars ... same trick ... click here to see a Movie from some site you never heard of ...
Google Results: 1 - 10 of about 128,000

Are these two sites related? You betcha! But not just two sites: there are 149 sites hosted on this server, and every one of them redirects to a Trojan.Codec site. If a certain Trojan.Codec site gets shut down, they simply redirect you to a different site, so the link spammed to all these Forums remains valid.

Now take the number of posts per domain name and multiply that by the number of sites running on this one server, and you can see why Spamdexing is such a problem.

Posted by winhelp2002 with no comments

Bogus Download Plugin Required

From a tip I got today ... now this is a novel approach ... landing on "vxsoftus(dot)org", which turns out to be a fake "Crackz" site offering a way to steal legitimate software. However, as you can see, a special "Download Plugin" is required ... yeah right! Actually, no matter which link you click you get the same bogus message.

I just love the last statement above: "Start the installation and return here afterwards" somehow I doubt that will happen.
Well let's click the download and see what happens ... uh-oh! ...

This is a good lesson on why you should stay away from these Crackz/Warez type sites ...

Posted by winhelp2002 with no comments

Bogus Flash Video Error

Landing on "thebestfilmsproduction(dot)com" the visitor is presented with a typical "Click here to view video" which, when clicked, plays a short Flash adult video and then appears to generate an error ... yeah right!

This error prompt is totally bogus ... but it's a fairly new scam, as these Flash videos are becoming more popular. However, ask yourself why the video would play for 10 sec. and then generate a prompt? ... because they coded it that way.

Sadly "VideoAccessCodecInstall.exe" is not very well detected at VirusTotal (12.5%); the detection is Trojan-Downloader.Win32.Zlob.cbi.
The three sites involved were just registered (you guessed it) via EstDomains on August 22.

Posted by winhelp2002 with no comments

More Exploit sites

Landing on "voyeurcampic(dot)com", my Antivirus (NOD32) pops up with the following warning ...

NOD32 halts the loading of any further content and offers to Terminate (I like that description) the connection. So I investigate that site, first thru Google and then by checking the Whois info ... oh, this is not good!

Well, as you can see, Google reports that "This site may harm your computer" ... yeah, I'd say so ... and checking the Registration info we find that it's hosted at Intercage Inc (well known for allowing exploits), registered thru EstDomains, and the Whois info is protected/hidden by "PrivacyProtect.org".

Seems like they went to a lot of trouble to hide their identity ... and they are running quite a few sites with similar exploits.
216.255.186.82 = 59 sites
216.255.186.83 = 15 sites
216.255.186.84 = 10 sites

I already had the sites on the first two IP addresses listed in the HOSTS file, and I've added the 10 from the last one ... wow, 84 sites all linked to each other, not counting other outside sites that may link to them ... ever get the feeling the Internet is becoming a dangerous place?

Ok ... let's see what McAfee's SiteAdvisor says: "No results found", even though that site was registered in July 07.
How about "ExploitLabs LinkScanner" = "Congratulations! LinkScanner Online did not find any exploits." ... ouch!

Be careful out there folks ...

Posted by winhelp2002 with no comments

Codec sites and why they exist

Landing on "sexy-party(dot)net" the visitor is presented with about 40 large clickable adult images (no other content) which, if clicked, redirect to another site (for example "fan-porn(dot)com") that urges the user to "click here" for free Movies. As I've pointed out many times before, these "free movies" are more than you bargained for ...

Fortunately IE7 prevents the automatic download of the Trojan.Codec file, which the page certainly attempts without your even clicking the "click here" link above ... IE6 users will not be so fortunate and should upgrade ...

There are hundreds of related sites that all contain the same redirect, and the visitor is usually infected with a Rootkit and a whole host of other malware. Lately Antivirus detection rates are sadly running at about 30% ... so do not depend on your AV to catch these types of infection.

What's worse, the majority of these "Codec/Zlob" related sites are run by the same people. They register hundreds of new domains at a time to avoid detection or being shut down by their Hosting company. The folks at CastleCops (MIRT Team) do a good job of sending abuse reports to these ISPs trying to get these sites shut down.

The sad part is they (ISPs) may shut down these sites one-at-a-time, but they continue to allow the same people to just register another site and resume with their activities ...

As you can see above, "hotelcodec(dot)com" existed for only a few days, then the traffic was picked up by "totalcodec(dot)com", which was then shut down, and on and on ... now it's "vivacodec(dot)com" ... all registered by the same person ... duh! If these hosting companies really wanted to make a difference they would not allow these guys to keep registering new sites.

Posted by winhelp2002 with no comments

Spyware Terminator not ready for Prime Time

Reading the latest review at PCMag about Spyware Terminator ... looks like it's not ready for Prime Time.

"Incomplete malware removal put another system into a blue-screen death spiral, crashing and rebooting over and over. But Spyware Terminator's tech experts identified the problem by rooting through a crash-dump file. They recommended a manual removal technique that put this system back on track"

How are you supposed to contact "Spyware Terminator's tech experts" when your machine won't boot? ... duh! The majority of folks would simply download their product, install and run a scan ... how would you know who to call?

"From the Crawler Toolbar in Internet Explorer or Firefox you can launch a spyware scan, get information about the current site's security rating"

Toolbar? ... what Toolbar? ... seems Neil failed to mention that you must accept their Toolbar in addition to Spyware Terminator. Oh well ... from the looks of the review the Toolbar doesn't offer much either.

"Spyware Terminator looks tough and talks tough, but when it comes to protecting your system against malicious software and phishing, it's a wimp."

Ouch ... appears Crawler needs to do some major rewriting of their application ...

Now I must say that the HOSTS file had entries that pertained to crawler.com, due to their Toolbar being detected as adware. However, their latest download "CrawlerToolbarSetup.exe" scans clean at VirusTotal. With that in mind I am removing those entries, and this will be reflected in the next update.

Posted by winhelp2002 with 2 comment(s)

MVPS HOSTS File Update 08-18-07

The MVPS HOSTS file was recently updated [08-18-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (613 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with no comments

Advertisers and Domain Parking

Landing on "militarymoms.eu", a "Parked Domain" where the clicks are controlled by Overture (Yahoo Advertising), and as you can see below the link routes you to a known Malware infection (Trojan.Codec).

It appears that Yahoo has failed to keep an eye on what some of these underhanded Domain Parkers are doing. Redirecting clicks (Pay-per-Click) just for the sake of a few cents is not new, but let's hope they get better control over those using their services. This is not the first time I have blogged about "free3xmovies", where Clickz are promoting the same Malware site. It's all about the $$$, folks, no matter how they get it ...

Luckily I have *.overture.com listed (recommended) in the Internet Explorer Restricted Zone, so I get a prompt before the redirect is completed. This way I can see where the click is going, and clicking No kills the connection.

DANGEROUS: LinkScanner Online has found
[Trojan Fake Codec]
 
Detail:  Exploit: Trojan Fake Codec
  This appears to be a fake codec. An increasingly common ploy is to offer to play a free video, and then to tell you that your computer cannot display the video, and needs a new codec, and "Click here for the new codec". The victim is prompted to install the codec, and sometimes gets to see the video, and sometimes doesn't, and usually is able to uninstall the "codec". What the victim doesn't realize is that it usually leaves behind a rootkit.

McAfee's SiteAdvisor states basically the same with a little more detail ... "rc23.overture.com" will be added to the next HOSTS file update. Now, just to be fair, I should point out that Google AdSense is also involved, but as you can see above (highlighted in red) that entry is already blocked.

Posted by winhelp2002 with no comments

Another Video ActiveX Error

Landing on "freeeepornmovies(dot)com" the visitor is greeted with the following bogus Error ...

Which leads to "installmoviepro(dot)com" ... another Trojan.Codec infection. However, this site has a new twist ... you also get prompted to change your "Search Provider" and HomePage ... yeah right!

Notice the "favourlinks.com" entry? ... the reason I point this out is that this entry previously existed in the HOSTS file; however, I was contacted recently by the owner of FavourLinks stating they were the new owners and that their site was now a safe (normal) search portal. So I had a look, could find nothing malicious there, and decided to give them the "benefit of the doubt". As you can see, they are back to associating themselves with known Trojan installers and malicious sites.

Well back you go into the HOSTS file ...

Posted by winhelp2002 with no comments

Symantec detects a possible malicious entry in the HOSTS file

I have received a few inquiries about a new entry in the HOSTS file, wanting to know if this was correct or a false positive. I created a brief explanation in the HOSTS FAQ but I thought I'd expand on it a bit here ...

The Symantec (Norton 2007) message most users see:

"A malicious entry in your hosts files could prevent LiveUpdate from retrieving updates for your Symantec products, including anti-virus updates. Generally, Symantec LiveUpdate server entries should not appear in your Windows hosts files. Update has detected a potential security compromise on your computer: one or more entries should not appear in your Windows hosts files."

It lists the address 'om.symantec.com' as being in the hosts file and asks what action to perform:
1. Leave the entry in the hosts file (warn me about them later)
2. Leave the entry in the hosts file (do not warn me about them later)
3. Remove the entry from the hosts file (Recommended)

Simply select Option #2 and this message should not appear anymore ...
The entries "om.symantec.com" and "tc.symantec.com" are both actually 3rd-party entries for Omniture (2o7.net).
Note: these entries do not affect "LiveUpdate", nor are they specific to LiveUpdate; Symantec uses them on all of their pages, and the message above is just a generic one.

One or more CNAMEs were encountered. om.symantec.com is really symanteccom.112.2o7.net
One or more CNAMEs were encountered. tc.symantec.com is really symantec.tcliveus.com

Where "om." = Omniture and "tc." = Touch Clarity (Omniture acquired Touch Clarity in the first quarter of this year)

As you can see above the Privacy Policy is actually from TouchClarity (Omniture) and not from Symantec ... folks this is nothing new, many companies disguise their entries (see below) including several other Antivirus companies.

127.0.0.1  sdc.mcafee.com #[statse.webtrendslive.com]
127.0.0.1  wdcs.trendmicro.com

Example of other alias entries used by Omniture

As you can see above, the "om." entry is not specific to the Symantec entries ...
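To make the mechanics concrete, here is an added example (my own illustration, not the MVPS project's own tooling). It parses entries in the layout the HOSTS file uses, including the "#[...]" annotation that records the real CNAME target or vendor; answers the question behind the Norton warning above (exactly which names under symantec.com are pinned, and whether any of them is a LiveUpdate host); and emits correctly formatted lines for a batch of new hosts, such as the per-IP batches added in the "More Exploit sites" post above, skipping any that are already present. The sample HOSTS text is constructed for the example: the Symantec, McAfee and Trend Micro lines are the ones quoted in this post, and the *.test names and the NEW_HOSTS batch are hypothetical.

```python
"""Parse, query and extend a HOSTS file in the MVPS layout.

Added example, not the MVPS project's own tooling. It handles the entry
shape shown on this page: address, hostname, optional "#[...]" annotation
naming the real (CNAME) target or vendor. SAMPLE_HOSTS is constructed for
the example: the symantec/mcafee/trendmicro lines are the ones quoted in
the post, the *.test names are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SAMPLE_HOSTS = """\
# constructed sample in MVPS layout
127.0.0.1  localhost
127.0.0.1  om.symantec.com #[symanteccom.112.2o7.net]
127.0.0.1  tc.symantec.com #[symantec.tcliveus.com]
127.0.0.1  sdc.mcafee.com #[statse.webtrendslive.com]
127.0.0.1  wdcs.trendmicro.com
127.0.0.1  rc23.overture.com
"""

# Hypothetical hosts found on one server, like the per-IP batches in the
# "More Exploit sites" post; rc23.overture.com is repeated on purpose.
NEW_HOSTS = ["example-cam-2.test", "Example-Cam-1.test", "rc23.overture.com"]

ENTRY_RE = re.compile(
    r"^\s*(?P<addr>[0-9a-fA-F.:]+)\s+(?P<host>[^\s#]+)\s*(?:#\s*(?P<note>.*))?$"
)
ALIAS_RE = re.compile(r"\[(?P<alias>[^\]]+)\]")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain"}  # real loopback names, not blocks


@dataclass
class HostsEntry:
    address: str
    host: str
    note: str = ""

    @property
    def alias(self) -> Optional[str]:
        """The bracketed target recorded after the entry, if any."""
        m = ALIAS_RE.search(self.note)
        return m.group("alias") if m else None


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return one HostsEntry per host line; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # tolerate junk rather than abort the whole file
        entries.append(HostsEntry(m["addr"], m["host"].lower(), (m["note"] or "").strip()))
    return entries


def is_blocked(entries: Iterable[HostsEntry], host: str) -> bool:
    """True when the name is pinned to a loopback/null address.

    HOSTS matching is exact, with no wildcards: pinning "2o7.net" would not
    touch "symanteccom.112.2o7.net", which is why the file lists the CNAME
    alias (om.symantec.com) and only records the target in the annotation.
    """
    host = host.lower().rstrip(".")
    if host in LEGIT_LOOPBACK:
        return False
    return any(e.host == host and e.address in LOOPBACK for e in entries)


def entries_for_domain(entries: Iterable[HostsEntry], domain: str) -> List[HostsEntry]:
    """Every pinned name at or under a domain, e.g. to see exactly which
    symantec.com names are present before acting on a 'malicious entry' warning."""
    domain = domain.lower()
    return [e for e in entries if e.host == domain or e.host.endswith("." + domain)]


def merge_entries(existing: Iterable[HostsEntry], new_hosts: Iterable[str], note: str = "") -> List[str]:
    """Lines to append for hosts not already present, in MVPS layout."""
    known = {e.host for e in existing}
    lines = []
    for host in sorted({h.lower().rstrip(".") for h in new_hosts}):
        if host not in known:
            lines.append(f"127.0.0.1  {host}" + (f" #[{note}]" if note else ""))
    return lines


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for e in entries_for_domain(entries, "symantec.com"):
        print(f"{e.host} -> {e.alias or '(no target recorded)'}")
    print("\n".join(merge_entries(entries, NEW_HOSTS, "216.255.186.84")))
```

Two things worth noticing when running it: none of the pinned symantec.com names is a LiveUpdate host, which is the check to make before taking Norton's "Remove the entry (Recommended)" advice; and because HOSTS matching is exact, "localhost" has to be treated as a real loopback name rather than a block, and the CNAME target (2o7.net) is never what you pin, only the vendor's alias.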

Posted by winhelp2002 with 3 comment(s)

Hacked .gov sites

Following up on a post at SunBelt about "Hacked .gov sites", I have to slightly disagree with their statement:

"No, not a terrorist attack — just simple stupid hacks to redirect people to porn and other junk. Largely used for search engine optimization."

In my investigation I found that the (.gov) sites mentioned do a lot more than "redirect to porn", etc. Not only were these sites hacked (most likely through a failure to update their server software), but once the links were planted, the hackers then spammed quite a few Forums and ".edu" sites with links back to "dinuba.ca.gov":

hxxp://dinuba(dot)ca(dot)gov/minutes/062805CCMRDAMIN/06/free-movies.html

As you can see, the link redirects several times and you end up landing on a Trojan.Codec site ... ouch!
And folks, this infection is not very well detected: File VideoAccessCodecInstall.exe, Result: 2/32 (6.25%)

The sad part is that the people that run these "Parked Domains" decided to get in on the act, use one of the sites listed above as a "Sponsored Result", and then run it thru Google's AdSense ...

Notice the highlighted entries above; the description is basically the same ... these are just two examples, there are thousands of these parked pages with the same description ... (Results 11 - 20 of about 220,000), many hosted by "sedoparking.com" and routing the links thru "pagead2.googlesyndication.com" (Google AdSense), thus generating a commission for themselves from anyone clicking the Sponsored Links ...

As many of you know, "pagead2.googlesyndication.com" is an entry in the HOSTS file, along with several for sedoparking.com, precisely because of situations like this. In my opinion "Sponsored Results" cannot be trusted.

It's a shame that the people responsible for maintaining these servers don't do a better job; if they did, the majority of these types of attacks would never occur ...

Posted by winhelp2002 with 1 comment(s)

Should Government sites use 3rd Party Tracking Services

Recently I received an email from one of my HOSTS file users who was concerned about submitting the information he filled out on a ".gov" site, because it routes thru BraveNet, a 3rd-party Tracking Service.

The site in question is "West Nile Virus Report a dead bird in King County"
http://www.metrokc.gov/health/westnile/deadbird.htm

As you can see, when you fill out the requested information for this report (Name, Phone Number, and Email address), the disturbing part comes when you press Send: the data is sent thru
hxxp://pub2.bravenet.com/emailfwd/senddata.php

Nowhere on their site do they disclose that your information is being routed thru a 3rd party [Terms of Service] [Privacy Policy], nor do they take into account that if "*.bravenet.com" is an entry in the Internet Explorer "Restricted Zone" the report will fail ...

Metrokc.gov also fails to disclose that in sending this report BraveNet also sets a 3rd-party "Tracking Cookie" (note the ten-year expiry):

Set-Cookie: HASCOOKIES=1; expires=Tue, 01 Aug 2017 03:46:42 GMT; path=/; domain=.bravenet.com
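As an added example (mine, not King County's or BraveNet's code), the header above can be checked mechanically: parse the Set-Cookie value, work out which registrable domain it is scoped to, compare that with the page the visitor was on, and compute how long it lives. Two assumptions are built in and labelled in the code: the registrable domain is approximated as the last two labels (wrong for suffixes such as .co.uk, where the Public Suffix List should be used), and the reference date for the lifetime calculation is 1 August 2007, the month of this post.

```python
"""Audit a Set-Cookie header from a form handler for third-party scope.

Added example, not King County's or BraveNet's code. It parses the header
quoted in this post and decides whether the cookie belongs to a domain other
than the page the visitor was on. ASSUMPTIONS: the registrable domain is the
last two labels (wrong for suffixes like .co.uk; use the Public Suffix List
in a real tool) and the reference date for the lifetime is 1 August 2007.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

PAGE_HOST = "www.metrokc.gov"       # where the form lives (from the post)
HANDLER_HOST = "pub2.bravenet.com"  # where the form posts (from the post)
SET_COOKIE = (                      # header exactly as quoted in the post
    "HASCOOKIES=1; expires=Tue, 01 Aug 2017 03:46:42 GMT; path=/; domain=.bravenet.com"
)
REFERENCE_DATE = datetime(2007, 8, 1, tzinfo=timezone.utc)  # assumed post date


def parse_set_cookie(header: str) -> Dict[str, str]:
    """name/value plus attributes keyed by lowercase attribute name."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def registrable_domain(host: str) -> str:
    """eTLD+1 approximated as the last two labels (assumption, see docstring)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def cookie_scope(cookie: Dict[str, str], response_host: str) -> str:
    """Domain the cookie will be sent back to. Without a Domain attribute a
    cookie is host-only for the responding host (RFC 6265); with one, it
    covers that domain and every subdomain of it."""
    return cookie.get("domain") or response_host


def is_third_party(cookie: Dict[str, str], page_host: str, response_host: str) -> bool:
    """True when the cookie's scope lies outside the page's registrable domain."""
    return registrable_domain(cookie_scope(cookie, response_host)) != registrable_domain(page_host)


def lifetime_days(cookie: Dict[str, str], now: datetime) -> Optional[int]:
    """None for a session cookie, else whole days until it expires."""
    if "max-age" in cookie:  # Max-Age takes precedence over Expires (RFC 6265 5.3)
        return int(cookie["max-age"]) // 86400
    expires = cookie.get("expires")
    if not expires:
        return None
    return (parsedate_to_datetime(expires) - now).days


def audit(header: str = SET_COOKIE, page_host: str = PAGE_HOST,
          response_host: str = HANDLER_HOST, now: datetime = REFERENCE_DATE) -> Dict[str, object]:
    """Summarise one Set-Cookie header relative to the page the user was on."""
    c = parse_set_cookie(header)
    return {
        "name": c["name"],
        "scope": cookie_scope(c, response_host),
        "third_party": is_third_party(c, page_host, response_host),
        "lifetime_days": lifetime_days(c, now),
    }


if __name__ == "__main__":
    for key, val in audit().items():
        print(f"{key}: {val}")
```

One caveat the check makes visible: because the form submission is a top-level navigation to bravenet.com rather than an embedded resource, a browser's "block third-party cookies" setting does not apply at that moment and the cookie is accepted as first-party for bravenet.com, even though it is scoped to a domain the visitor never chose to visit. Only domain-level controls such as the Restricted Zone or a HOSTS entry stop it, and as noted above those also break the report.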

This type of activity has come into question before ("WhiteHouse.gov Uses Cookies, Bugs") and basically erodes the public trust in Government sites ... I find this another "What were they thinking?"

Posted by winhelp2002 with no comments

MVPS HOSTS File Update 07-31-07

The MVPS HOSTS file was recently updated [07-31-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (143 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (604 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with 2 comment(s)