September 2007 - Posts

Another poorly detected Trojan.Zlob

Landing on "thesuperxxx(dot)com" the visitor is presented with a bogus "Message Box Object error"

Clicking any of the above buttons leads to prompts "You must install ... yada yada" to view the movie. There are 10 other sites involved in this latest Trojan.Zlob (Codec) infection. All these sites will be added to the next HOSTS file update.

Running "VideoAccessCodecInstall.exe" thru VirusTotal, you can see it is not very well detected: only 12.5% of the engines flag it.

These types of infections are becoming so rampant that they are now the #1 detection at "Microsoft Malware Protection Center" ... and that's just the ones that Microsoft detects, which Microsoft usually does not detect very well ...

Did you know you can run the "Malicious Software Removal Tool" (MSRT) anytime? Usually you only see the "Quick Scan" from Windows Update monthly, however you can get (mrt.exe) to run an "Extended Scan". Simply locate "Windows\System32\MRT.exe", right-click and select > SendTo > Desktop (create shortcut). Next right-click the new icon on your Desktop and select: Properties. From there you can change the "Target" to a desired option.

/Q or /quiet - Use quiet mode. This option suppresses the user interface of the tool.
/? - Display a dialog box that lists the command-line switches.
/N - Run in detect-only mode. In this mode, malicious software will be reported to the user but will not be removed.
/F - Force an extended scan of the computer.
/F:Y - Force an extended scan of the computer and automatically clean any infections found.

An undocumented option that I use ... if you have more than one hard drive (or partition), add the drive letter to scan only that drive. Otherwise MSRT will scan all drives ... and it takes a while ... more info here.

C:\Windows\System32\MRT.exe /f D:

Where "/f" runs an extended scan and "D:" scans only drive D. The results are recorded here: "Windows\Debug\mrt.log".
Folks this is not a replacement for your Antivirus, simply another (free) tool you can use if you suspect you are infected.

Note: I ran the above and it did NOT detect: "VideoAccessCodecInstall.exe" (noted above)

Posted by winhelp2002 with no comments

Several new Rogue Antispyware products on the loose

It seems like every week there is a new rash of Rogue Antispyware products, and the list keeps growing and growing. One of the latest is "spywarelocker(dot)com", which uses bogus scan results in an effort to get the unsuspecting user to purchase their products.

Never believe these "Success Stories" as these are bogus also ... I highlighted "Mark Warner" above to make my point ... I seriously doubt there is such a person at PC Guide or that he would give such a review ... why? Well, I Googled the name and look what pops up ...

Every one of the products listed above is also a Rogue AntiSpyware ... these culprits can't even make up their own reviews!
If you read Symantec's detection of SpywareLocker you'll see they also mention "Similar Security Risks" (DrAntiSpy), yet another Rogue product. My NOD32 detects SpywareLocker as: Win32/Adware.SpySheriff

85.255.119.131  spywarelocker.com
85.255.119.132  malwaremonitor.com (SpywareLocker clone) - McAfee SiteAdvisor write-up
85.255.119.134  secure.payfoundation.com (Creation Date: 18-Sep-2007)

Rogue Security Software:  Security software that uses deceptive means for installation and purpose. Once installed, the rogue software usually uses scare tactics to inform the user that spyware or malware is installed on their system. The rogue security software then claims to offer remediation in exchange of payment. These applications can come bundled with other malware that serve other purposes. This software usually comes in the form of Anti-spyware, or Anti-virus applications.
Source: CA Antispyware

Posted by winhelp2002 with no comments

MVPS HOSTS File Update 09-21-07


The MVPS HOSTS file was recently updated [09-21-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (626 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

How safe are MySpace Trackers

Well certainly not this one ... I landed here quite by accident while researching something else ...

As you can see (again) Vista/IE7 jumps up with a warning prompting the user prior to allowing ... in this case another exploit to enter the system. It appears to me that StalkerTrack has been hacked and malicious code injected into the site.

I've highlighted the culprit (in red) above, which will be added to the next HOSTS file update. The sad part is how popular StalkerTrack seems to be, and how many innocent MySpace users have added links to this tracker to their MySpace pages.

As you can see Google has already determined this site to be a risk, but look at the number of results = 185,000! Now I do not use MySpace, however due to its popularity it is becoming a target for the evil-doers. So MySpace users be careful what you add to your site ... you just might be unknowingly promoting malware ...

Posted by winhelp2002 with no comments

Ad-blocking software comes under fire

I read an article today on CNET stating that ad-blocking software may be illegal ... yeah right! The article goes on to make a misleading analogy to removing/avoiding TV ads from taped programs. For it to be illegal (to block Internet content) there would have to be some law that made blocking of ads an illegal act. Is there any such law?

Although Mozilla Adblock Plus was primarily mentioned, you can see that ad-blocking software in general is the focus.

There was a statement from a lawyer stating: "The second argument claims that a Web site's terms of service are a "browsewrap" or "clickwrap" agreement that are legally binding. To apply, the notice must be "conspicuous enough to the visitor, so they're aware that their visit is governed by these terms,""

Ok, I'll buy that ... however you must place a "Terms of Service" click-able agreement prior to allowing each visitor access to your site. Think that will fly? ... certainly not. Ever look at a typical web site's TOS? It is worded in such a way that you are required to hold them harmless for any damage, even from 3rd parties (Trojans, viruses, etc.) that may occur from visiting their site. Well if you can't guarantee that, then I have a right to protect myself by whatever means necessary.

Just recently I blogged about visitors that were attacked by Trojan infested banners from RightMedia/Yahoo being displayed at MySpace and other sites. I could cite many more examples ... but I have a few more thoughts ...

How about if my browser blocks pop-up ads ... is that illegal? Well according to the whiners you are "essentially engaged in theft of resources" ... oh please! Or how about this one ... suppose I have my browser set to block all 3rd party Cookies, to protect my privacy am I impacting the host site’s revenue model?

Are you going to sue every major 3rd party Firewall vendor because they offer ad-blocking features? You'd better have some deep pockets if you are ... Why do you think there are so many programs that offer these ad-blocking features? It's because that's what people want! The biggest reason is, the Internet has been trashed by mainly these "commercial" sites that have the false impression that more ads = more revenue. Wake up ... your visitors are tired of being bombarded with Flash ads, banners and an untold amount of other bandwidth hogging advertising junk.

Hopefully (soon) the nay-sayers will realize that they have the "opportunity" to make $$$ ... not the right.

Posted by winhelp2002 with 3 comment(s)

Can you spot the fake

Hopefully it should be easy to spot the fake ... at first I thought this was some kind of a Phishing site, but it appears they are using all the content from CNet's MP3 site for some unknown reason. Well other than to infect your system. As I mentioned before any time you see that warning "Remote Data Services Data Control" watch out! ... this is NOT from Microsoft! This is the generic warning IE7 throws up when an exploit is trying to enter the system.

The culprit is "nnew-adult(dot)info" (highlighted in red below) detected as: Win32/TrojanDownloader.Nurech.NAT ... which is already included in the HOSTS file. Both "get-it-fast" and "nnew-adult" are hosted at "Rbusiness Network" which is well known for hosting malicious content and exploit sites.

As you can see the content of the bogus page is being entirely drawn from CNet. Also notice the "activex.microsoft.com" entries, this is what Windows generates when a prompt has been interrupted ... that's a good thing ... I'm going to try and contact someone at CNet and see if they will drop Rbusiness Network a friendly little note ...

Posted by winhelp2002 with 1 comment(s)

Beware of Misleading Advertisements

Beware of advertisements that offer to scan your machine for errors! You may end up with more than you bargained for ...
Clicking on the below ad routes you to "spyshredder-scanner(dot)com" ...

Well let's see if I have any of the above issues or errors ... oops!

Yeah my system "might be at risk!" ... but it looks like it's from visiting your site. As you can see they try to automatically load a ".cab" file while performing a bogus scan in the background. Then they pop-up another bogus alert that malware has been detected. Fortunately NOD32 has detected the real malware ...

Even if you click the Ignore button spyshredder-scanner still tries to install itself ... which doesn't really surprise me.
Thus another candidate for the HOSTS file.

Posted by winhelp2002 with no comments

RightMedia implicated again in Trojan attack

Brian Krebs posted an article "Banner Ad Trojan Served on MySpace, Photobucket", although this is not the first time RightMedia (now owned by Yahoo) has been discovered serving up malicious code via their servers. I blogged about this previously, as has Sandi Hardmeier, who reports "Right Media was implicated in the distribution of winfixer malware".

Brian goes on to report "The banner ads in question were traced back to an ad network exchange run by a company called RightMedia, which was recently bought by Yahoo!. The ads were being delivered to RightMedia's network from a third-party ad server. According to ScanSafe, those third-party servers included in their rotation several malicious ads that used Macromedia Flash files to load an invisible "iFrame" (used to insert content from another Web site into the current Web page)."

Folks I have mentioned several times before to disable this option in Internet Explorer:
Launching programs and files in an IFrame = reset to Disable ...
This is the single most exploited setting in Internet Explorer!
There are no legitimate sites that I know of that use this option ...

This next statement really baffles me ...

"A RightMedia spokesperson said the ads have been identified and banned from the exchange. "However, we cannot control what happens elsewhere on the Net."

Well if you can not control what runs thru your server ... who does? duh! Their spokesperson seems rather flippant about the whole situation. I suspect anyone that was infected by this latest attack would expect a better response from RightMedia/Yahoo. Even worse there is no mention of this on their site or blog ...

Not to worry folks as RightMedia and their many clones are already included in the HOSTS file ... just another example of advertisers that can not be trusted.

Posted by winhelp2002 with no comments

Jamespot hacked

Landing on "jamespot(dot)com" the visitor is presented with the following Internet Explorer 7 warning ...

Folks any time you see that warning "Remote Data Services Data Control" watch out! ... this is NOT from Microsoft! This is the generic warning IE7 throws up when an exploit is trying to enter the system.

Can you spot the culprit below? ... it took me a few to find it (hidden in an image) ... "xt_img.gif"

I highlighted (in blue) the culprit and pasted the code above (in gray) which, when decoded, reveals the entry highlighted in red.
Note: Jamespot is not the culprit here; they are simply another site/server that has been hacked and had 3rd party malicious code injected. I have contacted them and hopefully this will not take too long to correct ...

Once the entry highlighted in red was added to the HOSTS file and Jamespot was revisited, IE7 no longer generates the warning. This just goes to show that users should upgrade to Vista and/or IE7 ... as the Vista version runs in "Protected Mode" and is less subject to exploits.

Posted by winhelp2002 with 4 comment(s)

Beware of Imposters

It recently came to my attention that it looks like a large portion of the content of my HOSTS file was being used in another so-called HOSTS file ... not only is this a copyright violation, it also violates the software license posted on my site.

Disclaimer: this file is free to use for personal use only. Furthermore it is NOT permitted to copy any of the contents or host on any other site without permission or meeting the full criteria of the below license terms.

And then to top it off this so-called HOSTS file gives itself the highest rating on their site ... imagine that!

Well let's see what this 6 star file is all about ... I ran it thru the software I use to validate that each entry returns a valid reply. Oh my ... 83 dead entries, but that can't be because they display that none exists in their file.

Then I checked the [suspect] file for sites that are Parked and should no longer exist ... uh-oh 103 entries. Gee looks like you lose a few "stars" for that. Folks I could really care less what their (unqualified) opinion is of my file or what "Rating" it gets, but I thought I would address a few of these non-existent issues. As it seems they are now providing a misleading "Service" to optimize your HOSTS file which you have to pay for.

% Text - "the least amount of space wasting chit chat text"
Huh? "Space wasting" where? Since the operating system does NOT read the "comments" into memory, where does this "space wasting" exist? Besides this is addressed in the HOSTS FAQ - What are all these comments after the entries?

"The comments are included in the shipped version to allow the end-user to determine (if needed) why the entry exists. Over time the amount of entries has grown to a point where it's too easy to forget why they exist without them. This is also done for obvious legal reasons."

Well I guess that takes care of that myth ... besides I doubt you would know why an entry would exist as it seems that you do not provide any of your own content. Looks to me more like it's content copied from other HOSTS files and then you call it your own.

% Dead - "0.08%" - This is also addressed in the HOSTS FAQ

"The HOSTS file is verified prior to each new update. This is accomplished by verifying that each entry returns a valid DNS (similar to Nslookup) then these (dead) entries are either removed or commented. These comments are entered as "#[server down?]", in some cases the hosting server is down, thus returns no DNS. In other cases the domain may have been suspended for abuse, or the registered owner has let the domain expire. Domains that are expired or down for extended periods are removed."

Again another misleading statement used to promote their "6 star" file ... oh wait seems they have lost a few stars ...

Major Engine Links Blocked

Here we go again ... another misleading statement. There are NO legitimate search engines blocked in my file. There are entries that block ads, banners, or some "Sponsored Results". However I suspect this whining is for another reason.

Oh I see ... the entries (displayed in red above) in my file block the "ads" you are trying to promote on your site. Is that what you call "Search Engine censorship"? ... I have shown many times in this blog that "Sponsored Results" can not be trusted. Perhaps you should spend some time on Benjamin Edelman's site, where you'll find he has documented this also. Or "Report Shows 7 Percent of Sponsored Links Dangerous" ... so I should expose the users of my file because you think this is censorship? Think again!

Sponsored results are those paid to be placed in search results by advertisers.

"Among adult keyword search results, risky sites increased by 17.5 percent since December 2006, and risky sites now number 9.4 percent of overall adult search results. Driving this increase was a dramatic 72.2 percent increase in the percentage of risky adult sites within sponsored results."

I think the above should address any misconception about "censorship" ... and in my opinion anyone using their HOSTS file is being exposed to additional risks.

Regular readers of this blog know the research that goes into the content of my file. After providing a HOSTS file for the last 9 years I think I know what should exist and why. Taking an active participation in the Security community and exchanging information with others also helps to provide viable content ... but I guess you wouldn't know about that?
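The FAQ passage quoted above describes how the file is verified before each update: every entry is checked for a valid DNS reply, and dead entries are removed or tagged "#[server down?]". The script below is an added example written for this page (not the author's own validation tool) that parses a HOSTS file in that style, classifies entries with a pluggable resolver, reports the dead percentage and re-emits the file with the "#[server down?]" tag. The hostnames and comments in the sample are constructed; parked-domain checking, which the post also mentions, is not covered.

```python
import re
import socket

# Constructed sample in the MVPS style the post describes: an address,
# a hostname and a trailing "#[...]" comment explaining why the entry exists.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not the real MVPS file)
127.0.0.1  localhost
127.0.0.1  ads.example-adserver.test  #[Adware]
127.0.0.1  tracker.example-stats.test  #[Tracking]
127.0.0.1  old.dead-domain.test  #[server down?]
127.0.0.1  expired.example.test  #[Trojan.Zlob]
"""

DEAD_TAG = "#[server down?]"
HOST_RE = re.compile(r"^(\S+)\s+(\S+)\s*(#.*)?$")


def parse_hosts(text):
    """Return (ip, host, comment) tuples; blank and comment-only lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if m:
            ip, host, comment = m.groups()
            entries.append((ip, host.lower(), (comment or "").strip()))
    return entries


def resolves(host):
    """Live DNS check (the default resolver): True if the name still resolves."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def check_entries(entries, resolver=resolves):
    """Split non-localhost hostnames into live and dead using resolver(host)."""
    live, dead = [], []
    for _ip, host, _comment in entries:
        if host != "localhost":
            (live if resolver(host) else dead).append(host)
    return live, dead


def dead_percent(live, dead):
    """The '% Dead' figure the post argues about, rounded to two decimals."""
    total = len(live) + len(dead)
    return round(100.0 * len(dead) / total, 2) if total else 0.0


def annotate(text, dead):
    """Re-emit the file, tagging dead entries with #[server down?] if not already tagged."""
    dead, out = set(dead), []
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if (m and not line.lstrip().startswith("#")
                and m.group(2).lower() in dead and DEAD_TAG not in line):
            line = line.rstrip() + " " + DEAD_TAG
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    live, dead = check_entries(parse_hosts(SAMPLE_HOSTS))  # real resolver
    print("dead %:", dead_percent(live, dead))
    print(annotate(SAMPLE_HOSTS, dead))
```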

Posted by winhelp2002 with 1 comment(s)

MVPS HOSTS File Update 09-06-07


The MVPS HOSTS file was recently updated [09-06-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (143 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (623 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with 1 comment(s)

The sad state of Antispyware Programs

Last week PCWorld conducted another Antispyware test "Best Vista Antispyware" ... the results are scary!

Of particular note is the sections marked as "Inactive samples" for both adware and spyware ... the article defines this as:
"An inactive sample is like an application you've downloaded and haven't yet installed."

First I have to wonder where is SunBelt's CounterSpy? ... anyway the results do not give much hope to the average user that gets unexpectedly infected by a download that is bundled with a host of (unwanted) goodies ... it doesn't look to me like any of these programs do a very good job at "disinfecting" your system.

In the Adware section it is not good enough to detect "Active samples" ... where 4 out of 5 were 100%, but they need to do a much better job at removing what they detect. The Spyware section is even worse ... so what are you supposed to do?

1) Do not depend on freeware Antispyware programs to give you adequate protection ... 
2) Dealing with Unwanted Spyware and Parasites

Posted by winhelp2002 with 8 comment(s)