October 2007 - Posts

Out of touch lately

Sorry for the lack of posting lately ... below is what my daughter woke up to Monday morning ... [story here]

Thankfully no one was hurt, but she lost the majority of her belongings ... although insured, it sure causes havoc in your life when you have no place to live and no clothes to wear.

I'm working on a new update to the HOSTS file and hopefully it will be ready shortly, but my main concern right now is taking care of family ...

Posted by winhelp2002 with 6 comment(s)

Another nasty Spamdexing site

Spamdexing sites have become extremely dangerous ... usually these types of sites lead to an adult site or a "Fake Codec" site.
However, the following one not only tries to load a Rogue/Suspect Anti-Spyware product, it also comes with a nasty payload.

Notice there are several redirects, and the entry highlighted in red, which produces the "Remote Data" prompt ... yes, I've mentioned this prompt many times before, but this one is an MPack exploit ...

I ran the highlighted URL through LinkScanner and the results are:

DANGEROUS: LinkScanner Online has found [Q4-06 Roll-up package]
"This is a set of exploit scripts mostly from the end of 2006. It includes an MS06-042, a SetSlice, an MDAC, a WinZip, and a QuickTime. It is typically encrypted using a wide variety of javascript obfuscators, but is usually about the same source code underneath. Recently it sometimes includes an ANI exploit from April 2007."
[or]
The second most common exploit is the still-widespread Q406 Roll-up package, accounting for 19.24 percent of new exploit reports. The package had dominated the survey since it debuted in December 2006. Coming in third with six percent of all occurrences was the TROJAN FAKE CODEC, a social engineering scheme devised by Russian cybergangs. "The big Russian gangs are finding new ways to trick people," Thompson said. [source]

In case the fake scanner above looks familiar, it is from the same people (PayTech) that I reported before ... sadly, PayTech controls about 50 other "Rogue/Suspect Anti-Spyware Products" ... while the above exploit may be an older one, it will certainly trash your machine unless you are up to date on all the latest Windows Updates and all your other applications.

Posted by winhelp2002 with no comments

What is wrong with the FTC?

This recent news article "Two Men Get Five Years For Sending Pornographic Spam" gets lots of coverage, which is fine, and the culprits got what they deserved. However, the FTC announced on Oct. 1 - "FTC Permanently Halts Media Motor Spyware Scam" - which, if you really look at the details of the settlement ... makes you ask yourself, "What's wrong with the FTC?"

The Spammers get over 5 yrs in jail and were fined $100,000, ordered to pay $77,500 to AOL, and will forfeit over $1.1 million in illegal proceeds from their spam operation. 

While the "Media Motor" gang, who infected 15 million computers, gets fined $330,000 out of $3.6 million, the total revenue from the alleged scam, the FTC said. Media Motor, once downloaded, added software that changed consumers' home pages, tracked their Internet activity, altered browser settings, degraded computer performance and disabled antispyware and antivirus software, the FTC said. [source]

What a joke! ... spam my inbox and you get jail time ... infect my machine and you get fined roughly 10% of the ill-gotten gains. Huh? That type of fine is nothing more than another meager cost of doing business.

Posted by winhelp2002 with no comments

NOD32 gets a work-out

Going through the many databases I use for malware research, my antivirus, NOD32, gets a good work-out ...

The above is just from the last several weeks ... naturally, the vast majority of these malware sites get added to the HOSTS file. That's why it's so important to keep your HOSTS file current ... armed with just NOD32 and my HOSTS file on Windows Vista ... I have yet to encounter a malicious site that has been able to compromise my setup. That's right ... no 3rd-party firewall, no antispyware (I disabled Windows Defender) ... now that's a pretty good testament to the improvements in Vista.

Posted by winhelp2002 with no comments

MVPS HOSTS File Update 10-10-07


The MVPS HOSTS file was recently updated [10-10-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (625 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm
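Added example (not code from the original post or from the MVPS project): a small Python checker that parses a HOSTS-format list and looks up each host of a redirect chain in it, the kind of "possible culprit" check the text version is useful for. The sample entries and hostnames are constructed. The script also flags lines that point a name at a non-loopback address, since a HOSTS file can be used against you just as easily (malware that edits it does exactly that), and it makes one caveat explicit: HOSTS entries match exactly, with no wildcards, so an entry for www.host.example does not cover host.example or any other subdomain.

```python
"""Check a redirect chain against a HOSTS-format blocklist (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed sample in HOSTS format; these hostnames are hypothetical and
# are not taken from the MVPS file.
SAMPLE_HOSTS = """\
# sample blocklist (constructed)
127.0.0.1  localhost
0.0.0.0    spamdex-one.example
0.0.0.0    spamdex-two.example    # throw-away redirector
127.0.0.1  fakecodec.example
0.0.0.0    tracker.ads.example
this line is garbage
198.51.100.7  update.example     # points a name at a live address
"""

# Addresses a blocklist legitimately points names at.
SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}


@dataclass
class HostsFile:
    blocked: set[str] = field(default_factory=set)
    suspicious: list[tuple[str, str]] = field(default_factory=list)  # (name, address)
    malformed: list[str] = field(default_factory=list)


def normalise(name: str) -> str:
    return name.lower().rstrip(".")


def parse_hosts(text: str) -> HostsFile:
    """Parse HOSTS-format text: '<address> <name> [<name>...]' with '#' comments."""
    result = HostsFile()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            result.malformed.append(raw)
            continue
        names = [normalise(n) for n in fields[1:]]
        if not names:
            result.malformed.append(raw)
            continue
        if addr in SINKHOLES:
            result.blocked.update(n for n in names if n != "localhost")
        else:
            # A routable address means the file redirects the name instead of
            # blocking it: either an admin override or a hijacked HOSTS file.
            result.suspicious.extend((n, str(addr)) for n in names)
    return result


def is_blocked(hosts: HostsFile, hostname: str) -> bool:
    """HOSTS has no wildcards: only an exact (case-insensitive) match blocks."""
    return normalise(hostname) in hosts.blocked


def check_chain(hosts: HostsFile, chain: list[str]) -> list[tuple[str, bool]]:
    """Mark each hop of a redirect chain as blocked or not."""
    return [(h, is_blocked(hosts, h)) for h in chain]


def unblocked_hops(hosts: HostsFile, chain: list[str]) -> list[str]:
    """Hops not yet in the list: the candidates to investigate and add."""
    return [h for h, blocked in check_chain(hosts, chain) if not blocked]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    chain = ["spamdex-one.example", "www.fakecodec.example", "payload.example"]
    for hop, blocked in check_chain(hosts, chain):
        print(f"{'BLOCKED' if blocked else 'allowed'}  {hop}")
    print("candidates:", unblocked_hops(hosts, chain))
    print("non-sinkhole entries:", hosts.suspicious)
    print("malformed lines:", hosts.malformed)
```

Note that www.fakecodec.example is reported as allowed even though fakecodec.example is listed; that is the exact-match behaviour of the HOSTS mechanism, not a parser bug, and it is why each redirect hop has to be listed by its full name.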

Posted by winhelp2002 with no comments

Attack of the WinFixer Clones

Lately there has been a huge increase in WinFixer affiliates/clones ... although these clones go to great lengths to hide their true identity, you can sniff them out if you know where to look ... WinFixer is run by "Innovative Marketing" and their main distribution host is SetupAHost, based in Canada, although WinFixer also has setup servers in several other countries.

Acting on an email tip from Sebastiaan S, I browsed over to "performanceoptimizer(dot)com". Clicking the Download button redirects to an (https) payment site. Both of these sites are related and share the same IP address (190.15.73.254). However, as you can see below, there is already a problem ...

To show you the SetupAHost connection you have to look at the (https) traffic; the details displayed below clearly show SetupAHost (highlighted in red).

Now if you browse over to "freerepair(dot)org" on the same IP address ... oh my, even my AV (NOD32) knows it's WinFixer!

Another clone of the same IP Address is CryptDrive which Symantec describes as:
"CryptDrive is a misleading application that may give exaggerated reports about potential risks on the computer."

Sadly, I thought we had convinced ValueClick to break their ties with WinFixer ... but it looks like that is not the case.
Yes, "ad2cash" is on the same IP as the above, and there are quite a few other examples of the below ...

Posted by winhelp2002 with 2 comment(s)

How long does it take to setup a malicious site?

Looks like you can register a site and start serving up malware all in the same day.

First you set up a bunch of throw-away sites to use for Spamdexing, then you post a huge amount of links which leads to:

"freeclipoftheday(dot)com" was registered today (Upl Telecom S.r.o) using PrivacyProtect to hide their identity ... clicking any of the buttons in the above bogus prompt leads to "iorproject(dot)com", registered Oct. 1 ... scanning the file "setup.exe" at VirusTotal results in a very poor detection rate (5/32, 15.63%) ... Trojan-Downloader.Win32.Zlob.dbr

Notice there are several redirects ... these are the throw-away sites used for Spamdexing, and the last redirect, "getsomepornmovies(dot)com", was also registered today (Upl Telecom S.r.o).

Folks, these Codec/Zlob infections are becoming very dangerous, as some of the newer variants are now hijacking the LSPs (Layered Service Providers), which requires a special removal tool (SmitFraudFix); other variants install a rootkit, and most versions produce pop-ups on your machine (falsely) indicating that you are infected and then wanting you to download and scan your machine with a Rogue Antispyware product.
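Added example, not the author's tooling, that automates the two pivots the last two posts rely on: domains sharing one IP address (the WinFixer clones) and domains registered the same day under the same registrant (the throw-away Spamdexing sites). Every record below is constructed, with hypothetical domain names, RFC 5737 documentation addresses and made-up registrants; in practice the records would come from DNS lookups and WHOIS output. TODAY is pinned to a constructed date so the run is reproducible.

```python
"""Pivot on shared IP and same-day registration (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    ip: str          # A record at lookup time
    registrant: str  # registrant (or privacy proxy) as shown by WHOIS
    created: date    # WHOIS creation date


# Constructed sample data: hypothetical domains, RFC 5737 documentation
# addresses and made-up organisations. Nothing here is from the original post.
RECORDS = [
    DomainRecord("performance-clone.example", "192.0.2.10",   "Privacy Proxy Inc",       date(2007, 9, 12)),
    DomainRecord("pay-clone.example",         "192.0.2.10",   "Privacy Proxy Inc",       date(2007, 9, 14)),
    DomainRecord("repair-clone.example",      "192.0.2.10",   "Hosting Reseller Ltd",    date(2007, 8, 30)),
    DomainRecord("clip-of-the-day.example",   "198.51.100.5", "Throwaway Telecom s.r.o", date(2007, 10, 3)),
    DomainRecord("movies-redirect.example",   "198.51.100.6", "Throwaway Telecom s.r.o", date(2007, 10, 3)),
    DomainRecord("payload-host.example",      "203.0.113.9",  "Throwaway Telecom s.r.o", date(2007, 10, 1)),
    DomainRecord("unrelated.example",         "203.0.113.50", "Some Company",            date(2004, 5, 1)),
]

# Fixed "today" so the run is reproducible (constructed).
TODAY = date(2007, 10, 3)


def cluster_by_ip(records: list[DomainRecord]) -> dict[str, list[str]]:
    """Group domains that resolve to the same address; keep clusters of 2+."""
    by_ip: dict[str, list[str]] = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r.domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def same_day_registrations(records: list[DomainRecord]) -> dict[tuple[str, date], list[str]]:
    """Group domains created on the same day under the same registrant; keep groups of 2+."""
    by_key: dict[tuple[str, date], list[str]] = defaultdict(list)
    for r in records:
        by_key[(r.registrant, r.created)].append(r.domain)
    return {k: sorted(ds) for k, ds in by_key.items() if len(ds) > 1}


def flag_chain(records: list[DomainRecord], chain: list[str],
               today: date = TODAY, max_age_days: int = 7) -> list[tuple[str, list[str]]]:
    """Annotate each hop of a redirect chain with the reasons it looks throw-away."""
    index = {r.domain: r for r in records}
    shared = {d for ds in cluster_by_ip(records).values() for d in ds}
    same_day: dict[str, list[str]] = {}
    for ds in same_day_registrations(records).values():
        for d in ds:
            same_day[d] = [o for o in ds if o != d]

    out: list[tuple[str, list[str]]] = []
    for host in chain:
        reasons: list[str] = []
        rec = index.get(host)
        if rec is None:
            reasons.append("no DNS/WHOIS record in the data set")
        else:
            age = (today - rec.created).days
            if age <= max_age_days:
                reasons.append(f"registered {age} day(s) ago")
            if host in shared:
                reasons.append(f"shares {rec.ip} with other domains")
            if host in same_day:
                reasons.append("same-day registration with " + ", ".join(same_day[host]))
        out.append((host, reasons))
    return out


if __name__ == "__main__":
    for ip, domains in cluster_by_ip(RECORDS).items():
        print(f"shared IP {ip}: {', '.join(domains)}")
    for (who, when), domains in same_day_registrations(RECORDS).items():
        print(f"registered {when} by {who}: {', '.join(domains)}")
    chain = ["clip-of-the-day.example", "payload-host.example", "unrelated.example"]
    for host, reasons in flag_chain(RECORDS, chain):
        print(f"{host}: {'; '.join(reasons) or 'nothing unusual'}")
```

The age threshold is the judgement call: a week catches "registered today" sites without flagging every young domain, and a shared IP on its own is only a lead (shared hosting puts unrelated sites on one address), which is why the post backs the IP match up with the SetupAHost traffic and the AV hit before calling a site a clone.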

Posted by winhelp2002 with no comments