November 2007 - Posts

Another bogus Codec site

Landing on the following site the visitor is presented with yet another variation of the same bogus prompt ...

You do not need this bogus "video decoder" as there is no movie to view ... just another infection!

The download from "codecvids" is detected as: Trojan-Downloader.Win32.Delf.ddz

Posted by winhelp2002 with no comments

Another bogus movie player site

As you can see below this site is designed to look like a "click to play" movie site ... however in this case no movie is ever played. Instead after several redirects the visitor is prompted with the fake ActiveX prompt ...

Notice how both images imitate a video player ... folks don't fall for these stupid tricks ...

The download is detected as: Trojan-Downloader.Win32.Zlob.eks
Note that the last entry in the result column, 502, indicates that entry is blocked by the HOSTS file ...
"stvfirm(dot)com" = Inhoster Hosting via ESTDOMAINS/PrivacyProtect (no big surprise there!)

Update: (11-26)  - although the "stvfirm" entry was blocked, that entry was added after the last HOSTS file update.
Sorry for any confusion ...

Posted by winhelp2002 with 2 comment(s)

What's in your holiday/family incident response toolkit

The folks over at The SANS™ Institute have an excellent article on "what's in your toolkit"
It's nice to see the MVPS HOSTS file is included ...

Personally I like to load my tools on several USB sticks, as this prevents having to use the Internet to download any needed utilities until the machine is cleaned up.

Posted by winhelp2002 with no comments

MVPS HOSTS File Update 11-19-07


The MVPS HOSTS file was recently updated [11-19-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (631 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

Bogus Flash Player prompt

Landing on the site below the visitor is presented with the following bogus Flash Player prompt ...

While this is a new face on an old trick (bogus ActiveX prompts) it results in the same type of infection - Trojan.Zlob
Clicking any of the above buttons traps the visitor with no way out ... however you can use "Alt + F4" or the Task Manager to kill Internet Explorer.

Clicking "OK" leads to an ".exe" from "newoutserv(dot)com" ... there are several other related sites with the same prompt.

seedbead(dot)org
starzvideos(dot)net

Posted by winhelp2002 with 2 comment(s)

Symantec detects suspicious entries in the MVPS HOSTS file

Well here we go again ... another security program with a poorly written detection ... it seems Symantec added a new detection, SecurityRisk.URLRedir, which they describe as "detection for suspicious entries added to the hosts file"

The following entries are (falsely) detected as suspicious:

dl.jiangmin.com
ads.mcafee.com
directads.mcafee.com
sdc.mcafee.com
sdc.ca.com
wdcs.trendmicro.com
om.symantec.com
tc.symantec.com

Looks like they are detecting anything related to an antivirus program regardless of what the entry is ... except for "dl.jiangmin.com", which McAfee describes as "Upon execution it connects to “dl.jiangmin.com” and adds “BaiduBar.dll” as Browser Helper Object for the Internet Explorer and installs itself as the toolbar"

The above entries are all legit and should not be removed ... if these entries are the only ones detected after a scan, you should set them to Ignore. The "sdc" entries are all 3rd party tracking cookies from WebTrends. The "om" and "tc" entries are actually 3rd party tracking cookies from Omniture. Keep in mind that every entry in the MVPS HOSTS file points to 0.0.0.0, so it can only block a name ... an entry that sends a vendor's name to some other (routable) address is the kind of hijack a detection like this should be looking for.
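The script below is an added example (not code from the MVPS site, Symantec or the original post) showing the check that separates the two cases: it parses a HOSTS file the way Windows reads it (first matching name wins, no wildcards), reports whether a given name is blocked, and lists only the entries that send a name to a non-blackhole address. The sample HOSTS content, the vendor names in it and the 203.0.113.10 address (a documentation-range IP) are constructed for the example. It also covers the "stvfirm" note in the post above: because HOSTS matching is exact, "www.stvfirm.com" is not covered by a "stvfirm.com" line.

```python
"""Classify HOSTS file entries: harmless blocking lines vs. real redirects.

Added example, not part of the MVPS HOSTS file or the blog post it follows.
Requires Python 3.9+ (built-in generic list[...] annotations).
"""
import ipaddress
from typing import NamedTuple, Optional


class HostsEntry(NamedTuple):
    address: str
    hostname: str
    line_no: int


# Addresses that can only sink traffic; an entry pointing here blocks a name.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names the OS legitimately maps to loopback; not worth reporting.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a few MVPS-style blocking lines plus one hijack line.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
0.0.0.0 ads.mcafee.com
0.0.0.0 sdc.mcafee.com   # WebTrends tracking
0.0.0.0 om.symantec.com  # Omniture tracking
0.0.0.0 stvfirm.com
203.0.113.10 update.symantec.com   # hijack: a real, routable address
"""


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse HOSTS text: '<address> <name> [<name> ...]', '#' starts a comment.

    Malformed lines (no valid IP in the first field) are skipped, which is
    also how the OS resolver treats them.
    """
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for name in names:
            entries.append(HostsEntry(address, name.lower(), line_no))
    return entries


def resolve(hostname: str, entries: list[HostsEntry]) -> Optional[str]:
    """Return the address the HOSTS file gives for hostname (first match wins),
    or None when the file has no entry and DNS would be consulted.
    Matching is exact: HOSTS files do not support wildcards."""
    host = hostname.lower().rstrip(".")
    for entry in entries:
        if entry.hostname == host:
            return entry.address
    return None


def is_blocked(hostname: str, entries: list[HostsEntry]) -> bool:
    """True when the HOSTS file sends hostname to a blackhole address."""
    return resolve(hostname, entries) in BLACKHOLE_ADDRESSES


def redirect_entries(entries: list[HostsEntry]) -> list[HostsEntry]:
    """Entries that map a name to a routable address: the hijack pattern a
    'suspicious hosts entry' detection should flag, unlike 0.0.0.0 lines."""
    return [
        e for e in entries
        if e.address not in BLACKHOLE_ADDRESSES and e.hostname not in LOCAL_NAMES
    ]


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.mcafee.com", "stvfirm.com", "www.stvfirm.com"):
        print(f"{name}: {'blocked' if is_blocked(name, found) else 'not blocked'}")
    for e in redirect_entries(found):
        print(f"line {e.line_no}: {e.hostname} -> {e.address}  (redirect, investigate)")
```

Run it against a real file by replacing SAMPLE_HOSTS with the contents of `%SystemRoot%\System32\drivers\etc\hosts`; only the lines listed under "redirect, investigate" deserve a second look, and the 0.0.0.0 vendor entries the Symantec update complains about will never appear there.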

Posted by winhelp2002 with 5 comment(s)

DoubleClick serves up DoubleSpeak

eWeek has an article "DoubleClick Serves Up Vast Malware Blitz" which describes problems with DoubleClick serving up malicious content related to none other than the WinFixer Group ... however a few of DoubleClick's comments struck me as nothing more than doublespeak ...

"DoubleClick officials told eWEEK that they have recently implemented a security monitoring system to catch and disable a new strain of malware that has spread over the past several months.

The sites involved are ultimately responsible for any malicious code delivered through their ads or sites."

How is it that the content is being served up from DoubleClick's servers, but the website itself is responsible for the malicious content? It seems that DoubleClick has been aware of this problem for quite a while now ... so whatever system they have implemented isn't working very well.

In another article dated Jun 21, 2007 ... "While evidence of rogue networks exists, isolated occurrences of malicious ads are more common in Edelman's experience. In early June, he identified an ad for a product called DriveCleaner that ran on Friendster.com and was served through DoubleClick's DART servers. The ad attempted to take over Friendster and replace the URL in the address bar with another, according to Edelman."

"We very rarely come across cases like this," said Sean Harvey, senior product manager of the DART platform at DoubleClick. "As a technology provider, we have a strong support team. They contact us and we can put a SWAT team on it and shut it down in real time."

A "SWAT Team" ... "a strong support team"  huh? Looks more like DoubleClick is too busy puffing themselves up for a Google takeover than worrying about managing the content they are serving ...

In another related (WinFixer) story eWeek describes quite a few other large advertisers and major sites that have been hit with the same problem: the WinFixer Group. Sandi Hardmeier and I have been reporting on the tactics of WinFixer for quite a while ("Attack of the WinFixer Clones") ... while it's good that the problem has finally reached the mainstream press, what now?

All the clones supported by WinFixer (and there are hundreds) are hosted by foreign providers ... so not much you can do there. However it appears that the services that sell advertising need to do a much better job researching who they are selling to ...

Notice that none of these recent news articles mention anything about what recourse there is for the visitors who were duped by these malicious ads ... one solution is to use a HOSTS file to avoid the majority of these problems.

Posted by winhelp2002 with no comments

Bogus Video Player Error

Landing on "pornflash(dot)tv" the viewer will see the following bogus error ...

Simply visiting this page with older Windows versions gets you whacked automatically with a download from "zerocodec(dot)com", which is detected as another variant of Trojan.Win32.DNSChanger. As a matter of fact "zerocodec(dot)com" is registered to the same person (although the Whois info is most likely bogus as well) as in my previous blog post (vivacodec(dot)net).

Vivacodec has been in the news lately as the Codec gang has finally made the leap to infecting Mac machines also ...

Both sites are hosted at Cernel, which seems to be home to the majority of the Codec infections ... lately these codec sites only seem to last a few days (until someone reports them), then they simply register a new site and start all over again. I suspect this gives Cernel the chance to state ... "see, we are shutting them down" ... but then why does Cernel allow the same person to register another site and continue operations? ...

Posted by winhelp2002 with no comments

A new approach from the Codec gang

Landing on the following site you'll see the (bogus) message ... "may require special application to run" ... yeah right!

Scanning at VirusTotal: Result: 10/32 (31.25%) = Trojan.Win32.DNSChanger.qb ... sadly this is better than usual ... vivacodec is hosted at Cernel, which hosts about 90% of the codec sites.

Posted by winhelp2002 with no comments

MVPS HOSTS File Update 11-01-07


The MVPS HOSTS file was recently updated [11-01-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (629 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments