December 2007 - Posts

The Year in Review

As the year comes to a close ... it appears that Trojan.Zlob/Codec remains the #1 threat. This is mainly due to the coordinated effort of the Malware writers and the Rogue Anti-Spyware community ...

While the detection rates have become better for the commercial Antivirus/Antispyware products, the "freeware" versions have failed to keep pace and are no longer recommended as a first line of defense ...

The huge rise in the amount of "Rogue Anti-Spyware products" really surprised me this year. Even exposing these fakes has done little to stem the tide ... what I would like to see is all the "Mag" sites run several reviews on these bogus products and get the mainstream media involved in exposing all the parties involved.

So folks, remember it's important to keep all your software updated, as the trend now is to attack the 3rd party products as the malware writers are finding it harder and harder to attack Windows itself.

I'll leave you with the following from August of this year ...

"The most interesting part (for me) however was the "Defense Evaluation / Blacklisting" part. When applied on their dataset the very famous hosts file maintained by winhelp2002 blocked all infections, although it contained only a minority (12%) of the domains." [source] (emphasis added)

Posted by winhelp2002 with 4 comment(s)

eMusic Toolbar

I have been contacted several times this year regarding the entry for eMusic in my HOSTS file ... so I thought I'd give them a second look, since they were previously detected as "Adware.eMusic" by the majority of Antivirus/Antispyware programs.

I highlighted the "It's safe. No spyware, adware, or malware" ... OK sounds good ... let's click the download and see ...

Well this didn't start out so good ... matter of fact after disabling NOD32 and scanning the file at VirusTotal (results here)

AntiVir = DR/Comet.BE.2
BitDefender = Adware.StarWire.A
ClamAV = Adware.Comet-20
Fortinet = Adware/Comet
Kaspersky = AdWare.Win32.Comet.be
NOD32v2 = Win32/Adware.Comet
Prevx1 = Generic.Malware
VBA32 = AdWare.Win32.Comet.be
Webwasher-Gateway = Trojan.Dropper.Comet.BE.2

No Adware they say? ... looks like eMusic needs to change the wording on their site. Better yet, quit pushing Toolbars created by 3rd parties that are known adware bundlers ... but then that would cut down on the revenue they generate from these types of installs ... yeah it's all about the mighty $$$ ... so do you think I should leave the entry for eMusic?

Posted by winhelp2002 with 2 comment(s)

Beware of fake DNS Error pages

These sites have created their pages to look exactly like a typical (Microsoft IE7) DNS Error page ...

Notice the links for "AntiSpywareSuite" ... which is yet another WinFixer clone ... and the download is from:

hxxp://content.onerateld.com/antispywaresuite(dot)com/AntiSpywareSuite/install_en.exe (URL disabled)

Other sites with the same exact fake page ... all hosted at: Ukrtelegroup Ltd via ESTDOMAINS/PrivacyProtect

404dnspage(dot)com
dns404page(dot)com
errors404(dot)com
ieerrordns(dot)com

AntiSpywareSuite is hosted at Eukhost_ltd via Webstarshosting Inc which is home to hundreds of WinFixer clones ...

Posted by winhelp2002 with no comments

Another fake free Movie site

Hopefully regular readers of this blog do not fall for these offers of "it is absolutely free" ...

Accessing the above site you see the typical "ActiveX Object Error" bogus prompt ...

Clicking any of the above buttons results in (codecmeg4049.exe) Trojan.Win32.DNSChanger.akt (VirusTotal results)
Both sites involved are hosted (where else) at Cernel, which is typically home to the majority of these types of infections.

Posted by winhelp2002 with no comments

Another malicious fake scanner site

Following up on an email tip from Adrienne ... what's interesting is that while the fake scan is running the site tries to download/install "Install2486.cab" ... however my AV kills the download ...

Clicking on any of the links on the page results in the site downloading "Install2486.exe" ...

This site is hosted at Hostfresh via ESTDOMAINS/PrivacyProtect which also is home to several other related fakes ...

58.65.238.130  stopingspy(dot)com
58.65.238.130  online-guard(dot)net
58.65.238.130  liveprotection(dot)net
58.65.238.130  liveantispy(dot)com
58.65.238.130  killspy(dot)org
58.65.238.130  guard-center(dot)com
58.65.238.130  dr-protection(dot)com

58.65.238.131  scanner.online-guard-adv(dot)net
58.65.238.131  scanner.dr-protection-adv(dot)com

HostFresh (Hong Kong) reportedly has ties to "Russian Business Network" (RBN)

Posted by winhelp2002 with no comments

AntiSpywareControl yet another Rogue/Suspect Anti-Spyware Product

Landing on the following site the viewer is presented with not only an "IFrame.Exploit" and the typical adult content, but several interesting banners ... (MVPS HOSTS file users are already protected from the IFrame.Exploit)

Look familiar? ... well let's see where this leads us ... (as if I didn't know ;)

"Independently certified" ... and "100% free of viruses, adware and spyware" ... oh what a claim! Even if you try to cancel the (fake) scan the download is still loaded.

Seems my AV doesn't agree ... so who would you believe? ... yeah me too ...
And as you can see below there are several other culprits involved all WinFixer related ... including Limelight Networks.

The download is the same exact filename (install_en.exe) as the one from "SpyGuardPro" which also produces the same detection results from VirusTotal.

Posted by winhelp2002 with 2 comment(s)

Christmas comes early

This year the wife and I decided to treat ourselves to a new flat-screen ... Samsung HP-T5054 50-inch Plasma HDTV

Although the photo doesn't really do the picture quality justice ... it sure is a big jump from a 32" !!
I can't wait to try this out as a PC Monitor ... enjoy the holidays everyone ...

Posted by winhelp2002 with 2 comment(s)

Limelight distributes hundreds of Rogue Antispyware products

Looks like Limelight is involved in distributing hundreds of Rogue Antispyware products ... the majority of these are from "LocusSoftware" which I have mentioned before. However I found an interesting video produced by Symantec that shows all these clones ... and there are hundreds! So let's take "SpyGuardPro" as an example ...

Oops ... Google has flagged this as a malicious site ...

Ok ... let's go there and see ... appears my AV (NOD32 v3) doesn't like it either ...

As you can see the download is attempted from "content.onerated.com" which is running from ... you guessed it ...
Limelight Networks server. Scanning the download (install_en.exe) at VirusTotal reveals the following:

This is the same exact file (install_en.exe) that I've mentioned before, and just to leave no doubt, this is the same installer detected by SunBelt which was used by WinFixer. So all LocusSoftware is doing is changing the embedded URLs within the file for each of the hundreds of clones it creates, as seen in the Symantec video above ...

87.117.252.11  spyguardpro.com (hosted at Eukhost_ltd)
87.117.252.11  sale.spyguardpro.com (hosted at Eukhost_ltd)
204.16.204.56  jsp.spyguardpro.com (hosted at Setupahost)
204.16.204.56  protect.spyguardpro.com (hosted at Setupahost)
85.12.60.13     ykeeper.spyguardpro.com (hosted at Euroaccess)

Although it's doubtful that (US) officials can do anything about the foreign locations, they can certainly question the unsavory practices of LimeLight since it is a US company ...

"knock-knock" = "who's there?" The FTC (we can only hope!)

Posted by winhelp2002 with 6 comment(s)

More malware found at Limelight Networks

Seems the harder I look the more malicious content is found running from Limelight Networks ... at least Google has flagged one of the previous entries I mentioned as malicious ...

[emphasis added]

It appears Limelight has moved several of the previous entries to another server within their network ... then I found a few more (highlighted below)

[Limelight Networks][208.111.128.0 - 208.111.191.255]

208.111.129.28  download.cdn.winsoftware.com
208.111.129.28  sec.storageguardsoft.com
208.111.129.28  software.protectdownloads.com
208.111.129.28  setuphost.vo.llnwd.net
208.111.129.28  locator.contentsvc.com

[Limelight Networks][69.28.128.0 - 69.28.191.255]

69.28.154.169  xml.spywarelabs.com
69.28.154.169  install.spywarelabs.com
69.28.154.237  bsa.safetydownload.com [WinFixer Trojan]
69.28.154.237  content.onerateld.com
69.28.154.237  cdn.drivecleaner.com
69.28.154.237  cdn.downloadcontrol.com

[more here]
[more here]

[Limelight Networks][68.142.64.0 - 68.142.127.255]

68.142.98.227  www.inexplorer.com
68.142.98.227  toolbar.inexplorer.com
68.142.98.227  inexplorer.com [Whois Info]
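The hostname lists on this page (the Hostfresh list in "Another malicious fake scanner site" and the Limelight ranges above) are written hosts-file style: an IP, a hostname, sometimes a bracketed note, with domains occasionally defanged as "(dot)". The following Python script is an added example, not code from this blog or from the MVPS HOSTS file project: it parses that format, groups hostnames by the IP they share (the clustering these posts use to tie clones to one hosting provider), emits standard hosts-file sinkhole entries, and checks a hostname the way a real hosts file would, by exact match only, so a subdomain that is not listed explicitly is not blocked. The sample input is constructed from entries on this page and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the lists on this page:
# "IP  hostname [optional note]", domains sometimes written as "(dot)".
SAMPLE_LIST = """\
# fake scanner cluster
58.65.238.130  stopingspy(dot)com
58.65.238.130  online-guard(dot)net
58.65.238.131  scanner.online-guard-adv(dot)net
# Limelight range
69.28.154.237  bsa.safetydownload.com [WinFixer Trojan]
69.28.154.237  content.onerateld.com
"""

# IPv4, whitespace, hostname, optional "[note]" at the end of the line.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)(?:\s+\[(.*?)\])?\s*$"
)


def refang(host):
    """Turn the defanged spellings used in write-ups back into a real hostname."""
    host = host.strip().lower()
    for token in ("(dot)", "[dot]", "{dot}"):
        host = host.replace(token, ".")
    return host


def parse_entries(text):
    """Return a list of (ip, hostname, note) tuples; comments and junk lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not in "IP hostname" form; ignore rather than guess
        ip, host, note = m.groups()
        entries.append((ip, refang(host), note))
    return entries


def group_by_ip(entries):
    """Map each IP to the hostnames sharing it, which is how the posts spot hosting clusters."""
    groups = defaultdict(list)
    for ip, host, _ in entries:
        if host not in groups[ip]:
            groups[ip].append(host)
    return dict(groups)


def to_hosts_file(entries, sink="0.0.0.0"):
    """Emit hosts-file sinkhole lines ("0.0.0.0 hostname  # note"), one per unique hostname."""
    lines, seen = [], set()
    for _, host, note in entries:
        if host in seen:
            continue
        seen.add(host)
        line = f"{sink} {host}"
        if note:
            line += f"  # {note}"
        lines.append(line)
    return "\n".join(lines) + "\n"


def is_blocked(hostname, entries):
    """Exact-match lookup: a hosts file has no wildcards, so 'www.x.com' is not covered by 'x.com'."""
    blocked = {host for _, host, _ in entries}
    return refang(hostname) in blocked


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LIST)
    for ip, hosts in group_by_ip(entries).items():
        print(f"{ip}: {', '.join(hosts)}")
    print(to_hosts_file(entries))
    for probe in ("online-guard(dot)net", "www.stopingspy.com"):
        print(probe, "blocked" if is_blocked(probe, entries) else "NOT blocked")
```

The last probe is the caveat worth remembering when maintaining a hosts-file blocklist: each hostname must be listed exactly, which is why the lists above carry separate entries such as "scanner.online-guard-adv(dot)net" rather than relying on the parent domain.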

Now this one is actually detected as a virus! ... W32/Pate virus which you can see via McAfee SiteAdvisor that includes the VirusTotal results ... and yes I have contacted Limelight twice via email ... (Ticket ID: llnw #456387) no reply as yet.

Posted by winhelp2002 with 1 comment(s)

Beware of Ransomware

After reading a blog post by fellow Microsoft MVP "Donna's SecurityFlash" I thought I'd do a little follow-up ...

"The ransomware was included in adware “Uccplay.” Victims are led into thinking the adware is a multimedia player, but when they install it, the program copies all video files stored on the computer to a hidden folder and removes the original files. Victims have no choice but to open the ransomware to access their video files, which then opens up a “certification” box that actually links to mobile phone payment."

What I found was a lot more than "adware" from Uccplay ... which is a "Google.Warning" site ...

Just visiting this site is hazardous! ... as you can see it immediately attempts to install an ActiveX, which is blocked by Windows Vista. However that's not all it tries to do ...

Look at all the ".cab" files this site tries to load! ... Yikes! ... I downloaded the "down.iedoumi(dot)com" cab file and scanned it at VirusTotal [results here] which is mainly detected as: Trojan-Downloader.Win32.Delf.bpn

FYI: "down.iedoumi(dot)com" is also a Google.Warning site ... gee I wonder why ... while the files from "microadsystem" are detected as: TR/Dldr.FakeAV.F.1 [results here]

Then "comclean.co(dot)kr" = Spyware.Comclean ... although the ".cab" file is only detected as suspicious at VirusTotal.
Seems a little ironic that the same page that tries to infect you also tries to load a (unknown) Antivirus program too ...

Posted by winhelp2002 with no comments

Bogus Video Plugin Error

Landing on the following site (trooperporn(dot)com) the viewer is presented with yet another bogus error prompt ...

If you click [choke] Continue ... well I didn't get far as NOD32 v3 jumped up with the following ...

There are several other sites involved ... including "results-google(dot)info" which tries to load a script, which generates a pop-up for DriveCleaner (Innovative Marketing) ... seems like these culprits are everywhere lately.

Really makes you wonder why LimeLight Networks would associate themselves with Innovative Marketing/SetUpAHost ...

Posted by winhelp2002 with no comments

Another malicious IFrame Exploit

Landing on the following site NOD32 v3 immediately jumps up and cancels the connection ...

The culprits in this case are well known (Attackers target unpatched QuickTime flaw) and already exist in the HOSTS file.

So off I go to Google to see what else I can find ... seems Google has determined this is a malicious site also ...


Ok let's see what ExploitLabs Linkscanner has to say ...


Now while I was at Google I noticed a new link/site scanner from PC Tools - BrowserDefender

Yikes ... looks like PC Tools has a little fine tuning to do yet ... although I see it's still in Beta ...

"hardcoremoviesreview" is hosted (no surprise there) at Intercage via ESTDOMAINS/PrivacyProtect
"2005-search" and "search-biz" are hosted at Ukrtelegroup Ltd via Wuster Ltd Group. Wuster controls a huge amount of sites that all run exploits or redirect to sites that do ...

Posted by winhelp2002 with no comments