December 2007 - Posts

The Year in Review

As the year comes to a close ... it appears that Trojan.Zlob/Codec remains the #1 threat. This is mainly due to the coordinated effort of the Malware writers and the Rogue Anti-Spyware community ...

While the detection rates have become better for the commercial Antivirus/Antispyware products, the "freeware" versions have failed to keep pace and are no longer recommended as a first line of defense ...

The huge rise in the amount of "Rogue Anti-Spyware products" really surprised me this year. Even exposing these fakes has done little to stem the tide ... what I would like to see is all the "Mag" sites run several reviews on these bogus products and get the mainstream media involved in exposing all the parties involved.

So folks, remember it's important to keep all your software updated, as the trend now is to attack 3rd party products since the malware writers are finding it harder and harder to attack Windows itself.

I'll leave you with the following from August of this year ...

"The most interesting part (for me) however was the "Defense Evaluation / Blacklisting" part. When applied on their dataset the very famous hosts file maintained by winhelp2002 blocked all infections, although it contained only a minority (12%) of the domains." [source] (emphasis added)
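The quoted result (all infections blocked with only 12% of the domains listed) follows from the fact that an infection chain needs several hosts and cutting any one hop stops it. The following is an added illustration, not code from this post or from the cited study; the chains, hostnames and blocklist are constructed sample data:

```python
"""Added illustration: domain-level coverage of a blocklist versus
infection-level coverage.  All chains and hostnames below are
constructed sample data, not real indicators."""

# Each chain is the ordered list of hosts a victim's browser contacts
# (landing page, redirector, download server) before the binary arrives.
SAMPLE_CHAINS = [
    ["fake-codec-landing.example", "redirect-a.example", "dl-server-1.example"],
    ["free-movie-site.example", "redirect-b.example", "dl-server-1.example"],
    ["dns-error-lookalike.example", "dl-server-2.example"],
    ["fake-scanner.example", "redirect-a.example", "dl-server-2.example"],
]

# Constructed blocklist: only the two download servers are listed.
SAMPLE_BLOCKLIST = {"dl-server-1.example", "dl-server-2.example"}


def domain_coverage(chains, blocklist):
    """Fraction of the distinct domains seen in the chains that the list contains."""
    domains = {h.lower() for chain in chains for h in chain}
    return len(domains & blocklist) / len(domains)


def infection_coverage(chains, blocklist):
    """Fraction of chains that are stopped because at least one hop is blocked."""
    stopped = sum(1 for chain in chains
                  if any(h.lower() in blocklist for h in chain))
    return stopped / len(chains)


def hop_frequency(chains):
    """How many chains each host takes part in; hosts shared by many chains
    are the cheapest entries to add to a HOSTS file."""
    counts = {}
    for chain in chains:
        for host in set(h.lower() for h in chain):
            counts[host] = counts.get(host, 0) + 1
    return counts


def evaluate(chains, blocklist):
    """Summary in the spirit of the quoted 'Defense Evaluation' section."""
    return {
        "domain_coverage": domain_coverage(chains, blocklist),
        "infection_coverage": infection_coverage(chains, blocklist),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_CHAINS, SAMPLE_BLOCKLIST))
```

With the sample data the list holds 2 of 8 domains (25%) yet stops all 4 chains, which is the shape of the quoted result.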

Posted by winhelp2002 with 4 comment(s)

eMusic Toolbar

I have been contacted several times this year regarding the entry for eMusic in my HOSTS file ... so I thought I'd give them a second look, since they were previously detected as "Adware.eMusic" by the majority of Antivirus/Antispyware programs.

I highlighted the "It's safe. No spyware, adware, or malware" ... OK sounds good ... let's click the download and see ...

Well this didn't start out so good ... as a matter of fact, after disabling NOD32 and scanning the file at VirusTotal (results here):

AntiVir = DR/Comet.BE.2
BitDefender = Adware.StarWire.A
ClamAV = Adware.Comet-20
Fortinet = Adware/Comet
Kaspersky = AdWare.Win32.Comet.be
NOD32v2 = Win32/Adware.Comet
Prevx1 = Generic.Malware
VBA32 = AdWare.Win32.Comet.be
Webwasher-Gateway = Trojan.Dropper.Comet.BE.2

No Adware they say? ... looks like eMusic needs to change the wording on their site. Better yet, quit pushing Toolbars created by 3rd parties that are known adware bundlers ... but then that would cut down on the revenue they generate from these types of installs ... yeah it's all about the mighty $$$ ... so do you think I should leave the entry for eMusic?

Posted by winhelp2002 with 3 comment(s)

Beware of fake DNS Error pages

These sites have created their pages to look exactly like a typical (Microsoft IE7) DNS Error page ...

Notice the links for "AntiSpywareSuite" ... which is yet another WinFixer clone ... and the download is from:

hxxp://content.onerateld.com/antispywaresuite(dot)com/AntiSpywareSuite/install_en.exe (URL disabled)

Other sites with the same exact fake page ... all hosted at: Ukrtelegroup Ltd via ESTDOMAINS/PrivacyProtect

404dnspage(dot)com
dns404page(dot)com
errors404(dot)com
ieerrordns(dot)com

AntiSpywareSuite is hosted at Eukhost_ltd via Webstarshosting Inc which is home to hundreds of WinFixer clones ...

Posted by winhelp2002 with no comments

Another fake free Movie site

Hopefully regular readers of this blog do not fall for these offers of "it is absolutely free" ...

Accessing the above site you see the typical "ActiveX Object Error" bogus prompt ...

Clicking any of the above buttons results in (codecmeg4049.exe) Trojan.Win32.DNSChanger.akt (VirusTotal results)
Both sites involved are hosted (where else) at Cernel, which is typically home to the majority of these types of infections.

Posted by winhelp2002 with no comments

Another malicious fake scanner site

Following up on an email tip from Adrienne ... what's interesting is that while the fake scan is running the site tries to download/install "Install2486.cab" ... however my AV kills the download ...

Clicking on any of the links on the page results in the site downloading "Install2486.exe" ...

This site is hosted at Hostfresh via ESTDOMAINS/PrivacyProtect which also is home to several other related fakes ...

58.65.238.130  stopingspy(dot)com
58.65.238.130  online-guard(dot)net
58.65.238.130  liveprotection(dot)net
58.65.238.130  liveantispy(dot)com
58.65.238.130  killspy(dot)org
58.65.238.130  guard-center(dot)com
58.65.238.130  dr-protection(dot)com

58.65.238.131  scanner.online-guard-adv(dot)net
58.65.238.131  scanner.dr-protection-adv(dot)com

HostFresh (Hong Kong) reportedly has ties to "Russian Business Network" (RBN)

Posted by winhelp2002 with no comments

AntiSpywareControl yet another Rogue/Suspect Anti-Spyware Product

Landing on the following site the viewer is presented with not only an "IFrame.Exploit" and the typical adult content, but several interesting banners ... (MVPS HOSTS file users are already protected from the IFrame.Exploit)

Look familiar? ... well let's see where this leads us ... (as if I didn't know ;)

"Independently certified" ... and "100% free of viruses, adware and spyware" ... oh what a claim! Even if you try to cancel the (fake) scan the download is still loaded.

Seems my AV doesn't agree ... so who would you believe? ... yeah me too ...
And as you can see below there are several other culprits involved all WinFixer related ... including Limelight Networks.

The download is the same exact filename (install_en.exe) as the one from "SpyGuardPro" which also produces the same detection results from VirusTotal.

Posted by winhelp2002 with 2 comment(s)

Christmas comes early

This year the wife and I decided to treat ourselves to a new flat-screen ... Samsung HP-T5054 50-inch Plasma HDTV

Although the photo doesn't really do the picture quality justice ... it sure is a big jump from a 32" !!
I can't wait to try this out as a PC Monitor ... enjoy the holidays everyone ...

Posted by winhelp2002 with 2 comment(s)

Limelight distributes hundreds of Rogue Antispyware products

Looks like Limelight is involved in distributing hundreds of Rogue Antispyware products ... the majority of these are from "LocusSoftware" which I have mentioned before. However I found an interesting video produced by Symantec that shows all these clones ... and there are hundreds! So let's take "SpyGuardPro" as an example ...

Oops ... Google has flagged this as a malicious site ...

Ok ... let's go there and see ... appears my AV (NOD32 v3) doesn't like it either ...

As you can see the download is attempted from "content.onerated.com" which is running from ... you guessed it, a Limelight Networks server. Scanning the download (install_en.exe) at VirusTotal reveals the following:

This is the same exact file (install_en.exe) that I've mentioned before, and just to leave no doubt, this is the same installer detected by SunBelt which was used by WinFixer. So all LocusSoftware is doing is changing the embedded URLs within the file for each of the hundreds of clones it creates, as seen in the Symantec video above ...

87.117.252.11  spyguardpro.com (hosted at Eukhost_ltd)
87.117.252.11  sale.spyguardpro.com (hosted at Eukhost_ltd)
204.16.204.56  jsp.spyguardpro.com (hosted at Setupahost)
204.16.204.56  protect.spyguardpro.com (hosted at Setupahost)
85.12.60.13  ykeeper.spyguardpro.com (hosted at Euroaccess)

Although it's doubtful that (US) officials can do anything about the foreign locations, they can certainly question the unsavory practices of LimeLight since it is a US company ...

"knock-knock" = "who's there?" The FTC (we can only hope!)

Posted by winhelp2002 with 6 comment(s)

More malware found at Limelight Networks

Seems the harder I look the more malicious content is found running from Limelight Networks ... at least Google has flagged one of the previous entries I mentioned as malicious ...

[emphasis added]

It appears Limelight has moved several of the previous entries to another server within their network ... then I found a few more (highlighted below)

[Limelight Networks][208.111.128.0 - 208.111.191.255]

208.111.129.28  download.cdn.winsoftware.com
208.111.129.28  sec.storageguardsoft.com
208.111.129.28  software.protectdownloads.com
208.111.129.28  setuphost.vo.llnwd.net
208.111.129.28  locator.contentsvc.com

[Limelight Networks][69.28.128.0 - 69.28.191.255]

69.28.154.169  xml.spywarelabs.com
69.28.154.169  install.spywarelabs.com
69.28.154.237  bsa.safetydownload.com [WinFixer Trojan]
69.28.154.237  content.onerateld.com
69.28.154.237  cdn.drivecleaner.com
69.28.154.237  cdn.downloadcontrol.com

[more here]
[more here]

[Limelight Networks][68.142.64.0 - 68.142.127.255]

68.142.98.227  www.inexplorer.com
68.142.98.227  toolbar.inexplorer.com
68.142.98.227  inexplorer.com [Whois Info]

Now this one is actually detected as a virus! ... W32/Pate virus which you can see via McAfee SiteAdvisor that includes the VirusTotal results ... and yes I have contacted Limelight twice via email ... (Ticket ID: llnw #456387) no reply as yet.

Posted by winhelp2002 with 1 comment(s)

Beware of Ransomware

After reading a blog post by fellow Microsoft MVP "Donna's SecurityFlash" I thought I'd do a little follow-up ...

"The ransomware was included in adware “Uccplay.” Victims are led into thinking the adware is a multimedia player, but when they install it, the program copies all video files stored on the computer to a hidden folder and removes the original files. Victims have no choice but to open the ransomware to access their video files, which then opens up a “certification” box that actually links to mobile phone payment."

What I found was a lot more than "adware" from Uccplay ... which is a "Google.Warning" site ...

Just visiting this site is hazardous! ... as you can see it immediately attempts to install an ActiveX control, which is blocked by Windows Vista. However that's not all it tries to do ...

Look at all the ".cab" files this site tries to load! ... Yikes! ... I downloaded the "down.iedoumi(dot)com" cab file and scanned it at VirusTotal [results here] which is mainly detected as: Trojan-Downloader.Win32.Delf.bpn

FYI: "down.iedoumi(dot)com" is also a Google.Warning site ... gee I wonder why ... while the files from "microadsystem" are detected as: TR/Dldr.FakeAV.F.1 [results here]

Then "comclean.co(dot)kr" = Spyware.Comclean ... although the ".cab" file is only detected as suspicious at VirusTotal.
Seems a little ironic that the same page that tries to infect you also tries to load an (unknown) Antivirus program too ...

Posted by winhelp2002 with no comments

Bogus Video Plugin Error

Landing on the following site (trooperporn(dot)com) the viewer is presented with yet another bogus error prompt ...

If you click [choke] Continue ... well I didn't get far as NOD32 v3 jumped up with the following ...

There are several other sites involved ... including "results-google(dot)info" which tries to load a script, which generates a pop-up for DriveCleaner (Innovative Marketing) ... seems like these culprits are everywhere lately.

Really makes you wonder why LimeLight Networks would associate themselves with Innovative Marketing/SetUpAHost ...

Posted by winhelp2002 with no comments

Another malicious IFrame Exploit

Landing on the following site NOD32 v3 immediately jumps up and cancels the connection ...

The culprits in this case are well known (Attackers target unpatched QuickTime flaw) and already exist in the HOSTS file.

So off I go to Google to see what else I can find ... seems Google has determined this is a malicious site also ...

Ok let's see what ExploitLabs Linkscanner has to say ...

Now while I was at Google I noticed a new link/site scanner from PC Tools - BrowserDefender

Yikes ... looks like PC Tools has a little fine tuning to do yet ... although I see it's still in Beta ...

"hardcoremoviesreview" is hosted (no surprise there) at Intercage via ESTDOMAINS/PrivacyProtect
"2005-search" and "search-biz" are hosted at Ukrtelegroup Ltd via Wuster Ltd Group. Wuster controls a huge number of sites that all run exploits or redirect to sites that do ...

Posted by winhelp2002 with no comments

MVPS HOSTS File Update 12-10-07

The MVPS HOSTS file was recently updated [12-10-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (145 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (633 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

More on Innovative Marketing

Thought I'd show the Hosting services that are affiliated with the Innovative Marketing Group ...

As you can see they spread out into quite a few areas ... other known affiliates:

LocusSoftware, Inc
United Kingdom

LocusSoftware sites hosted via Eukhost_ltd
91.186.30.75  sale.trustedantivirus.com
91.186.30.80  secure.systemerrorfixer.com

LocusSoftware sites hosted via Euroaccess
85.12.60.123  shop.pcprivacytool.com
85.12.60.30  winpcdoctor.com
winspycontrol.com
winsecureav.com

LocusSoftware sites hosted via Setupahost (Toronto)
204.16.204.56  protect.trustedantivirus.com
204.16.204.56  clean.systemerrorfixer.com
204.16.204.56  privacy.securepccleaner.com
204.16.204.56  privacy.pcprivacytool.com

PCPrivacyTool is a Security Risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

Sound familiar? ... the above are just a few examples of these deceptive [choke] products ...

Posted by winhelp2002 with 6 comment(s)

LimeLight Networks and connecting the dots

Often times you have to look hard to connect the dots ... however it now seems LimeLight has been affiliated with the "Innovative Marketing Group" (aka WinFixer) for some time. And as of today they are still hosting files that almost every major Antivirus/Antispyware program detects as malware ...

Landing on the below site you can see from the Microsoft Fiddler output the parties involved including LimeLight ...

As you can see the majority are blocked (Result 502) by the HOSTS file, but you can plainly see the locations involved.

[Limelight Networks (United States) - Netrange: 69.28.128.0 - 69.28.191.255]

69.28.154.167  download.cdn.winsoftware.com
69.28.154.167  bsa.safetydownload.com
69.28.154.167  setuphost.vo.llnwd.net
69.28.154.167  cdn.drivecleaner.com
69.28.154.167  cdn.downloadcontrol.com
69.28.154.237  sec.storageguardsoft.com
69.28.154.237  software.protectdownloads.com
69.28.154.237  content.onerateld.com
69.28.154.237  locator.contentsvc.com


All of the above are aliases for "setuphost.vo.llnwd.net" and there is no doubt that LimeLight is serving up these files from their network. In the above example run today the download was from:

hxxp://download.cdn.winsoftware.com/files/installers/WinAntiVirusPro2006FreeInstall.exe

Here are a few more examples (URLs disabled); you can find thousands more via a Google search ...
hxxp://bsa.safetydownload.com/winpcdoctor.com/WinPCDoctor/setup_en.exe
hxxp://content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe
hxxp://content.onerateld.com/goldenantispy.com/GoldenAntiSpy/install_en.exe
hxxp://content.onerateld.com/avsystemcare.com/AVSystemCare/install_en.exe
hxxp://content.onerateld.com/winsecureav.com/WinSecureAv/install_en.exe
hxxp://content.onerateld.com/bestsellerantivirus.com/BestsellerAntivirus/install_en.exe
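The HOSTS file check described above (the Fiddler capture showing the blocked hosts) and the "which names share a server" listings can be reproduced offline. This is an added example, not the MVPS project's own code: it parses plain `<ip> <hostname>` HOSTS lines with `#` comments, turns the disabled `hxxp://` and `(dot)` write-up URLs back into parseable form, and reports which downloads a given HOSTS file would stop. The blocklist excerpt and URL list are constructed from hostnames that appear in this post; the `0.0.0.0`/`127.0.0.1` sentinel convention is an assumption about the file being checked.

```python
"""Added example: check write-up URLs against a HOSTS-format blocklist
and group an '<ip> <hostname>' listing by address.  Sample data below
is constructed from hostnames mentioned in the post."""

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Addresses a HOSTS-based blocklist maps unwanted names to (assumption).
BLOCK_SENTINELS = {"0.0.0.0", "127.0.0.1"}

# Constructed blocklist excerpt in HOSTS syntax.
SAMPLE_HOSTS = """\
# constructed excerpt, not the real MVPS file
0.0.0.0 content.onerateld.com
0.0.0.0 bsa.safetydownload.com
0.0.0.0 download.cdn.winsoftware.com
"""

# Constructed list of disabled URLs in the post's own hxxp / (dot) style.
SAMPLE_URLS = [
    "hxxp://bsa.safetydownload.com/winpcdoctor.com/WinPCDoctor/setup_en.exe",
    "hxxp://content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe",
    "hxxp://locator.contentsvc(dot)com/sites/winantivirus.com/main/img/en/flash_world_end.swf",
]


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment HOSTS line."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:                      # blank or malformed line
            continue
        ip = parts[0]
        for host in parts[1:]:                  # one IP may list several names
            mapping[host.lower()] = ip
    return mapping


def refang(url):
    """Undo hxxp:// and (dot) defanging so the URL can be parsed (never fetched)."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("(dot)", ".").replace("[.]", ".")


def hostname_of(url):
    return urlsplit(refang(url)).hostname


def blocked_by(hosts_map, url):
    """True if the URL's host is mapped to a block sentinel (Fiddler shows 502)."""
    host = hostname_of(url)
    return host is not None and hosts_map.get(host) in BLOCK_SENTINELS


def report(hosts_text, urls):
    hosts_map = parse_hosts(hosts_text)
    return {url: blocked_by(hosts_map, url) for url in urls}


def group_by_ip(listing_text):
    """Group an '<ip> <hostname>' listing by address to show shared servers."""
    groups = defaultdict(list)
    for host, ip in parse_hosts(listing_text).items():
        groups[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}
```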

As you can see every one of the above products is Rogue/Suspect and all are detected as such ... so let's connect the dots and leave no doubt who LimeLight is dealing with ...

 Innovative Marketing, Inc.(innovativemarketing.com)
 1876 Hutson Street
 Belize City, BZ (aka: cdn.downloadcontrol.com)

 SellMoSoft (anonymbrowser.com)
 1876 Hutson Street
 Belize City, BZ

SetupAHost (locator.contentsvc.com)
Admin 2135 A des Laurentides Blvd., Suite 170
Laval, QC, H7M 4M2, CA (aka: setuphost.vo.llnwd.net)

Back in October I posted some info and the above connection, but I thought it was worth another look ...

Notice the two entries I highlighted in red above - SellMoSoft and Setup a Host ... this is the [choke] secure site that is used to purchase these bogus products. So as you can see this type of activity has been going on for quite a while.

Remember the "locator.contentsvc.com" entry from above? Well back in March, Sandi Hardmeier blogged about flash ads and being redirected to these same type sites ...

hxxp://locator.contentsvc.com/sites/winantivirus.com/main/img/en/flash_world_end.swf

Even ExploitLabs posted similar info about infected ads and the redirects:

"mlb.mlb.com/index.jsp calls to ad.doubleclick.net
ad.doubleclick.net
calls to newbieadguide.com
newbieadguide.com calls to fixthemnow.com - this is where the code comes from
fixthemnow.com calls to bsa.safetydownload.com"
[emphasis mine]

Again this content is being served up by LimeLight's networks ... so I gotta ask "What are you thinking"!!
Hopefully LimeLight, which seems to be a legit company, will sever their ties with Innovative Marketing Group.

Posted by winhelp2002 with 11 comment(s)

Limelight Networks serving up Malware

Landing on the following bogus "Security Center" page the visitor is presented with (typical) bogus scare tactics, etc.

Clicking any link on that page the visitor is redirected (several times) and then lands on this prompt ...

What's interesting is the players involved (WinFixer related) in this scam ...

"SecurityOnPage" is paid a commission to set up the page (supplied by WinFixer) which redirects to "kukkakreck(dot)com" and if you Google that site you'll find thousands of people complaining about being hijacked.

Next is the redirect via "b2adz(dot)com" ... so who is that? Well it resides on the same IP address (190.15.73.254) as many of the other sites that are directly involved with the latest rash of Malware served up via infected ads on quite a few mainstream sites. Sandi Hardmeier (Microsoft MVP) blog has documented quite a history of this ...

Next we land on the "storageprotector(dot)com" page, however the actual download is from "bsa.safetydownload(dot)com" (69.28.159.249) ... now here's where it gets interesting ...

69.28.159.249  download.cdn.winsoftware.com
69.28.159.249  bsa.safetydownload.com
69.28.159.249  software.protectdownloads.com
69.28.159.249  content.onerateld.com
69.28.159.249  cdn.drivecleaner.com

The above are all aliases for "setuphost.vo.llnwd.net" and that IP block is assigned to Limelight Networks ... so why is LimeLight hosting malware files for the WinFixer Group and its clones? And this is nothing new ... if you Google any of the above you'll find thousands and thousands of references to the WinFixer Group and their shady tactics.

Now back to "storageprotector" ... CA Antispyware just last week released the following:

"Installs without informed consent of the user. Runs immediately on installation and shows large number of errors and asks user to register to clean the purported errors. Violates PestPatrol ScoreCard V3.0 item 21 by giving false information to user with the objective of making the user to register by paying money."

McAfee SiteAdvisor states much the same ... now back to the download (setup_en.exe) which is detected as: Downloader.Win32.WinFixer.ba, you can view the VirusTotal results here

Limelight Networks boasts of their (high profile) partners here ... but I fail to see any mention of the WinFixer Group. Perhaps if these "partners" were contacted and informed of the above, I'm sure they would take a dim view of being associated with this type of activity ...

Posted by winhelp2002 with no comments

Bogus Streaming Video Playback Error

I'll say one thing for these culprits ... they sure are inventive with their (bogus) error prompts ...

There are several different culprits involved in this one ...

The download from "somcompany" is detected as: Trojan-Downloader.Win32.Zlob.ext
Which is hosted at Ukrtelegroup Ltd via ESTDOMAINS/PrivacyProtect ... it appears that "Inhoster Hosting" has renamed this IP block recently [85.255.112.0 - 85.255.127.255] to Ukrtelegroup Ltd.

Notice how you are then redirected to "AdvancedCleaner" (another WinFixer clone) ... seems like the WinFixer gang has their hands into everything lately ... Symantec.AdvancedCleaner

Posted by winhelp2002 with 2 comment(s)

Is Spamdexing on the rise?

There has been a lot of media coverage lately on this subject ... while it's (finally) nice to see this problem is getting the attention it deserves ... this is nothing new. Spamdexing has been going on for years ...

"Spamdexing or search engine spamming is the practice of deliberately and dishonestly modifying HTML pages to increase the chance of them being placed close to the beginning of search engine results, or to influence the category to which the page is assigned in a dishonest manner. Many designers of web pages try to get a good ranking in search engines and design their pages accordingly. Spamdexing refers exclusively to practices that are dishonest and mislead search and indexing programs to give a page a ranking it does not deserve." [source]

In a recent article "Google Cleans Up Returns; Yahoo Not So Much" it states: "For instance, on Nov. 29 Benedini searched for the word "giubbotto" (Italian for "jacket") in .info domains and found that nearly all of the sites returned by Yahoo redirect to malware."

So I went to Yahoo and used the search terms defined and sure enough those results are truly infected with malware. What's not mentioned is that the malware (99.9%) was being hosted from the same IP Address ...

While the big search engines may have cleaned up the "search terms" they can do nothing about the Spamdexing itself. These culprits have posted malicious links in Forums, Guest Books, etc ... and as usual these posts are mainly to sites that have not updated their software, making it easy for these culprits to continue with their evil activities ...

There are 437 sites listed on that one IP address, and checking each site shows it turns up in a Google search with about 3500 results ... 437 sites x 3500 results = 1.5 million pages ... ouch!

As you can see they have posted malicious links in many different countries, making this a world-wide problem ... and sadly in most cases these culprits use automated software to make these postings.

Thankfully my Antivirus (NOD32 from eSet) detected all the malicious links and blocked access to them ...

If you look closely you'll see a pattern in the ".js" files ... virtually all the same. Since these sites are hosted in Russia it's doubtful anyone will have much success in getting these sites shut down ...

Posted by winhelp2002 with 1 comment(s)