January 2008 - Posts

How low can Zango go?

It appears there is no depth to which Zango will not sink ... following up on a recent story, "Heath Ledger fans get a dose of malware", which leads off with "The death of actor Heath Ledger has prompted cybercriminals to trick unsuspecting fans into downloading malware"

So I thought I'd Google around and see what I could find ... while researching I ran across the following ...

Look at the Title bar "Free Heath Ledger Nude Videos" ... this is just sick! ... promoting your products on the death of actor Heath Ledger. You people have no class at all! Of course I guess after finding Zango promoting themselves on several Teen Porn sites, [1] [2] no one should really expect much ...

McAfee's SiteAdvisor has the following to say about both sites involved (celebritywar.com) (dnvideos.com)

When we tested this site we found links to zangocash.com, which we found to be a distributor of downloads some people consider adware, spyware or other potentially unwanted programs.

Maybe the CNET article should have been titled "Heath Ledger fans get a dose of Zango"

Posted by winhelp2002 with no comments

Bogus Macromedia Video ActiveX Error

These people sure are inventive ... however there is no such thing as a "Macromedia Video ActiveX Error"

(Image edited for display purposes)

Users that fall for this bogus prompt will get infected by "webmovies-b" (Win32/Statik) that I mentioned in a previous post.

Posted by winhelp2002 with no comments

More bogus Free Celebrities Movies

The following site advertises quite a few "Free Celebrities Movies" ... but that's not what you get ...

(Image edited for display purposes)

As you can see there are several culprits involved ... porntubq(dot)com is detected as: HTML/TrojanClicker.Agent.F
then "64.28.183.26" loads the ActiveX to "helpticket(dot)net" - you can see the VirusTotal results here.

helpticket(dot)net is hosted at: Cernel via ESTDOMAINS/PrivacyProtect (64.28.183.26 = Cernel)

Posted by winhelp2002 with no comments

Another set of nasty Trojans

It appears that the "Rbusiness Network" (aka: IFrame Dollars Group) is back in full swing ... after a short lull while moving their sites to new locations due to heavy media coverage.

Clicking Continue (not recommended) results in the following ...

Notice the detection is not the typical "codec" Zlob/DNSChanger ... below is another example ... same result ...

The "websoft-" and "webmovie-" variants have all been registered (Abdallah Internet) in the last 30 days ... they have spammed thousands and thousands of sites and forums with offers of "Free Adult Movies" ...

Posted by winhelp2002 with no comments

Limelight Networks kicks WinFixer to the curb

It took a while ... but it looks like Limelight finally sent the WinFixer Group packing ...

Back in December I wrote several posts about Limelight hosting malicious content for the WinFixer Group, after which I contacted them and only received a standard reply - "we are looking into it ...".

208.111.129.28  download.cdn.winsoftware.com
208.111.129.28  sec.storageguardsoft.com
208.111.129.28  software.protectdownloads.com
208.111.129.28  setuphost.vo.llnwd.net
208.111.129.28  locator.contentsvc.com

69.28.154.237  bsa.safetydownload.com
69.28.154.237  content.onerateld.com
69.28.154.237  cdn.drivecleaner.com
69.28.154.237  cdn.downloadcontrol.com

The above have all moved locations and "setuphost.vo.llnwd.net" and "locator.contentsvc.com" are now dead ...

The above have moved to the following locations, where they already have an established presence with a host of their other clones:
Euroaccess Belgium [85.12.60.0 - 85.12.60.255]
Leaseweb [85.17.4.0 - 85.17.4.255]

Another notable move is sellmosoft.net, whose malicious redirect ads fellow blogger Sandi Hardmeier has been documenting ... all WinFixer related!

Gfx-cust-worldstream [84.243.252.0 - 84.243.252.255] [84.243.253.0 - 84.243.253.255]
84.243.252.84  adtraff.com
84.243.252.85  burnads.com
84.243.252.88  forceup.com
84.243.252.91  netmediagroup.net
84.243.252.94  traffalo.com
84.243.252.97  uniqads.com
84.243.253.142  secure.sellmosoft.net
84.243.253.143  stats.sellmosoft.net
84.243.253.220  performanceoptimizer.com
84.243.253.220  errorinspector.com
84.243.253.220  errordigger.com

Kaspersky detects as: FraudTool.Win32.Sellmosoft.a. Symantec has the following write-up which includes:

HKEY_CURRENT_USER\Software\Sellmosoft\Performance Optimizer

Innovative Marketing, Inc.
1876 Hutson Street
Belize City, BZ

SellMoSoft
1876 Hutson Street
Belize City, BZ

WebHosts Inc
1876 Hutson Street
Belize City, BZ

SellMoSoft has now changed their address (5 Cornwall Street, Roseau) which shows up in their [choke] secure certificate.

Now if we could get Comodo to stop issuing certificates to these culprits ... seems like another company that failed to do their research before associating themselves with this type of activity ...

Posted by winhelp2002 with no comments

MVPS HOSTS File Update [JAN-20-2008]

The MVPS HOSTS file was recently updated [JAN-20-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (640 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

Beware of fake PornTube sites

Seems the malware creeps are playing on the popularity of "PornTube", an adult version of YouTube ...

Notice the title of the page ... there are quite a few sites using the same title. This one is also a "Google.Warning" site ...

Yikes! ... accessing this site you not only get a typical (bogus) "you need to download ..." prompt, but you get whacked in the background from an embedded page with "VBS/TrojanDownloader.Psyme.Gen trojan".

"3xmaster" is hosted at Upl Telecom S.r.o via ESTDOMAINS/PrivacyProtect. The Trojan.Codec download is from "avsmanufacture(dot)com" which is already included in the HOSTS file.

"avsmanufacture" is hosted at Ukrtelegroup Ltd via ESTDOMAINS/PrivacyProtect
85.255.114.186 = Ukrtelegroup Ltd ... I would suggest adding that IP address to the "Restricted Zone"

Posted by winhelp2002 with 2 comment(s)

Correction to the MVPS HOSTS file

I've uploaded a fresh copy of the HOSTS file after correcting one of the entries ...

Original entry:

www.interactivebrands.com

Corrected entry:

127.0.0.1  www.interactivebrands.com

Not really that critical, but I wanted to advise anyone that happened to notice ...

Posted by winhelp2002 with 4 comment(s)
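As an added example (not code from the MVPS project), a small Python checker for HOSTS-file syntax that catches exactly the kind of entry the correction above fixed, a hostname line missing its 127.0.0.1 prefix, and can prepend the blocking address; the sample file is constructed, and the `.test` hostnames are placeholders.

```python
import ipaddress
import re

# Constructed sample in the MVPS HOSTS layout (not the real file): line 3 is a
# bare hostname with no 127.0.0.1 prefix, the defect the correction post fixed.
SAMPLE_HOSTS = """\
127.0.0.1  localhost
127.0.0.1  www.interactivebrands.com
www.example-broken.test
127.0.0.1  zangocash.test   # trailing comments are allowed
999.1.1.1  bad-address.test
0.0.0.0  avsmanufacture.test
"""
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")

def is_hostname(tok):
    # RFC 1123 style labels; an all-numeric dotted token is an address, not a name
    return bool(HOSTNAME_RE.match(tok)) and not tok.replace(".", "").isdigit()

def parse_hosts(text):
    """Return (entries, problems): entries are (ip, [hostnames]), problems (line_no, reason, raw)."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comment, tokenize
        if not fields:
            continue                               # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            bare = len(fields) == 1 and is_hostname(fields[0])
            problems.append((n, "bare hostname, missing address" if bare
                             else "invalid address", raw))
            continue
        if len(fields) < 2 or not all(is_hostname(h) for h in fields[1:]):
            problems.append((n, "missing or invalid hostname", raw))
        elif not (ip.is_loopback or ip.is_unspecified):
            problems.append((n, "blocking entry not pointed at loopback/0.0.0.0", raw))
        else:
            entries.append((str(ip), fields[1:]))
    return entries, problems

def fix_bare_hostnames(text, address="127.0.0.1"):
    """Prefix lone-hostname lines with a blocking address, as the correction did."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        fixed = len(fields) == 1 and is_hostname(fields[0])
        out.append(f"{address}  {raw.strip()}" if fixed else raw)
    return "\n".join(out) + "\n"
```

Run `parse_hosts` over a freshly downloaded hosts.txt before installing it; a bare-hostname line is silently ignored by the resolver, so the site it was meant to block stays reachable.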

MVPS HOSTS File Update 01-03-08

The MVPS HOSTS file was recently updated [01-03-08]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (640 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with 2 comment(s)