February 2008 - Posts

PC SuperCharger's bogus online scan/scam

Here is yet another bogus online scanner from the WinFixer clone family ...

Notice that the Cancel button is grayed out ... also notice that Windows Vista/IE7 has blocked the install of the ".cab" file and asks the user whether they trust the website ... no, I don't think so!

It's sad to see yet another Rogue program using "UserTrust with Site Seal from Comodo™" ... I have been in contact with Comodo about several other WinFixer clones, hoping that they would refuse to do business with all these culprits ... guess I'll have to contact them again ...

Both "pcsupercharger" and "bizadverts" are hosted at "Secure Hosting" (190.15.73.254), which is home to a huge amount of the WinFixer clones ... sadly not much you can do about servers running in Honduras ... and worse yet is the fact that none of the AV scanners at VirusTotal detect "FreeInstallPCSuperCharger.exe"

Posted by winhelp2002 with 1 comment(s)

Beware of bogus Flash Player prompts

Landing on the following site the visitor is prompted with the following bogus prompt ...

Folks, there is no such "Flash Player" prompt ... this is just another ploy to get the viewer to believe they need some kind of additional files to view the movie. However, in this case you don't even need to click any of the usual buttons; this site attempts to automatically download the infection.

As you can see, NOD32 detects this culprit, blocks the connection and prevents the download. Win32/Statik is the description NOD32 has chosen for Trojan.Codec/Zlob

"mynudenetwork" is hosted at Intercage via ESTDOMAINS/PrivacyProtect

Be careful out there ... I'm seeing a huge increase in Codec/Zlob related sites lately ... now you may wonder why I harp on these Codec infections so much? ... well as you can see below, the Microsoft Top 10 MSRT Detections lists the first 6 as Zlob related ... that's scary!

MSRT (Malicious Software Removal Tool) is the brief scan that runs during Windows Update, so this utility gives a pretty good indication of the state of the machines it scans - 6 out of 10 = Zlob!

Posted by winhelp2002 with no comments

Another bogus Online Scanner

Landing on the following site the visitor is presented with what looks like an online scan ...

"Online Security Scanner requires ActiveX controls to repair your computer."  yeah right!

My AV (NOD32) detects the download (webinst.cab) as: Win32/TrojanDownloader.Agent.NUS

Other related entries ...

scanner.malwarealarm(dot)com
scanner.malwarealarms(dot)com
scanner.malware-scan(dot)com
scanner2.malware-scan(dot)com
scanner.shredder-scanner(dot)com
scanner.spyshredderscanner(dot)com
scanner.spyshredder-scanner(dot)com
scanner.xmalwarealarm(dot)com
scanner.xmalware-scan(dot)com

xscanner.malwarealarm(dot)com
xscanner.shredder-scanner(dot)com
xscanner.spyshredderscanner(dot)com
xscanner.spyshredder-scanner(dot)com
xscanner.xmalwarealarm(dot)com

They all use basically the same scam to try to trick the user into thinking they are infected ... well, you will be if you allow them to install anything on your machine ... also notice the WinFixer clone (advancedcleaner) - blocked entry in red ...

Posted by winhelp2002 with no comments

Benedelman exposes CNetmedia shady practices

Benjamin Edelman just released an interesting article "Critiquing C-NetMedia's Anti-Spyware Offerings and Advertising Practices" in which he exposes CNetmedia's shady practices. These Rogue Products are popping up everywhere, and with little detection by the major vendors.

AdwarePro2 is detected by both eTrust and Symantec, while Kaspersky detects antispywarebot.com as: FraudTool.Win32.Antispyware.c ... RegClean2Sqr is detected by both SecurityLab and EmsiSoft

These are just a few example download locations from the CNetmedia / 2Squared Group
209.85.65.52  download.spywareremover.com
209.85.65.52  download.spywarebot.com
209.85.65.52  download.regsweep.com
209.85.65.52  download.regrecall.com
209.85.65.52  download.registrysmart.com
209.85.65.52  download.registryclear.com
209.85.65.52  download.registrybot.com
209.85.65.52  download.regclean.com
209.85.65.52  download.malwarebot.com
209.85.65.52  download.macrovirus.com
209.85.65.52  download.evidenceeraser.com
209.85.65.52  download.errorsweeper.com
209.85.65.52  download.errorsmart.com
209.85.65.52  download.errorkiller.com
209.85.65.52  download.antispywarebot.com
209.85.65.52  download.antispyware.com
209.85.65.52  download.adwarealert.com

There were quite a few entries already listed in the HOSTS file, however in light of this latest review and several others I have elected to add all the other known entries. This is covered in the "Criteria for Detection" which states:

"A software program or website including any other Web sites or domains owned, maintained or affiliated with, that are detected by an but not limited to any Antivirus or Anti-Spyware type program or mentioned in their Database"

Posted by winhelp2002 with 2 comment(s)

Oh what a malicious site

Landing on the following site ... it will try to load several exploits, then a Rogue Antispyware program, and if that's not enough it then tries to infect you with a "Codec" ... shew!

NOD32 blocks the connection to the codec site and displays the following:

The list of sites involved are below ... the entries in red are already blocked by the HOSTS file ...

Posted by winhelp2002 with no comments

MVPS HOSTS File Update [FEB-09-2008]


The MVPS HOSTS file was recently updated [FEB-09-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (148 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (647 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

FYI: HostsXpert was recently updated and works great in XP and now Windows VISTA. This is a great little program for maintaining and updating the HOSTS file. Remember ... when updating the HOSTS file make sure to use the Replace option, rather than Merge [screenshot]
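Why "Replace" rather than "Merge" matters in practice, as an added example (not code from HostsXpert or the MVPS project): a small script that rebuilds a HOSTS file from a new copy of a block list. With replace semantics, every entry from the previous copy of the list goes away and only the new copy is written back, while the user's own lines (localhost, intranet names) survive; with merge semantics, entries the list maintainer has since dropped linger forever. The marker lines, file contents and hostnames below are constructed samples, not the real MVPS banner text; the duplicate line in the sample list mirrors the repeated scanner entry in the post above and shows that de-duplication is part of the job.

```python
import re

# Assumed marker lines delimiting the managed block inside the user's HOSTS
# file; the real MVPS file's banner text may differ.
START_MARK = "# Start of entries generated by MVPS HOSTS File"
END_MARK = "# End of entries generated by MVPS HOSTS File"

# "ip  hostname", optionally followed by a comment
ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")


def parse_entries(lines):
    """Turn HOSTS lines into (ip, hostname) tuples, skipping comments and blanks."""
    out = []
    for line in lines:
        body = line.split("#", 1)[0]
        m = ENTRY_RE.match(body)
        if m:
            out.append((m.group(1), m.group(2).lower()))
    return out


def split_hosts(text):
    """Split a HOSTS file into the user's own lines (kept verbatim) and the
    parsed entries of the managed block between START_MARK and END_MARK."""
    user, block, inside = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == START_MARK:
            inside = True
        elif stripped == END_MARK:
            inside = False
        elif inside:
            block.append(line)
        else:
            user.append(line)
    return user, parse_entries(block)


def dedupe(entries):
    """Drop repeated (ip, hostname) pairs, keeping first-seen order."""
    seen, out = set(), []
    for entry in entries:
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def apply_update(current_text, new_list_text, mode="replace"):
    """Rebuild the HOSTS file with the new list.  'replace' discards the old
    managed block entirely; 'merge' unions old and new, so entries the list
    maintainer has dropped (false positives, reassigned domains) linger."""
    user, old_block = split_hosts(current_text)
    new_entries = dedupe(parse_entries(new_list_text.splitlines()))
    if mode == "replace":
        block = new_entries
    elif mode == "merge":
        block = dedupe(old_block + new_entries)
    else:
        raise ValueError(f"unknown mode: {mode}")
    lines = list(user) + [START_MARK]
    lines += [f"{ip}  {host}" for ip, host in block]
    lines.append(END_MARK)
    return "\n".join(lines) + "\n"


def listed_hosts(text):
    """Set of every hostname the file carries an entry for."""
    return {host for _ip, host in parse_entries(text.splitlines())}


# Constructed sample: the user's current file, with a custom entry and a
# previous copy of the list that still carries an entry later delisted.
CURRENT = """\
127.0.0.1  localhost
127.0.0.1  intranet.corp.example   # user's own entry, must survive
# Start of entries generated by MVPS HOSTS File
127.0.0.1  om.symantec.com
127.0.0.1  delisted.example        # no longer in the new version of the list
# End of entries generated by MVPS HOSTS File
"""

# Constructed sample of the new list (with a duplicate line on purpose).
NEW_LIST = """\
# block list updated [FEB-09-2008]
127.0.0.1  om.symantec.com
127.0.0.1  tc.symantec.com
127.0.0.1  scanner.shredder-scanner.com
127.0.0.1  scanner.shredder-scanner.com
"""

if __name__ == "__main__":
    print(apply_update(CURRENT, NEW_LIST, "replace"))
```

Running it prints the rebuilt file: the two user lines on top, then a single managed block holding exactly the three distinct hostnames of the new list. Swap in "merge" and delisted.example comes back, which is the stale-entry problem the Replace option avoids.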

Posted by winhelp2002 with no comments

Top 11 Malware Threats To Watch Out For

I found several quotes from the article "Top 11 Malware Threats To Watch Out For" worth repeating ...

 "In 2008, we'll need the word because online advertising will become a major security problem. Indeed it is already: about 80% of malicious code online comes from online ads, according to the Q1 2007 Web Trends Security Report"

For the naysayers that state it isn't right to block advertising ... let's repeat that quote:
... 80% of malicious code online comes from online ads ...

It seems like almost every day you read another item reporting malicious ads here and malicious ads there ... yet no one seems to take responsibility. I have yet to see one of these legit sites that have served up malicious content offer any kind of help to the infected end-user.

These sites need to step up and accept the fact that content on their site that infects a visitor is ultimately their responsibility and they must offer the infected user some relief ... hell they don't even post a link to an online AV scanner.

Analogy time ... when your identity gets stolen, in most cases now the affected user is at least offered a credit monitoring program. So where is the same type of offer for visitors to an infected web site?

Case in point ... a short while back BestBuy sold some Insignia Digital Picture Frames that were infected ... but there was no offer to clean the machines affected, even though most BestBuy stores have their own inhouse PC repair shops.

"sneaky cookies, or subdomain cookies if you prefer something less pejorative, look like they're coming from the Web domain of the site visited, but the subdomain they come from -- subdomain.domain.com, for example -- is set to point to a third-party server. The reason this is done is to avoid being blocked by users who have their Web browsers set to reject cookies from third-party sites."

Just to show you a few examples ... these are all aliases for Omniture (2o7.net)

127.0.0.1  om.businessweek.com
127.0.0.1  om.dowjoneson.com
127.0.0.1  om.expedia.com
127.0.0.1  om.philly.com
127.0.0.1  om.pokerlistings.com
127.0.0.1  om.sfgate.com
127.0.0.1  om.symantec.com
127.0.0.1  tc.symantec.com
127.0.0.1  om.usnews.com

And yes I took a lot of heat for the Symantec entries, but I used them to prove a point ... that even legit companies use these sneaky tactics to extract information from their visitors ...
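How such aliases can be spotted, as an added example (not code from the blog or from Omniture): a subdomain like om.symantec.com looks first-party by name, but its DNS answer is a CNAME that leaves the site's own registrable domain. Following the CNAME chain and comparing the registrable domain of the final target with that of the visited site flags exactly the "sneaky cookie" case, and the flagged names can be written straight out as HOSTS entries in the form used above. The CNAME map below is a constructed, offline stand-in for live DNS answers (the real targets can be checked with `nslookup om.symantec.com`), and the tiny public-suffix table is an assumption standing in for the full Public Suffix List.

```python
# Multi-label public suffixes where the registrable domain is three labels
# long.  Assumption: a handful of entries instead of the full Public Suffix
# List, which is what production code should consult.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the owner-level domain of a hostname (example.com, example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def resolve_chain(host, cname_map, max_hops=8):
    """Follow CNAME records in cname_map and return [host, alias1, ..., final].
    Stops on a loop or after max_hops so a malicious zone cannot spin us."""
    chain = [host.lower()]
    while chain[-1] in cname_map and len(chain) <= max_hops:
        nxt = cname_map[chain[-1]].lower()
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def third_party_alias(host, cname_map):
    """Return the third-party registrable domain the name ultimately points
    at, or None when the whole chain stays inside the site's own domain."""
    chain = resolve_chain(host, cname_map)
    final = registrable_domain(chain[-1])
    return final if final != registrable_domain(host) else None


def hosts_entries(hostnames, cname_map, sinkhole="127.0.0.1"):
    """HOSTS-file lines for every name that aliases off-domain."""
    return [f"{sinkhole}  {h}" for h in hostnames if third_party_alias(h, cname_map)]


# Constructed CNAME answers (illustrative; not captured from live DNS).
CNAMES = {
    "om.symantec.com": "symantec.122.2o7.net",   # tracker hidden behind the site's own name
    "om.sfgate.com": "sfgate.112.2o7.net",
    "static.sfgate.com": "sfgate.example-cdn.net",  # a CDN alias trips the same check
}

if __name__ == "__main__":
    for name in ["om.symantec.com", "mail.symantec.com", "om.sfgate.com", "static.sfgate.com"]:
        print(name, "->", " -> ".join(resolve_chain(name, CNAMES)),
              "| third party:", third_party_alias(name, CNAMES))
    print("\n".join(hosts_entries(CNAMES, CNAMES)))
```

The caveat the static.sfgate.com entry illustrates: a CNAME off-domain is necessary but not sufficient evidence of tracking, because content-delivery networks are wired the same way. Blocking every off-domain alias would break images and scripts, so the check is a candidate list for review, and a name goes into the HOSTS file only once the target is known to be a tracker such as 2o7.net.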

Posted by winhelp2002 with no comments