March 2008 - Posts

Spamdexing and another YouTube look-alike

A little background ... I have this blog set to "Approve" most content that is added via the "Comments" link. Now I usually get a few Spam entries that I simply ignore ... but this one caught my eye and I thought I'd follow the link posted to see where it went ...

Notice the content posted at the bottom of the above page? ... it's a quote from one of my posts the other day "Beware of YouTube look-alikes" ... however clicking on any of the images just above that leads to "reportblogsite(dot)com" ... even the page layout and design is the same ... strange ...

Image edited for display purposes.

Which looks like a typical blog type site ... except if you click any of the images on the page which leads to ...

Imagine that! ... another YouTube look-alike with the same old bogus (Trojan.Codec/Zlob) prompt ... the download "setup_axplugin.exe" from "axvideoplay(dot)com" is not very well detected [VirusTotal results]

Then just this morning I get another Spamdexing comment ... waiting for Approval ... same page layout and design as the others ... well isn't that special! ... and you guessed it ... clicking any of the innocent looking images leads to "youutubee(dot)com". Matter of fact, the images are actually being drawn from Metacafe, a safe YouTube-type site ...

Needless to say all these culprits will be added to the next HOSTS file update ...
reportblogsite(dot)com and reachnewsworld(dot)com are both hosted at Intercage [69.50.160.0 - 69.50.191.255]
axvideoplay(dot)com and axvideoplugin(dot)com are both hosted at Layered Technologies, which is fast becoming a new haven for the Trojan.Codec gang ... as evidenced in my last post ...

Posted by winhelp2002 with 3 comment(s)

Watch out for the coordinated attack

Landing on the following site not only gets you a Codec/Zlob prompt, but my AV (NOD32 v3) jumps up and announces there is also an IFrame attack (JS/TrojanDownloader.Psyme.AAW) from several sites ...

Although unusual for several exploits to be on the same (Codec) site ... it's nothing new ... as you can see below you get redirected several times and are attacked from several sources ... thankfully several are already blocked (entries in red) by the HOSTS file, and NOD32 killed the connection (zero bytes) to the site displayed above ...

As you can see below there is quite a cast of characters involved ... although these sites are hosted on several different IP blocks ... they are all related ... the download is actually from "thehotcodeczz(dot)com" which was only registered 18-Mar-2008

So what happened to my machine? ... absolutely nothing! Just goes to show you that the majority of these types of attacks cannot get past the defenses of Windows Vista SP1 ...

Posted by winhelp2002 with 1 comment(s)

Follow-up on Comodo and XpAntivirus2008

The other day I reported that Comodo had revoked all certificates issued to WinFixer/SetupAHost ... as you can see below this is the report IE displays when the error occurs ... kudos to Comodo! ... Sandi has another example here

Now to follow-up on XpAntivirus2008 that I wrote about ... looks like they have been busy registering more sites, but using the exact same fake scanner results ...

Bharath's Security Blog has more details on the additional sites involved ...
Creation Date: 20-Mar-2008
xpantivirussite(dot)com

Creation Date: 18-Mar-2008
xponlinescanner(dot)com

Posted by winhelp2002 with no comments

Comodo kicks SetupAHost to the curb

Good news gang ... I was informed by Comodo that they have revoked all certificates issued to WinFixer/SetUpAHost ... I know it's only a small victory but it causes them to look elsewhere, and I'm sure it won't take them long to establish another bogus setup ...

In other related news ... remember how long it took to get ValueClick to drop its association with WinFixer/SetupAHost?
Well it seems yesterday was a really bad day for ValueClick!

The FTC on Monday fined online advertiser ValueClick $2.9 million for sponsoring deceptive online advertisements, and not adequately securing customers' personal information ... [report here]

And then on the same day ... "eBay dumps ValueClick" in favor of its own in-house advertising ... ouch!

While the $2.9 million fine may not mean much to the company, combined with the above and another report that states ...

"The ValueClick stock hit its 52 week high of 36.70 in May and set its 52 week low of 16.31 today" ... wow!!! think about that if you were a stockholder ...

Posted by winhelp2002 with 2 comment(s)

Beware of YouTube look-alikes

Following up on an email tip from John who states "while reading comments on digg.com I came across this site"
Well sure enough it looks like Digg is the latest recipient of malicious Spamdexing ...

Although the text states "Real video on YouTube" ... look closely at the link ... which is not YouTube but clearly geared towards users who click too quickly and then end up infecting themselves ...

How many times have we seen this bogus prompt? ... however it seems that still too many people fall for these tactics and end up with a Codec/Zlob infection ... think about it, if so many people wouldn't fall for this, all these type sites would give up and try another method ...

Notice the last entry is "0" bytes ... my AV (NOD32 v3) sniffed this out and blocked the download = "Win32/Statik"

Posted by winhelp2002 with 1 comment(s)

Another new Codec site

Following up on an email tip from Kathi H ... we land on the following ...

"Your Player is inactive" ??? what in the world kind of message is that? ... surely you can think up a better one than that ...

As you can see there are several culprits involved ... the download is not very well detected ... VirusTotal results here ...
"Widget-porn" was already included in the HOSTS file and the others will be included in the next update ...

Posted by winhelp2002 with no comments

Another WinFixer clone using Comodo

Landing on the site below, the visitor is presented with yet another fake scan from a known Rogue product ...
Symantec describes this as "The program reports false or exaggerated system security threats on the computer"


When I clicked the link to [sic] purchase the product ... as you can see this is another "WinFixer/SetupAHost" clone using a Comodo certificate.

I have contacted Comodo several times in the past and they have been very prompt in shutting down these accounts ... although I wish they would just search their records and cancel everything issued in the name of SetupAHost. It's pretty obvious by now that everything issued to SetupAHost is a Rogue program designed to do nothing more than rip off the public ... and who knows what they will do with your personal information once submitted via their website ...

Update Mar 16: After contacting Comodo ... "this account is now closed" ... kudos!

Posted by winhelp2002 with 1 comment(s)

MVPS HOSTS File Update [MAR-09-2008]

The MVPS HOSTS file was recently updated [MAR-09-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (151 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (661 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

ZDNet Asia and TorrentReactor Compromised

Looks like both sites have been compromised by a malicious IFrame ... [details here] what happens is you get redirected to yet another Rogue Antispyware (xpantivirus2008)

Naturally these are bogus results since no scan really occurred ... however this is a new avenue of attack and hopefully these compromised sites will get things cleaned up shortly ...

What I found interesting is that visiting the "xpantivirus2008" home page offers a link to [sic] purchase their product, however this redirects to "secure.xp-antivirus(dot)com". Which is yet another Rogue.Antispyware ...

In related news ... we find this ...

"We’ve gotten some reports that visitors to our homepage are being prompted to download an executable file called XPantiVirus. We’ve also observed this ourselves.

We have disabled banner ads on blip until we get to the bottom of this. We use a third-party banner advertising network that has an excellent reputation and has been good to us, but it looks like something may have slipped through their filters. We will keep banner ads disabled on blip until we are certain that this situation is resolved.

UPDATE: We believe we’ve located the offending advertiser and resolved the situation."

Notice that there is no responsibility here? ... not even a mention of a link where (blip.tv) visitors should go to get their machines scanned for a possible malicious infection.

I predict it won't take long before someone files a lawsuit against these sites for failure to keep their software updated, and not offering visitors some kind of proper advice on what they should do in the event they get infected ...

Posted by winhelp2002 with 2 comment(s)