April 2008 - Posts

Yet another LocusSoftware connection with ipsCA

Here is yet another example of LocusSoftware foisting their bogus products upon the public with the help of "ipsCA" ...

If you click the "Try free" button ... my AV (NOD32 v3) pops up with the following alert (and kills the connection):

However I am still able via Microsoft Fiddler to capture the traffic connections, including when you attempt to purchase via the "Buy now" button above ... you can see the redirection to their "payment" site and the certificate issued by "ipsCA"

Just so there is no confusion about the connection between LocusSoftware and the payment site ... all you have to do is Google and there it is ...

Another interesting connection is that "antimalwareguard" is registered to "Serg Moon", whom Sandi Hardmeier has identified several times as being behind the rash of malicious advertisements on legit websites ... it really makes you wonder if these "Certificate Issuers" even bother to investigate who they are dealing with ... apparently ipsCA doesn't!

I also found the same payment site being used by "IEAntiVirus" and several others ...

Posted by winhelp2002 with no comments

Another bogus Windows Media Player prompt

Landing on the following site the visitor is prompted with a bogus Media Player prompt ...

The image is designed to look like a real Windows Media Player ... and as you can see IE7 blocked the automatic download of the file ... then you see the fake prompt "You need to download new version Video ActiveX object" ... now as I've mentioned many times before there is no such thing ...

The download (XXXmediaCodec.exe) was scanned at VirusTotal (Result: 18/32 (56.25%)) full results here
"getadultaccess" is hosted at Ukrtelegroup Ltd (85.255.112.0 - 85.255.127.255)

Posted by winhelp2002 with no comments

MVPS HOSTS File Update April-22-2008


The MVPS HOSTS file was recently updated [April-22-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (154 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (668 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm
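The note above points at the plain-text version of the HOSTS file as a way to spot "possible culprits" among the hosts a machine talks to. The script below is an added example (not code from the MVPS HOSTS project) of exactly that workflow: it parses HOSTS-format lines, keeps only the block entries (lines that point a hostname at a sink address such as 127.0.0.1 or 0.0.0.0), and then triages a list of hostnames seen in captured traffic against them. The sample HOSTS lines and the sample traffic hostnames are constructed for illustration; the function names are my own. It also flags the one thing a HOSTS file cannot do: a listed domain does not block its subdomains, because HOSTS matching is exact, so such hits are reported separately rather than assumed blocked.

```python
"""Check hostnames seen in captured traffic against a HOSTS-format blocklist.

Added example, not code from the MVPS HOSTS project. SAMPLE_HOSTS and the
sample traffic hostnames in main() are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, Set

# Constructed sample in the usual HOSTS layout: address, hostname, optional '#' comment.
SAMPLE_HOSTS = """\
# comment lines are ignored
127.0.0.1  localhost
0.0.0.0  ads.example-tracker.net       # [constructed ad tracker]
0.0.0.0  payment.example-rogue.com     # [constructed rogue AV payment site]
127.0.0.1  www.example-adware.org
192.0.2.10  intranet.example           # a real mapping, not a block entry
"""

# Addresses that HOSTS-based blocklists use as a sink (both 127.0.0.1 and 0.0.0.0 occur).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Set[str]:
    """Return the set of hostnames the HOSTS text sinks, lower-cased, without trailing dots."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # no hostname on this line
        addr = parts[0]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                          # malformed address, skip the line
        if addr not in SINK_ADDRESSES:
            continue                          # a genuine name->IP mapping, not a block
        for host in parts[1:]:                # one line may list several hostnames
            host = host.lower().rstrip(".")
            if host == "localhost":
                continue                      # the loopback entry is not a block
            blocked.add(host)
    return blocked


def match_host(host: str, blocked: Set[str]) -> str:
    """Classify one hostname: listed exactly, only a parent listed, or not listed."""
    host = host.lower().rstrip(".")
    if host in blocked:
        return "listed"
    labels = host.split(".")
    # Walk up the parents but stop before the bare TLD.
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in blocked:
            # HOSTS matching is exact, so this subdomain is NOT blocked by the file.
            return f"parent listed ({parent}); not blocked by HOSTS"
    return "not listed"


def triage(seen: Iterable[str], blocked: Set[str]) -> Dict[str, str]:
    """Map each observed hostname to its classification."""
    return {h: match_host(h, blocked) for h in seen}


if __name__ == "__main__":
    # Constructed hostnames standing in for what a proxy capture would show.
    observed = [
        "ads.example-tracker.net",
        "cdn.ads.example-tracker.net",
        "PAYMENT.example-rogue.com.",
        "www.example.com",
    ]
    for host, verdict in triage(observed, parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{host:32} {verdict}")
```

To use it against the real file, read hosts.txt into `parse_hosts` and feed it the hostnames exported from your proxy session; anything reported as "parent listed" is worth a second look precisely because the HOSTS file will not stop it.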

Posted by winhelp2002 with 2 comment(s)

Another Rogue Antispyware product from the Pandora Software group

Following up on an article from our friends at BleepingComputer "How to remove Malware Bell" we find:

"Malware Bell is a rogue anti-spyware from the same developers as IE Defender and Files Secure. Malware Bell is installed and advertised through the use of Trojans that are installed as Internet Explorer Browser Helper Objects."

These people are so lame they can't even write their own detections ... (highlighted in red) it's actually from McAfee ...

As you can see there are several redirects when you [choke] attempt to purchase their bogus product ... the sad part is here is another example of "ipsCA" issuing certificates to known bogus products ...

I found the exact same thing with "VirusIsolator" which Symantec detects and describes as:
"The program reports false or exaggerated system security threats on the computer."

So I have to ask ... ipsCA what are you thinking!

"installed and advertised through the use of Trojans" ... "reports false or exaggerated system security threats"

Yes I did contact ipsCA previously and all I got back was an automated reply with a "Support:276800" ...

Posted by winhelp2002 with no comments

Another malicious Movie site

Landing on the following site ... the typical layout of clickable images is displayed with the following message

"Video is protected by unique technology PriveContent" ... well that's something new ...

Image edited for display purposes

If you click the "Enable video now" you are redirected to a download that is detected as "Trojan.Fake.GoogleBar"
or directly accessing the site of the download you see a similar message ...

If you read the text in the above prompt it's laughable ... "you will receive 98 dollars" ... yeah right! all you get is an infected computer. VirusTotal results here ... SunBelt technical results here ...

From their EULA: "You grant PC permission to add/remove features and/or functions to the existing software and/or service, or to install new applications from PC, third parties or any other application, at any time, in our sole discretion, with or without your knowledge and/or interaction."

Now if the above statement doesn't alert you that you will be infected I don't know what does ...

Posted by winhelp2002 with no comments

Another Rogue product from LocusSoftware

Following up on a post from Sandi who is reporting yet another malicious advertisement (.swf) that redirects several times until you land on one of many rogue Antispyware products from LocusSoftware ...

When you click the Download button you are routed to a "secure" page where you are prompted to purchase their (bogus) product ... as I predicted before, once Comodo revoked their certificates from the WinFixer/SetUpAHost (LocusSoftware) group ...

"Good news gang ... I was informed by Comodo that they have revoked all certificates issued to the WinFixer/SetUpAHost ... I know it's only a small victory but it causes them to look elsewhere, and I'm sure it won't take them long to establish another bogus setup ..."

Looks like they switched to "ipsCA" for their certificates ... (highlighted in blue)

What's scary about this connection is ipsCA is a certificate issuer via Microsoft ... from the info on their site ...

Image edited for display purposes.

I'll be contacting the involved parties to see if they will revoke these certificates as well ...

Posted by winhelp2002 with 1 comment(s)

Is PCSecurityShield still a Rogue Antispyware company?

Donna's SecurityFlash pointed out that there is quite a storm over the discovery that Comodo has licensed their firewall engine to PCSecurityShield ... once considered to be promoting Rogue/Suspect Antispyware products ...

Seems PCSecurityShield has turned around their business model and is now rebranding several Security related products. This excerpt is from Download.com (Company Profile) ...

"PCSecurityShield is a 3 year old internet security company that licenses various technologies and provides consumers with products to insure safe web activities. PCSecurityShield partners with many top worldwide technology companies to bring internet protection to the average consumer while providing superior, free customer service."

Some of the products they now rebrand:

The Shield Firewall - engine licensed from Comodo
Spyware 24x7 - engine licensed from Lavasoft
The Shield Deluxe 2008 6.0.2.621 - engine licensed from Kaspersky
Security Shield 2008 - engine licensed from F-Secure

While I would not recommend any of these products, they certainly can no longer be considered Rogue products ... with that in mind I have decided to remove the related entries from the HOSTS file and this will reflect in the next update.

Posted by winhelp2002 with 2 comment(s)

Zango Alleges Kaspersky Is Badware Itself

Well ... here we go again ... MediaPost is reporting that Zango is again going after Kaspersky. Zango lost round 1 in court and they are not happy with the decision. In their latest filing (link to .pdf here) they state the Court was wrong and that Kaspersky is actually Badware (as defined by StopBadware.org) ... now that's a real stretch!

Then Zango goes on to describe Kaspersky as "Scareware" ... imagine that! This should get real interesting when Kaspersky responds ... "Microsoft Malware Protection Center" reports Zango/Hotbar ranks 3 of the Top 10 ...

I guess we can tell who is the real "Badware" here ... sounds like it's time for another Benjamin Edelman report ... which found that Zango was in violation of the FTC agreement ...

Posted by winhelp2002 with 1 comment(s)

Vomba Acquires Adware Company WhenU

MediaPost is reporting that Vomba has acquired WhenU ... Who is Vomba? They are a division of "Gamma Entertainment"

Just so there is no confusion about "who-is-who" ... and where they are located:

 Vomba Network
 3300 Cote-Vertu, Suite 406
 Montreal, QC H4R 2B7

 WHENU.COM
 3300 Cote-Vertu, Suite 406
 Montreal, QC H4R 2B7

 Surfing accuracy
 3300 Cote-Vertu Suite 406
 Montreal, Quebec H4R 2B7

 Media Traffic Agency Inc
 3300 Cote-Vertu Suite 406
 Montreal, Quebec H4R 2B7

 Integrated Search Technologies
 3300 Cote-Vertu Suite 410
 Montreal, Quebec H4R 2B7

 Gamma Entertainment Inc
 3300 Cote-Vertu Suite 406
 Montreal, Quebec H4R 2B7

[Gamma Entertainment][66.152.92.0 - 66.152.92.255]

[Gamma Networking via Integrated Search Technologies][66.152.93.0 - 66.152.93.127]

[Gamma Networking via Marketing Engines][66.152.85.0 - 66.152.85.255]

[Gamma Networking via Surfaccuracy][66.152.93.128 - 66.152.93.255]

The "adware" community has been relatively quiet lately, however I suspect we are about to see a new rash of adware applications involving all of the above ...

Posted by winhelp2002 with 1 comment(s)

MVPS HOSTS File Update April-01-2008


The MVPS HOSTS file was recently updated [April-01-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (154 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (670 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with 1 comment(s)