August 2008 - Posts

Symantec LiveUpdate Security Warning revisited

I've blogged about this several times ... [here] [here] ... however, as I am frequently asked about this (false) prompt (mostly by new MVPS HOSTS users), I thought I would address it again ... especially after seeing a response from one of the (very) uninformed commenters on the Symantec Forum ...

"I did not read in detail the links you provided, so this may not directly answer your question, but it may help you understand what is happening here."

Then why bother ... if you are not going to "read in detail the links" ...

And then goes on to say:

"So in your case what has happened is that a piece of malware has modified your HOSTS file to include entries for 'tc.symantec.com' and 'om.symantec.com'." ... talk about misinformed ... duh!

If you had bothered to read the links, you would not (hopefully) have made such a truly false statement.
Here is a typical prompt Symantec users see ...

If Symantec users click the drop-down arrow there is an option for:
"Leave the entry in the hosts file (do not warn me about them later)" (then this is no longer an issue ...)

Let me be very clear ... these are NOT Symantec servers ... although Symantec disguises them as such by giving them names under symantec.com ... both are 3rd-party tracking entries from Omniture (a web analytics company) ... and blocking them does NOT prevent Symantec products from updating themselves ...

As you can see, "om.symantec.com" is actually a DNS alias (CNAME) for "symanteccom.112.2o7.net", and the IP addresses it resolves to are all controlled by Omniture.

Even when you run a traceroute you can see above where it ends ... below is just a partial list of the Omniture entries and their IP addresses ... which shows that some sites use the "2o7.net" name directly, while others, as in the case of Symantec, hide the tracker behind an alias in their own domain ...

Note: it appears that Symantec is no longer using "tc.symantec.com" on their site ... most likely after I exposed this issue last time ... where they were using the Privacy policy of a 3rd party (Omniture) and not their own. So this entry will be removed from the HOSTS file and the change will show up in the next update ...
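To make the above check something you can repeat yourself, here is a small script (added for this post, not part of the original entry or of the MVPS HOSTS file) that parses HOSTS-file lines and follows DNS CNAME aliases to show what a flagged name really is. The HOSTS excerpt and the CNAME answers are constructed; only the om.symantec.com to symanteccom.112.2o7.net alias and the 2o7.net (Omniture) domain come from the post, and liveupdate.symantec.com is assumed here to be Symantec's own update host with no tracker alias. On a real machine you would fill the CNAME table from "nslookup" output instead.

```python
# Added example (not from the original post): parse HOSTS-file lines and follow
# DNS CNAME aliases to show what a blocked name really is. The CNAME data is
# constructed; only the om.symantec.com -> symanteccom.112.2o7.net alias and the
# 2o7.net (Omniture) domain come from the post. liveupdate.symantec.com is
# assumed here to be Symantec's own update host with no tracker alias.

# Constructed excerpt in the MVPS HOSTS file's "0.0.0.0 hostname" style.
SAMPLE_HOSTS = """\
# constructed excerpt
127.0.0.1 localhost
0.0.0.0 om.symantec.com
0.0.0.0 tc.symantec.com   # both names are Omniture aliases
0.0.0.0 symanteccom.112.2o7.net
"""

# Constructed CNAME answers, as "nslookup <name>" would report them.
SAMPLE_CNAMES = {
    "om.symantec.com": "symanteccom.112.2o7.net",
    "tc.symantec.com": "symanteccom.112.2o7.net",
}

TRACKER_SUFFIXES = ("2o7.net",)  # Omniture's domain, named in the post


def parse_hosts(text):
    """Return (ip, hostname) pairs; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def canonical_name(name, cnames, max_hops=8):
    """Follow CNAME records until a name with no alias is reached."""
    seen = set()
    current = name.lower()
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or too many hops at " + current)
        seen.add(current)
        current = cnames[current].lower()
    return current


def is_tracker(name, cnames):
    """True if the name is ultimately an alias into a known tracking domain."""
    final = canonical_name(name, cnames)
    return any(final == s or final.endswith("." + s) for s in TRACKER_SUFFIXES)


def blocked_by_hosts(name, hosts_text):
    """True if the resolver would short-circuit this exact name via HOSTS.

    HOSTS matches the name the program asks for, before any DNS lookup, so
    the CNAME chain never decides whether an entry blocks; it only tells you
    who really operates the name."""
    return any(host == name.lower() for _, host in parse_hosts(hosts_text))


def explain(name, hosts_text, cnames):
    """One-line verdict for a name a scanner flagged in the HOSTS file."""
    if not blocked_by_hosts(name, hosts_text):
        return "%s: not in HOSTS, unaffected" % name
    if is_tracker(name, cnames):
        return "%s -> %s: third-party tracker, safe to block" % (
            name, canonical_name(name, cnames))
    return "%s: blocked but not a known tracker, check it" % name


if __name__ == "__main__":
    for host in ("om.symantec.com", "tc.symantec.com", "liveupdate.symantec.com"):
        print(explain(host, SAMPLE_HOSTS, SAMPLE_CNAMES))
```

The point the verdict line makes is the one the scanner misses: the HOSTS file blocks the exact name a program asks for, so an entry for om.symantec.com can never touch a different name such as the update server, and following the alias is only how you find out who owns the name you blocked.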

Folks, I can not control these false-positive prompts from Antispyware/Antivirus products ... believe me, I've tried ... but they refuse to alter their scanning techniques, so all I can do is try to explain why these entries exist ... then you can decide for yourself if you have a malware infection ... or a poorly written scanner detection. There is no such thing as an infection that only alters the HOSTS file ... so if that's all that shows up in a scan, then check it out or ask ... I will gladly assist in determining the cause ...

Posted by winhelp2002 with 1 comment(s)

Can Sponsored Results be trusted?

I've commented about this subject before ... and I have still not changed my mind ... NO No No ...

Recently the SunBelt blog touched on this, and I thought I'd provide a good example ...

"Tested by g0Ogle" ... I think not! ... if a user happens to click that "Sponsored Link" ... they end up here ...

So not only do these culprits want to whack you with an infectious ActiveX control (virusremover.dll), they also want you to click the "Remove All" button to install their fake antispyware program and all the other nasties that come with it ... my AV, NOD32 v3, however doesn't think that would be a good idea ...

Submitting "virusremover.dll" to VirusTotal gives the following Result: 23/36 (63.89%)

Notice that Ask routes their Sponsored Result through Google, which then redirects to the (un)desired site ...
"avxp-2008(dot)net" is yet another site maintained by the "Pandora Software Group"

I could provide many more examples ... but you get the idea ... even the "Parking Services" use this type of practice in the fake Sponsored Results on their "Parked" sites ... and that's why I include many of their sites as entries in the HOSTS file ... everyone is glad to take the $$$ provided by these clients, but very few services are willing to investigate these clients prior to hosting their content ...

Posted by winhelp2002 with 4 comment(s)

Where have I been lately?

Due to the overwhelming amount of malware sites cropping up lately ... I just haven't had the time to document and blog ... so I've just been concentrating on investigating and adding a huge amount of new entries to the HOSTS file ...

One of the biggest offenders is the group running from these servers ... hosting mainly fake Antispyware sites and products ...

As you can see right now they control 763 domains (sites) and they are adding new sites by the hundreds ... ugh!
Hopefully I can get back to my normal schedule ... if these culprits ever slow down ...

Posted by winhelp2002 with no comments

Rogue Antispyware Adware-Download

Following up on a post at Donna's SecurityFlash regarding several new Rogue Antispyware programs ...
now, visiting the named site (adware-download(dot)com), you are redirected via "clickbank" to ... oops!

My AV, NOD32, intercepts the request and displays the above warning ... thus killing the connection.
And this occurs before the browser ever consults the HOSTS file ... in which adware-download(dot)com is already listed.

The actual link via clickbank is below (URL disabled)

hxxp://freewslink.adalert.hop.clickbank.net/hop/?CBRehoppp2=hxxp%3A%2F%2Fwww.adwarealert.com%2Findex.php%3Fhop%3Dfreewslink&vend=adalert&code=00000000000000&affi=freewslink&parms=&key=F14F7E2F6AB3619C0D5FE930AAD751A6
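Since the hop link above carries its real destination inside the query string, here is a small decoder (added here as an example; it is not part of the original post and not ClickBank's code) that turns the defanged link back into a parseable URL, pulls out the destination and the affiliate/vendor bookkeeping, and defangs the result again for a report. The only input is the link quoted in the post; the fallback that reads the affiliate and vendor from the host labels is an inference from this one link's "affiliate.vendor.hop.clickbank.net" layout, not a documented ClickBank rule.

```python
# Added example (not from the original post): decode a defanged ClickBank "hop"
# link to see which site it really lands on and which affiliate gets credit.
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# The defanged link quoted in the post (hxxp:// so it is not clickable).
HOP_LINK = ("hxxp://freewslink.adalert.hop.clickbank.net/hop/?CBRehoppp2="
            "hxxp%3A%2F%2Fwww.adwarealert.com%2Findex.php%3Fhop%3Dfreewslink"
            "&vend=adalert&code=00000000000000&affi=freewslink&parms=&key="
            "F14F7E2F6AB3619C0D5FE930AAD751A6")


def refang(url):
    """Turn the hxxp:// and (dot) conventions back into a real URL, for parsing only."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("(dot)", ".")


def defang(url):
    """Make a URL safe to paste into a report: hxxp scheme, (dot) in the host."""
    parts = urlsplit(url)
    scheme = re.sub(r"^http", "hxxp", parts.scheme, flags=re.IGNORECASE)
    return urlunsplit(parts._replace(scheme=scheme,
                                     netloc=parts.netloc.replace(".", "(dot)")))


def decode_hop(link):
    """Return the hop host, affiliate, vendor and the real destination of a hop link."""
    parts = urlsplit(refang(link))
    # keep_blank_values so an empty "parms=" still shows up; parse_qs also
    # percent-decodes, which leaves the inner hxxp:// prefix intact for refang()
    query = parse_qs(parts.query, keep_blank_values=True)
    dest = query.get("CBRehoppp2", [""])[0]
    dest = refang(dest) if dest else None
    # fallback inferred from this link's "affiliate.vendor.hop.clickbank.net" host
    labels = parts.hostname.split(".")
    return {
        "hop_host": parts.hostname,
        "affiliate": query.get("affi", [labels[0]])[0],
        "vendor": query.get("vend", [labels[1]])[0],
        "destination": dest,
        "destination_host": urlsplit(dest).hostname if dest else None,
    }


if __name__ == "__main__":
    info = decode_hop(HOP_LINK)
    for key, value in info.items():
        if key == "destination" and value:
            value = defang(value)
        print("%-17s %s" % (key + ":", value))
```

Parsing the link rather than clicking it is the whole point: you learn the landing site (www.adwarealert.com) and which affiliate is being paid without ever sending a request, and the defanged output can go straight into a complaint or a HOSTS entry candidate list.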

I complained to the staff at ClickBank many, many times about their lack of policing of their affiliates ... but they appear to take no action ... thus they have become a haven for these Rogue Antispyware programs ... and there are many! I've even had them complain and threaten legal action because I added them to the HOSTS file ... of course they have no grounds for such an action ...

Adware.Clickbank or Adware.ClickDLoader

Posted by winhelp2002 with no comments

MVPS HOSTS File Update August-06-2008


The MVPS HOSTS file was recently updated [August-06-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (161 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (702 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments