September 2008 - Posts

Bogus Adobe Flash Player extension

Landing on the following, the visitor is presented with several click-able adult images ...
that once clicked results in the bogus Adobe Flash Player prompt ...

Naturally there is no such thing as a "HD H.264 Extension" ... however, some people still fall for these bogus prompts.
The download "AdobeFlashPlayerExt.exe" is detected as: Trojan.Win32.Obfuscated.gx [VirusTotal results]

porntube-vip(dot)com is hosted at Haldex Ltd [88.208.0.0 - 88.208.31.255]
Landing on one of the other sites sharing the same IP address results in:

Posted by winhelp2002 with 3 comment(s)

MVPS HOSTS File Update September-23-2008


The MVPS HOSTS file was recently updated [September-23-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (142 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (604 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

A bogus MP3 Audio Codec prompt

Landing on the following site, the visitor automatically sees a bogus prompt ... not only that, as you can see in the "Information Bar", a file was automatically downloaded. So users with older browser versions may find themselves infected without any interaction ...

"download-soft-free4all(dot)net" was only registered yesterday ... and hosted at Noc4hosts Inc (Tampa Fla)
which is yet another haven for Zlob/Codec malware domains ...

Posted by winhelp2002 with no comments

Klikdomains suspended

Just days after Security Fix exposed "Klikdomains" and the connection to "VIVIDS MEDIA GMBH" ... the following sites were suspended:

klikdomains.com - Status:SUSPENDED [whois info]
Note: This Domain Name is Suspended.
In this status the domain name is InActive and will not function.

klikvipsearch.com - Status:SUSPENDED [whois info]
kliksoftware.com - Status:SUSPENDED [whois info]

However, don't be fooled into thinking that the Klikadvertising Group is dead ... as I pointed out in my last post, they are still going strong ... I suspect the closing of those domains is just a ploy to avoid any more bad press ... another example I ran across today ...

The majority of the above sites are Klikadvertising related, as noted by the "klick.php?" ... and the box highlighted in red shows
and guess where those sites were registered? ...

wordsearch-online.com - Registration Service Provided By: VIVIDS MEDIA GMBH [whois info]
search-adult-online.com - Registration Service Provided By: VIVIDS MEDIA GMBH [whois info]

Let's not forget - "KLIK Media GmbH" (klikoffers.com) owns about 29 other domains [whois info]
which is also related to "Nelroy Ltd." (klikvip.com), which owns about 19 other domains [whois info]
And "klikadvertising.com" and "klikvip.com" are both running on IP blocks from Axxa Commerce

Hopefully keeping the pressure on will force more action and shut down these criminals ... well, we can hope, can't we?

Posted by winhelp2002 with no comments

Directi and EstDomains continue to suspend thousands of malware sites

I have been keeping a close watch on the amount of suspended sites in the MVPS HOSTS file ... rescanning every day lately and removing the sites that no longer return a valid DNS ... the number is huge yet again ...

Strangely enough, not all of these domains are related to EstDomains ... but who's complaining! Sounds like some of these other hosting services are getting nervous about their reputations or being exposed as associated with these cyber-criminals ... folks, I've been doing this (maintaining a hosts file) for over 10 years and this is the largest clearing of malware related sites in the history of the Internet!

Interestingly enough, Brian Krebs has another in his series of articles: "Fake Antispyware Purveyor Doubles as Domain Registrar"

"Directi president Bhavin Turakhia said his company has disabled its registrant-anonymizing privacyprotect.org service for all Web site names registered through Klikdomains.com, which he said has sold roughly 100,000 Web site names through Directi during the past couple of years. Nearly half of those have been suspended due to abuse complaints, Turakhia said. More than 21,000 sites were suspended in the past 48 hours alone. Directi currently is investigating most of the remaining 50,000 domains registered through Klikdomains.com, Turakhia added."

Imagine that! ... those of us in the security field have long known of the antics of KlickDomains and their related domains ... so I thought I'd show a few examples ...

Notice how this site is designed to look like one of Microsoft's pages ... now, is "petitmortfilms" really a search portal? ... no, there are literally thousands of these type sites with content and links provided by the KlickAdvertising Group ...

Clicking on a few of the listed links ... you can see how Klickadvertising routes their search through several IP addresses, sets a third-party cookie (so they can get paid) and then lands on obviously malware related sites ... now, the entry for "r.looksmart.com" is listed in the hosts file due to LookSmart's dealings with Klickdomains. I'm not saying LookSmart is evil ... but if you deal with scumbags, you'll get blacklisted ...

Speaking of blacklisted, both of those IP addresses are! [here] [here] Now here is another example ...

Gee ... does that page layout look familiar? ... I've highlighted (in red) the next link I clicked ... now imagine where that really takes you ... yup Klickdomains get paid to redirect you to another malware site. In case that "virusremover.dll" doesn't look familiar, I reported on it here ...

If you look at the below output from Microsoft Fiddler ... you can see the same IP addresses involved, etc. Not only that, the link I clicked, "spywarexp2008", wasn't even real ... so you never know where you'll end up ... but you can bet it's not good!

The download from "av-xp2008" is detected by Kaspersky as "Backdoor.Win32.Frauder.ee" and the site is maintained by the "Pandora-Software Group" (innovagest2000sl) ... so not all the evil-doers are being suspended, but we'll take all we can get!

Posted by winhelp2002 with 3 comment(s)

Hundreds more malware domains suspended

As I reported the other day about the thousands of suspended domains ... it appears that even more domains have been suspended. After I removed the huge list of previously suspended domains from the MVPS HOSTS file ... I waited a day or two and rescanned the file to validate the entries. Much to my surprise there were hundreds more malware domains that no longer return a valid DNS ...

This seems to coincide with several other reports "Joint statement from Directi, HostExploit and KnujOn" stating: "HostExploit and Knujon did share with Directi a separate list of additional web sites known for badware that belong to Atrivo, enabling Directi's abuse team to swiftly suspend them."

In a previous post I showed ... "Directi False Whois Suspended Account" owns about 11,853 other domains
Now I find the following: "Directi False Whois Suspended Account" owns about 12,176 other domains [source]

On Friday, August 22 I mentioned the amount of malware related sites running at "mynick.name" ... however, today that number sure has changed! These fake Antispyware related sites were running from various hosting services and IP blocks all over the world ... looks like someone finally caught up to their antics ...


SecurityFix has also posted more related news "Scammer-Heavy U.S. ISP Grows More Isolated" ... I imagine the Cyber-criminals are really scrambling trying to register new domains, etc ... as the amount of suspended domains account for a rather large source of revenue ...

While I'm on the subject of suspended domains ... the bogus Antispyware programs I showed were being hosted at Yahoo were suspended over the weekend ... thanks to Kimberly for alerting Yahoo ...

And let's not forget ... "innovativemarketing.com" and "setupahost.net" which were the original WinFixer Gang ... good riddance! ...

Posted by winhelp2002 with 1 comment(s)

More fallout on the suspended malware sites

Knujon News reports: "Directi is now severing ties with Estdomains amid complaints that the Eastern European company makes it too easy to register sites that are used by spammers and scammers. "Just the reputation loss and the confusion because of these linkups has been more detrimental to us than the commercial gain from that one-off sale," said Directi CEO Bhavin Turakhia. "We felt it was the right move morally."" [more here]

Many of these suspended domains that I previously mentioned involved InterCage and their ties with ESTDomains ... now where "Directi" was involved I find the following when checking the Whois of some of these suspended domains ...

"Directi False Whois Suspended Account" owns about 11,853 other domains ... Wow! ... imagine that!

As McAfee's blog points out, many of these malware related sites are now registering with ProtectDetails as the heat is now on ESTDomains. When checking the locations I find they are both hosted at InterCage ... how convenient ...

Protect Details, Inc
Saint Petersburg, RU
69.50.180.157  protectdetails.com
[InterCage, Inc] Assigned IP block > [69.50.160.0 - 69.50.191.255]

ESTDomains Inc
Wilmington, Delaware
216.255.176.238  estdomains.com
[InterCage, Inc] Assigned IP block > [216.255.176.0 - 216.255.191.255]

Hopefully Brian Krebs' proposed article on ESTDomains will turn up the heat even more ... resulting in even more suspended domains ...

Posted by winhelp2002 with no comments

Another fake Security prompt

Now this is one (bogus prompt) that you don't see every day ... check the page title ...

Naturally if you click the (made to look like a Microsoft Security prompt) "click here to get full real-time protection" ... yeah right!
The only thing you'll get is a real-time infection ...

As you can see the entry in red (infectionscanner) was blocked by an entry that already existed in the HOSTS file ...
All the below are managed by "TORS BUISINESS LIMITED - Andreas Ellinas"

Posted by winhelp2002 with no comments

Yahoo hosting Fraudware on their servers

While tracking down several new fake Antispyware sites ... I happened to notice the below are all hosted by Yahoo.

# [Yahoo via various][68.180.128.0 - 68.180.255.255]
68.180.151.16  antivirus-2008.org
68.180.151.17  antivirus-2008-noadware.com #[Win32/Adware.PowerAntivirus]
68.180.151.16  bestantivirus2009.com #[Win32/Adware.PowerAntivirus]
68.180.151.18  officialantiviruslab.com #[Win32/Kryptik.E]
68.180.151.18  onlineantivirus2009.com #[Win32/Kryptik.E]

VirusTotal result for the download from "antivirus-2008.org" [here]
My AV (NOD32 v3) detects the downloads from the other sites as either "Win32/Adware.PowerAntivirus" or "Win32/Kryptik.E"

As you can see the above is a typical fraudulent fake Antispyware that attempts to infect your machine ... nothing new there ... but hosted at Yahoo? Makes you wonder who's asleep at the wheel over there? ...

These all fall within the IP block assigned to Yahoo (68.180.128.0 - 68.180.255.255)
The above sites all have the same "page title" (International Virus Research Lab) and contents, etc ...

Posted by winhelp2002 with no comments

InterCage suspends thousands of malware related sites

Only a few days after an article in the Washington Post and a detailed report by HostExploit [PDF] [Video], they (InterCage) have suspended thousands of malware related sites. Which is good news ... but it makes you wonder if these sites will simply be transferred elsewhere, or the criminals will just register thousands of new sites and continue with their activities ... since these culprits depend on the revenue generated by their illegal activities, I predict they will pop up elsewhere very soon.

I happened to notice this myself (the amount of suspended domains) when running a program I use to validate the DNS of each entry in the HOSTS file. Usually it returns a hundred or so sites that have either expired or been suspended, parked, etc. ... (since the last update) however this time the amount was huge!
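The rescan described here and in the earlier "Directi and EstDomains" post (validate the DNS of every HOSTS entry, drop the ones that no longer resolve) as an added example; this is not the author's own program. It parses the hosts-file format used on this page, including the trailing "#[detection name]" annotations, and only marks an entry for removal on a definite NXDOMAIN, keeping entries whose lookup merely timed out so a transient resolver hiccup never strips a live malware domain. The sample entries and the offline fake resolver are constructed.

```python
import socket
from dataclasses import dataclass

# Constructed sample in MVPS HOSTS format (blocking lines use 0.0.0.0,
# annotations in "#[...]" name the AV detection, as on this page).
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS HOSTS file
127.0.0.1  localhost
# [Yahoo via various][68.180.128.0 - 68.180.255.255]
0.0.0.0  antivirus-2008.org
0.0.0.0  antivirus-2008-noadware.com #[Win32/Adware.PowerAntivirus]
0.0.0.0  officialantiviruslab.com #[Win32/Kryptik.E]
"""

@dataclass
class Entry:
    line_no: int
    host: str
    note: str   # trailing "#[...]" annotation, "" when absent

def parse_hosts(text):
    """Return an Entry for every blocked hostname; comments and localhost are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line, _, comment = raw.partition("#")
        parts = line.split()
        if len(parts) < 2:            # blank, comment-only, or malformed line
            continue
        for host in parts[1:]:        # a line may list several names after the IP
            if host.lower() in ("localhost", "localhost.localdomain", "broadcasthost"):
                continue
            entries.append(Entry(n, host.lower(), comment.strip()))
    return entries

def resolves(host):
    """Live resolver: True = has an address, False = NXDOMAIN, None = transient failure."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror as e:
        return False if e.errno == getattr(socket, "EAI_NONAME", -2) else None

def classify(entries, resolver=resolves):
    """Split entries into live (keep), dead (NXDOMAIN, safe to drop) and unknown (keep, retry)."""
    live, dead, unknown = [], [], []
    for e in entries:
        r = resolver(e.host)
        (live if r is True else dead if r is False else unknown).append(e)
    return live, dead, unknown

if __name__ == "__main__":
    # Constructed outcomes so the demo runs offline; pass resolves() for a real rescan.
    fake = {"antivirus-2008.org": True, "antivirus-2008-noadware.com": False,
            "officialantiviruslab.com": None}
    live, dead, unknown = classify(parse_hosts(SAMPLE_HOSTS), lambda h: fake.get(h, False))
    for e in dead:
        print(f"line {e.line_no}: {e.host} no longer resolves -> drop {e.note}")
    for e in unknown:
        print(f"line {e.line_no}: {e.host} lookup failed transiently -> keep, retry later")
```

A suspended domain that a registrar parks still resolves, so this check only finds entries with no DNS at all, which is exactly the signal the author uses.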

Although the "comments" (must read) to the article by "Emil Kacperski" appear to be nothing more than the usual spin ... mainly complaining about why other hosting domains are not mentioned ... it seems that exposing the activities of InterCage has produced some results ... for now. It will be interesting to see the outcome of Brian Krebs' other scheduled related articles ...

Posted by winhelp2002 with 7 comment(s)