October 2008 - Posts

Google exposes ClickBank as malicious

ClickBank is a 3rd Party Affiliate Program that is home to many, many Rogue/Suspect Anti-Spyware Products, so it comes as no surprise that the Google Safebrowsing Diagnostic produces the following report ...

Yikes ... I've mentioned their "lack of policing their affiliates" before, and this report sure bears this out ...

Posted by winhelp2002 with no comments

How is Google going to explain this?

I've been running a few sites through Google's Safebrowsing Diagnostic ... oh, look what I found ...

Seems their advertising branch DoubleClick may have been a little shady lately?

Then I ran "msn.com" also and found similar results ... ouch!

" What happened when Google visited this site?

Of the 2922 pages we tested on the site over the past 90 days, 62 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2008-10-26, and the last time suspicious content was found on this site was on 2008-10-25. " (emphasis added)

Posted by winhelp2002 with no comments

Another bogus Adobe Flash codec

Landing on the following adult site ... once a visitor clicks any of the links they are presented with the following bogus pop-up "Error #37" ... I'll say one thing: they sure are inventive ...

Clicking on the embedded link above redirects to the below site ... VirusTotal results here

Both of these sites are hosted at Sia Nano It - IP block - [91.203.68.0 - 91.203.71.255], which is another haven for many nasties related to this type of Zlob/Codec infection ...

Posted by winhelp2002 with no comments

Another Exploit opens Windows Contacts

The other day I mentioned I found an exploit that tries to infect Windows and also attempts to open Windows Contacts (Address Book) ... well it looks like I found another one ... yikes!

Same attempt but from a different source this time ... I previously contacted Microsoft about this, however when they went to check it out the site used to host the exploit no longer existed ... hopefully this one will stay up long enough for them to diagnose the problem ...

As you can see I highlighted the two suspect sites ... the first encoded javascript calls the second site ... and thus the exploit attempts to infect Windows Vista. Fortunately IE7/Vista blocked both attempts ... I'll be contacting Microsoft again, as I saved the exploit files this time ... if anyone happens across this type of exploit simply click the "Don't allow" button and exit from the site ...

FYI: the site "vulgator(dot)com" is not a malicious site ... but rather has been hacked and a malicious script has been injected.

Posted by winhelp2002 with no comments

Is Security overwhelmed by Malware?

Lately it sure seems so ... almost weekly we see reports of the number of sites infected, or the number of malware samples submitted, that just boggle the mind. I know in my own little part of the world ... the number of malicious sites that come and go is staggering to say the least.

Even the big players seem to be overwhelmed ... take Google for instance. They have been on the front lines of identifying malicious sites, and I applaud them for that ... but as with most large companies, it seems the left hand doesn't know what the right hand is doing ...

While looking for culprits I've found it easier to enter certain search terms into Google and then follow the results ... but when Google's own "Sponsored Links" lead to malicious sites and infections ... it makes you want to scream!

 Image edited for display purposes.

Following the above highlighted link ... redirects to "main-porn-hub(dot)com", which is yet another "Fake.PornTube.Codec" site ...

Clicking any of the above buttons leads to a malicious download from "codecdownload.main-downloadportal(dot)com"
Both of these sites are hosted at Noc4hosts Inc - IP Location - Tampa Florida [66.232.96.0 - 66.232.127.255]
... hey maybe the SunBelt guys should go pay them a visit ... just kidding ...

Anyway ... in checking Google's new "Safe Browsing Diagnostic page" I find that:
"Yes, this site has hosted malicious software over the past 90 days" however in searching Google itself "main-porn-hub(dot)com" is not listed as a Harmful site ... huh? Now if I follow one of the links from that page I find another Fake.PornTube.Codec site ... that redirects back to "main-porn-hub(dot)com"

 Image edited for display purposes.

If you want to check a site for yourself simply append it to the end of the following link:
http://www.google.com/safebrowsing/diagnostic?site=
For whatever reason Google never added a portal to check these sites ...

Now it could be that Google never tied its Safe Browsing Diagnostic to the Google/Stopbadware effort ... but if not, why not? If you are going to do "Security" then be a leader ... don't put forth a half-a*sed effort ... we already have too many of these already.

Posted by winhelp2002 with 1 comment(s)

MVPS HOSTS File Update October-23-2008


The MVPS HOSTS file was recently updated [October-23-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (142 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (603 kb)
http://www.mvps.org/winhelp2002/hosts.txt
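As an added illustration of using the text version of a HOSTS file to check suspect names (this is example code written for this page, not the MVPS tooling), the following parser reads HOSTS-format text and answers whether a hostname is listed. The sample entries are constructed for the example from domains named on this page plus a made-up tracker; they are not a copy of the real file. One caveat it makes visible: HOSTS matching is exact, so an entry for "main-porn-hub.com" does not cover "cdn.main-porn-hub.com".

```python
"""Check hostnames against a HOSTS-format blocklist (added example)."""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample in HOSTS layout ("<address> <hostname> [hostname ...]").
# Domains are the ones named on this page plus a made-up tracker entry.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from:            #
# http://www.mvps.org/winhelp2002/hosts.htm                #
127.0.0.1  localhost
0.0.0.0  main-porn-hub.com
0.0.0.0  codecdownload.main-downloadportal.com  # fake codec download
0.0.0.0  vidsdevices.com
0.0.0.0  google-stats.cn  myfrooogle.cn
0.0.0.0  WWW.EXAMPLE-TRACKER.NET
"""

TRAILING_COMMENT = re.compile(r"#.*$")


def normalize(hostname: str) -> str:
    """DNS names are case-insensitive; strip a trailing dot (FQDN form)."""
    return hostname.strip().lower().rstrip(".")


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} for every entry.

    Handles full-line and trailing '#' comments, blank lines and
    several hostnames on one line (all mapped to the same address).
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = TRAILING_COMMENT.sub("", raw).strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            table[normalize(name)] = address
    return table


def blocked_hosts(table: Dict[str, str],
                  sinkholes: Iterable[str] = ("0.0.0.0", "127.0.0.1")) -> Set[str]:
    """Names pointed at a sinkhole address; 'localhost' is not a block entry."""
    return {h for h, a in table.items() if a in sinkholes and h != "localhost"}


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """Exact match only: HOSTS does no wildcard or subdomain matching."""
    return normalize(hostname) in blocked_hosts(table)


def parent_entries(table: Dict[str, str], hostname: str) -> List[str]:
    """Parent domains of `hostname` that ARE listed.

    Useful to spot the gap: a listed parent does not block its subdomains,
    so a malware site can dodge the file by adding a label in front.
    """
    labels = normalize(hostname).split(".")
    blocked = blocked_hosts(table)
    return [".".join(labels[i:]) for i in range(1, len(labels))
            if ".".join(labels[i:]) in blocked]


def check(table: Dict[str, str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Batch lookup: {hostname: blocked?}."""
    return {h: is_blocked(table, h) for h in hostnames}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name, hit in check(hosts, ["main-porn-hub.com", "cdn.main-porn-hub.com",
                                   "MYFROOOGLE.CN", "vulgator.com"]).items():
        note = "" if hit else (
            f"  (parent listed: {parent_entries(hosts, name)})"
            if parent_entries(hosts, name) else "")
        print(f"{name:40} blocked={hit}{note}")
```

To run it against the real download, read hosts.txt from disk into `parse_hosts` instead of `SAMPLE_HOSTS`; everything else is unchanged.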

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

Another bogus Streaming Video Playback Error

Landing on the following site the visitor is presented with the following bogus error ...

The actual download (Trojan.Zlob/Codec) comes from "vidsdevices(dot)com" which is hosted at
Internet Service Provider UATelecom - [91.203.92.0 - 91.203.95.255], which is a safe-haven for a whole host of nasties.

Norton Safe Web reports "Viruses - Severity: High - 95 instances found." ... gee, only 95!

Posted by winhelp2002 with no comments

Exploit opens Windows Contacts

Landing on "google-stats(dot)cn" (courtesy of MalwareDomainList) redirects to the following site ... which pops up the generic Microsoft warning (Remote Data Services Data Control) ... however this time, and this is a first for me, there is a prompt to open Vista's Windows Contacts ...

Naturally any time you see the "Remote Data Services Data Control" prompt ... as I've mentioned many times before, this is an exploit trying to invade your system. The Windows Contacts pop-up is something I'll check out ... since once I clicked "Don't allow" the site redirected to Google ... I'm not really sure what would have happened if I had allowed the javascript on that site to access Windows Contacts ... and I didn't want to find out ...

The "/doc.pdf" entry is an attempt to exploit Adobe Reader which always seems to be under attack lately. Symantec detection details here. This is one of the reasons I no longer use Adobe Reader and found the FoxitReader (freeware) to fit my needs nicely and is faster and much smaller (2.6 mb download)

It's no surprise that "myfrooogle(dot)cn" is hosted at HostFresh - [58.65.232.0 - 58.65.239.255]

"Norton Safe Web has analyzed myfrooogle(dot)cn for safety and security problems.
Below is a sample of the threats that were found.
Viruses - Severity: High - 6 instances found."

In checking several other online scanners ... McAfee's SiteAdvisor hadn't scanned the site and AVG's LinkScanner reported:
"Congratulations! LinkScanner Online did not find any exploits." ... ouch!!
At least Google lists this site as harmful ... Yahoo does not as it uses McAfee's SiteAdvisor ...
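Several posts above cite the hosting provider's IP block in whois form (Sia Nano It, UATelecom, Noc4hosts Inc, HostFresh). As an added example, not part of the original posts, the following converts those dashed ranges into CIDR prefixes, checks which block a given address falls in, and emits a block rule per prefix. The provider names and ranges are copied from this page; the iptables rule format is an assumption about where one would apply them, and the sample addresses tested are constructed.

```python
"""Whois-style IP ranges -> CIDR blocks, ownership lookup, block rules (added example)."""
import ipaddress
from typing import Dict, List, Optional

# Ranges as quoted on this page (provider name -> "start - end").
RANGES: Dict[str, str] = {
    "Sia Nano It":   "91.203.68.0 - 91.203.71.255",
    "UATelecom":     "91.203.92.0 - 91.203.95.255",
    "Noc4hosts Inc": "66.232.96.0 - 66.232.127.255",
    "HostFresh":     "58.65.232.0 - 58.65.239.255",
}


def range_to_cidrs(rng: str) -> List[ipaddress.IPv4Network]:
    """Split 'a.b.c.d - w.x.y.z' into the minimal list of CIDR networks.

    summarize_address_range handles ranges that are not prefix-aligned,
    returning several networks in that case.
    """
    start_s, end_s = (p.strip() for p in rng.split("-"))
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    if end < start:
        raise ValueError(f"range end precedes start: {rng!r}")
    return list(ipaddress.summarize_address_range(start, end))


def build_table(ranges: Dict[str, str]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Provider name -> CIDR list, for every quoted range."""
    return {name: range_to_cidrs(r) for name, r in ranges.items()}


def owner_of(table: Dict[str, List[ipaddress.IPv4Network]], ip: str) -> Optional[str]:
    """Return the provider whose block contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in table.items():
        if any(addr in net for net in nets):
            return name
    return None


def block_rules(table: Dict[str, List[ipaddress.IPv4Network]]) -> List[str]:
    """One outbound DROP rule per prefix (iptables syntax assumed)."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j DROP  # {name}"
            for name, nets in table.items() for net in nets]


if __name__ == "__main__":
    table = build_table(RANGES)
    for name, nets in table.items():
        print(f"{name:14} {', '.join(str(n) for n in nets)}")
    # Constructed sample addresses: one inside each quoted block, one outside.
    for ip in ("91.203.70.9", "66.232.100.1", "58.65.235.1", "91.203.72.1"):
        print(f"{ip:14} -> {owner_of(table, ip)}")
    print("\n".join(block_rules(table)))
```

All four ranges quoted on the page happen to be prefix-aligned, so each collapses to a single /22, /19 or /21; a range such as 10.0.0.5 - 10.0.0.20 would come back as several networks, which is why the code returns a list.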

Posted by winhelp2002 with 1 comment(s)

Google/DoubleClick shuts down Falk eSolutions

This was DoubleClick's European (Germany) division, which it purchased in early 2006. I could find no news on this ... however falkag.net no longer resolves in DNS ... [Whois info]

Other News: I wonder how long it will be before we start seeing other 3rd party advertisers failing due to the financial crisis? It sure looks like ValueClick is about to fail ... I predicted this a while back ...

"Since ValueClick is a publicly traded company (NASDAQ: VCLK) perhaps someone should inform the stockholders of just how their money is generated. (hard-core adult sites - depicted images of underage boys) No doubt a FTC investigation would result in a drop in stock prices and the shareholders would want to know why ..."

Well, they were investigated by the FTC and found guilty ... "ValueClick to Pay $2.9 Million to Settle FTC Charges" ... since then their stock value has dropped to today's value of $7.05 ... ouch!!


Posted by winhelp2002 with no comments

Innovative Marketing dies a slow death

I reported on Sep 8, 2008 that the sites "innovativemarketing.com" and "setupahost.net" were no longer resolving ... I've been watching the other associated domains and they are now no longer reachable ... it looks like the WinFixer Gang has decided to let their older domains die a slow death.

The list of sites is too long to post here and sadly they still have a major presence in many other areas. You can see the chart I put together a while back showing the Innovativemarketing/SetUPaHost connection and the associated IP blocks ... the majority of these now no longer exist.

Other News: I was recently awarded Microsoft MVP (Consumer Security) for the 10th year in a row ...

This also marks the 10th year I have been supplying a HOSTS file ... my how time flies ...

Posted by winhelp2002 with 6 comment(s)

More fake PornTube malware

I have posted many examples of these fake PornTube sites that serve up malware (Trojan.Zlob/Codec) ... "privacy-kit" has gone from a "Rogue Security Program" (March 2007) to serving up malware via a software program (YTFakeCreator) that creates fake "YouTube" style pages. There are now thousands of these fake PornTube-style sites.

What's interesting in the above, is the fake Internet Explorer Information Bar (highlighted in red) sadly the download "MediaPlayerUpdate-28-i386.exe" was not detected when submitted to VirusTotal.

So why do we see so many of these sites? ... in my opinion it's due to the malware authors being unable to successfully exploit an "updated" Windows Vista machine. I have yet to find a site that I have visited that was able to invade my system ... and believe me, I visit thousands each week, which are mainly malware related.

Sure the "social-engineering" aspects do trick many unsuspecting people ... but this method only works when users are fooled into clicking on malicious downloads or allowing installs from untrusted sources ...

Posted by winhelp2002 with no comments