November 2008 - Posts

Bogus Streaming Video Prompt

Landing on the following site, the visitor is presented with yet another bogus prompt ...

Naturally they have rigged all the links on the page to only play sound files ... this way some users are tricked into installing this bogus "streaming video player" ... which is not what you actually get ... be careful out there folks ...

Posted by winhelp2002 with 1 comment(s)

MVPS HOSTS File Update November-25-2008

The MVPS HOSTS file was recently updated [November-25-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (604 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with no comments

How many Trojans does it take?

How many Trojans or malicious files does it take before someone takes action to shut down some of these sites ... that's something I was asking myself while checking some of the entries in my HOSTS file thru Google's SafeBrowser Diagnostic ...

# [Netplace][AS41947][77.91.229.32 - 77.91.229.47]
77.91.229.38  try-count .net #[Javascript.Exploit]

# [Netplace][AS41947][77.91.229.48 - 77.91.229.63]
77.91.229.55  v2statscount .net #[Javascript.Exploit]
77.91.229.55  v2count .net #[Javascript.Exploit]
77.91.229.55  pluscount .net #[Google.Warning]
77.91.229.55  newv2count .net

newv2count .net = Malicious software includes 331 trojan(s). [Google Diagnostic]
pluscount .net = Malicious software includes 64905 trojan(s), 1285 scripting exploit(s), 4 exploit(s).  [Google Diagnostic]
try-count .net = Malicious software includes 3553 trojan(s), 79 exploit(s).  [Google Diagnostic]
v2count .net = Malicious software includes 5628 trojan(s), 704 scripting exploit(s).  [Google Diagnostic]
v2statscount .net = Malicious software includes 11727 trojan(s).  [Google Diagnostic]

Now if you add up the numbers from these seemingly related sites you get 85,944 Trojans Wow!!! ... well we all know it's useless to complain to the abuse department at these Russian servers ... so how about complaining to their "Upstream Provider" much like the tactics used to take down Intercage/Atrivo.

In this case the Upstream Provider is "AS41947 WEBALTA AS Wahome networks" ... [source] sadly it doesn't look like that will do much good ... as it seems "Wahome" is hosting their own crop of nasties ...

# [Wahome Colocation][AS41947][92.241.163.0 - 92.241.163.255]
92.241.163.27  adv-a-v .com
92.241.163.27  a-a-v-2008 .com
92.241.163.27  aav2008 .com
92.241.163.30  wi-a-v .com
92.241.163.30  wav2008 .com
92.241.163.30  windows-av .com
92.241.163.31  uav2008 .com
92.241.163.32  spypreventers .com
92.241.163.32  sp-preventer .com
92.241.163.33  download.wi-a-v .com
92.241.163.33  download.wav2008 .com
92.241.163.33  download.uav2008 .com
92.241.163.33  download.adv-a-v .com
92.241.163.33  download.a-a-v-2008 .com
92.241.163.33  download.aav2008.com
92.241.163.33  download.windows-av .com
92.241.163.33  download.spypreventers .com
92.241.163.33  download.sp-preventer .com #[Win32/Adware.Antivirus2008]
92.241.163.34  secure2.softpaydirect .com
92.241.163.34  secure.softpaydirect .com
92.241.163.90  piterserv .com

Notice the "AS41947" is the same ... oh well, so much for that idea ... matter of fact, in checking a few other entries (Still Trade - AS47486) you can see from the "Graph" tab that "Still Trade" routes through ... you guessed it ... "AS41947 WEBALTA AS Wahome networks"

# [Still Trade][AS47486][91.208.0.0 - 91.208.0.255]
91.208.0.220  rapidantivirus .com
91.208.0.223  microantivirus-2009 .com#[Win32/Adware.Antivirus2008]
91.208.0.223  microantivirus2009 .com
91.208.0.223  microantivir2009 .com
91.208.0.223  microantivir-2009 .com
91.208.0.223  micro-antivir-2009 .com
91.208.0.224  soft-traff6 .com
91.208.0.224  soft-traff5 .com
91.208.0.224  soft-traff4 .com #[Google.Diagnostic]
91.208.0.224  soft-traff3 .com #[Google.Diagnostic]
91.208.0.224  soft-traff2 .com
91.208.0.224  soft-traff .com
91.208.0.228  scanner.ms-scanner .com
91.208.0.228  scanner.msscanner .com
91.208.0.228  scanner.ms-scan .com
91.208.0.229  msantivirus-xp.com
91.208.0.239  winxsecuritycenter .com
91.208.0.240  download.vav2008 .com
91.208.0.240  vav2008 .com
91.208.0.241  winsafer .com
91.208.0.244  software-traffic .com
91.208.0.244  software-traff .com
91.208.0.246  scanner.vav-x-scanner .com #[Win32/FakeAlert.CU]
91.208.0.246  scanner.vav-scanner .com #[Win32/Adware.Antivirus2008]
91.208.0.246  scanner.vav-scan .com
91.208.0.246  scanner.vavscan .com
91.208.0.246  scanner-pwrantivirus .com #[Win32/Adware.Antivirus2008]
91.208.0.249  watcher-scan .com
91.208.0.249  scanner2.defender-scan .com
91.208.0.251  scanner.win-x-defenders .com
91.208.0.251  win-x-defenders .com #[Google.Warning]
91.208.0.251  win-x-defender .com

Starting to see a pattern here? ... the culprits use the first five sites to inject legitimate sites with exploits that lead to these bogus Antispyware sites, where some people are still conned into giving these criminals their credit card info ... and we all know where that leads ...
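As an added example (not code from the post or from the MVPS HOSTS project), here is a small Python parser for the annotated HOSTS excerpts shown above. It reads the `# [Org][ASnnnn][first - last]` block headers and the `IP  hostname #[tag]` entries (including the defanged "name .tld" spacing used in the listings and the one entry where the `#[tag]` follows the TLD with no space), groups hostnames by AS number so the shared AS41947 stands out, and can emit a plain sinkhole-style `0.0.0.0` block for the hostnames it found. The sample input is a handful of lines copied from the listings above; the regexes and function names are my own assumptions, not anything the page defines.

```python
import re
from collections import Counter, defaultdict

# Sample input: lines copied from the post's own listings above, keeping the
# defanged "name .tld" spacing and the one entry where "#[tag]" has no space.
SAMPLE = """\
# [Netplace][AS41947][77.91.229.32 - 77.91.229.47]
77.91.229.38  try-count .net #[Javascript.Exploit]

# [Netplace][AS41947][77.91.229.48 - 77.91.229.63]
77.91.229.55  v2statscount .net #[Javascript.Exploit]
77.91.229.55  pluscount .net #[Google.Warning]
77.91.229.55  newv2count .net

# [Wahome Colocation][AS41947][92.241.163.0 - 92.241.163.255]
92.241.163.27  adv-a-v .com
92.241.163.33  download.sp-preventer .com #[Win32/Adware.Antivirus2008]

# [Still Trade][AS47486][91.208.0.0 - 91.208.0.255]
91.208.0.223  microantivirus-2009 .com#[Win32/Adware.Antivirus2008]
91.208.0.246  scanner.vav-x-scanner .com #[Win32/FakeAlert.CU]
"""

# "# [Org][ASnnnn][first - last]" block header as used in the post's listings
HEADER_RE = re.compile(r"^#\s*\[(?P<org>[^\]]+)\]\[(?P<asn>AS\d+)\]\[(?P<range>[^\]]+)\]")

# "IP  hostname [ .tld] [#[detection-name]]" entry line
ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"      # IPv4 address
    r"(?P<host>[^\s#]+(?:\s+\.[A-Za-z]+)?)"     # hostname, possibly defanged as "name .tld"
    r"\s*(?:#\[(?P<tag>[^\]]+)\])?\s*$"          # optional #[tag] marker
)


def parse_hosts_excerpt(text):
    """Return one dict per entry, each carrying the org/ASN/range of the
    block header it sits under. Unrecognised lines are skipped, not guessed."""
    block = {"org": None, "asn": None, "range": None}
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            block = header.groupdict()
            continue
        if line.startswith("#"):
            continue                      # ordinary comment line
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        records.append({
            "ip": entry["ip"],
            "host": "".join(entry["host"].split()),   # refang "try-count .net"
            "tag": entry["tag"],
            **block,
        })
    return records


def group_by_asn(records):
    """Summarise entries per AS number: which netblock owners appear under it,
    how many distinct IPs and hostnames, and which detection tags were attached."""
    summary = defaultdict(lambda: {"orgs": set(), "ips": set(), "hosts": set(), "tags": Counter()})
    for r in records:
        s = summary[r["asn"]]
        s["orgs"].add(r["org"])
        s["ips"].add(r["ip"])
        s["hosts"].add(r["host"])
        if r["tag"]:
            s["tags"][r["tag"]] += 1
    return dict(summary)


def to_hosts_block(records, sink="0.0.0.0"):
    """Emit a plain HOSTS-file block pointing every unique hostname at a
    sinkhole address (0.0.0.0 here), one entry per line, sorted."""
    return "\n".join(f"{sink} {h}" for h in sorted({r["host"] for r in records}))


if __name__ == "__main__":
    recs = parse_hosts_excerpt(SAMPLE)
    for asn, s in sorted(group_by_asn(recs).items()):
        print(f"{asn}: orgs={sorted(s['orgs'])} ips={len(s['ips'])} "
              f"hosts={len(s['hosts'])} tags={dict(s['tags'])}")
    print(to_hosts_block(recs))
```

Run as a script, the summary shows AS41947 carrying both the "Netplace" and "Wahome Colocation" blocks, which is the observation the post makes by hand; pointing the output at a local sinkhole address rather than 127.0.0.1 avoids a loopback connection attempt for every blocked name.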

Someone needs to come up with a better idea on getting these culprits shut down ... as it took years to finally close the operations at Intercage/Atrivo ... "ICANN" (Internet Corporation for Assigned Names and Numbers) seems to do little to curb these illegal practices. Just look at the fiasco involving EstDomains and ICANN ... looks like we are left to fend for ourselves ...

Posted by winhelp2002 with no comments

Why Fraudware is so rampant

I've mentioned several times the explosion of malicious sites that host Fraudware ... mainly bogus Antispyware programs ... one of the main reasons is that the various "ICANN Registrars" continue to register domains that are from known criminal enterprises ...

They just seem to turn a blind eye toward the "Registrant" (domain owner) even though they (ICANN Registrars) have previously shut down malicious sites from the same known bad "Registrant" ...

In the above, "for777daily.com" has been shut down (Domain status: on-hold generic) ... now notice the "owns 589 other domains"

And here "Shestakov Yuriy" owns 4,332 other domains ... but check the email address = same as the example above ...

Imagine that ... another 2,128 domains and the same email address ... so if you add those up = 7,049 domains ... and as far as I can tell they are all malicious! ... so you have to ask yourself ... why after the first few times these culprits get shut down ... why are they allowed to register more domains?

Now if you check the above site via Google's SafeBrowser Diagnostic (moviesportal2008pc.com) it shows the following:

Malicious software includes 1227 trojan(s).

Yes, this site has hosted malicious software over the past 90 days. It infected 276 domain(s)

Until ICANN steps up and puts a stop to these practices, we will no doubt be inundated with malicious sites ... many of us in the security field have complained to both ICANN and the hosting service where the malicious domains reside (IP location) ... but it does little good ... even if they do act, it's only to shut down a few sites while allowing the same culprits to continue their fraudulent practices ...

Posted by winhelp2002 with no comments