January 2009 - Posts

Another bogus Flash Media Player

I see so many of these bogus sites that I rarely mention them anymore ... but this one is a little different. As you can see below, the images in the video are blurred, in order to trick the viewer into thinking they need this bogus update to your Flash Player ...

Now if you do fall for this all you get is a nasty infection ... VirusTotal results here
"FlashUpdate_3176.exe" from "extrabrake. com" is not very well detected ... (6/38 (15.79%))

"extrabrake. com" is hosted at Eu-zz [AS12553][94.247.2.0 - 94.247.3.255]
Eu-zz is a known haven for Trojan.Codec and fake AntiSpyware sites. Google Diagnostic report here ...

Posted by winhelp2002 with 1 comment(s)

MVPS HOSTS File Update January-08-2009


The MVPS HOSTS file was recently updated [January-08-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (145 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (610 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Posted by winhelp2002 with 1 comment(s)

When Affiliates get hacked

While tooling around on Google Diagnostic I happened across the following:

Now the site itself appears to be a legit affiliate site for Webroot's SpySweeper ... where all the links point to Webroot:

hxxp://www.webroot.com/consumer/products/spysweeper/freescan.html?rc=5757 (URL disabled)
I'm guessing the "rc5757" is the affiliate number?

However the server itself has been hacked and several malicious scripts have been injected. As you can see below, there are several other sites that show up (highlighted in blue) where "obfuscated .name" redirects to "inject .in", a rather nasty place ...

Google Diagnostic (inject .in) reports: "Malicious software includes 758 scripting exploit(s)"
(I had already added this site to the HOSTS file prior to landing on "webroot-spysweeper .com")

Google Diagnostic (obfuscated .name) reports: Malicious software includes 373 scripting exploit(s), 30 trojan(s)

Both of these sites are hosted at (not surprisingly) Netdirekt [78.159.112.0 - 78.159.115.255], which is a haven for nasties of all kinds ... the Google Diagnostic report for Netdirekt bears this out ...

674 site(s), served content that resulted in malicious software being downloaded and installed without user consent

Over the past 90 days, we found 140 site(s) on this network, that appeared to function as intermediaries for the infection of 1695 other site(s)

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 146 site(s), that infected 10169 other site(s)

The other two sites ("ge92 .net" and "tr92 .cn") are hosted at Netplace [92.241.176.0 - 92.241.177.255]
Google Diagnostic reports: Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 25 site(s), that infected 2962 other site(s)

Anybody with contacts to Webroot might want to mention the above ... as it's a shame that someone trying to purchase a legit product gets whacked in the process ... "webroot-spysweeper" is hosted at "Schlund + Partner Ag (1&1 Internet)" but the owner is hidden behind a private registration service.

Posted by winhelp2002 with 1 comment(s)

Sex, Lies, and Toolbars

This is a good one to start off the New Year ... landing on the below site I was prompted with the following message ... now being the skeptic I am ... I figured this was a new tactic to get the visitor to install a Trojan.Codec type of file ... much to my surprise I was fooled ...

Once you "click here to download one" you are redirected quite a few times ... this is hard to follow ... but here goes:

hxxp://affiliates.millnicmedia.com/sw/14604/CD8129/ (affiliates.millnicmedia.com = Digital River)

hxxp://nbjmp.com/click/?s=5015&c=45863&subid=CD8129 (nbjmp.com = NeverBlue Media)
(nbjmp.com = Rated Red site via McAfee SiteAdvisor)

hxxp://lwken.com/click/?s=5015&c=45863&subid=CD8129 (lwken.com = NeverBlue Media) also set a 3rd party Cookie

hxxp://1.globalonlineweb.com/ct/1-14-0/?psid=9273 (also set a 3rd party Cookie)

hxxp://www.vivo7.com/pop/?pid=CD7&cid=866&bid=8320&deploy_id=0&landing_id=0&pool=0&sid=&psid=9273

hxxp://partners.dmoglobal.com/sw/8320/CD7/&dp=0&l=0&p=0&psid=9273 (sets 3rd party Cookie for directtrack.com)
(directtrack.com = Digital River) ... even though you never visited directtrack ... imagine that = cookie stuffing

hxxp://1.ofsnetwork.com/sw/32931/CD7246/&dp=0&l=0&subid1=CD7&subid2=&subid3=&subid4=&subid5=&&psid=9273&

hxxp://ourfreestuff.net/sw/32931/CD7246/&dp=0&l=0&subid1=CD7&subid2=&subid3=&subid4=&subid5=&&psid=9273&
(ourfreestuff.net = running on the Digital River server) owned by "Canadawebhosting"

Where you eventually end up here ... (translated via Google)

So where is my Toolbar? ... this looks like another scam to get your email address ... but I filled it out (bogus info) and all this does is send you to yet another survey type site that wants even more personal info ... "So where is my Toolbar?" ... I never saw any mention of that ... or why I had to divulge my personal info ...

Remember Canadawebhosting ... imagine that ... looks like Digital River is up to something shady? The Internet is full of complaints about Digital River and their many questionable Affiliates ...

# [Canadawebhosting][64.34.132.0 - 64.34.132.255]
127.0.0.1  echtegratisproben.de
127.0.0.1  1.ofsnetwork.com
127.0.0.1  temp.ourfreestuff.net
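As an added illustration (not the MVPS project's code, and not part of the original post), the script below walks a redirect chain like the one traced above against HOSTS-file lines in the post's own format, stops at the first hop the HOSTS file sinks, and flags cookies set for domains the visitor never actually landed on, which is the cookie stuffing described above. The chain, the cookie domains and the HOSTS lines are constructed from the post's listing for illustration.

```python
# Added example: audit a captured redirect chain against HOSTS-file entries.
# Chain, cookie domains and HOSTS lines are constructed samples based on the
# post's listing; URLs keep the post's "hxxp" defanging.
from urllib.parse import urlsplit

HOSTS_TEXT = """\
# [Canadawebhosting][64.34.132.0 - 64.34.132.255]
127.0.0.1  echtegratisproben.de
127.0.0.1  1.ofsnetwork.com
127.0.0.1  temp.ourfreestuff.net
"""

# (defanged URL, cookie domains that hop set) -- constructed sample
CHAIN = [
    ("hxxp://affiliates.millnicmedia.com/sw/14604/CD8129/", []),
    ("hxxp://lwken.com/click/?s=5015&c=45863&subid=CD8129", ["lwken.com"]),
    ("hxxp://partners.dmoglobal.com/sw/8320/CD7/", ["directtrack.com"]),
    ("hxxp://1.ofsnetwork.com/sw/32931/CD7246/", []),
    ("hxxp://ourfreestuff.net/sw/32931/CD7246/", []),
]


def parse_hosts(text):
    """Hostnames the HOSTS file sinks to 127.0.0.1 or 0.0.0.0."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # strip comments, tokenize
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0"):
            blocked.update(h.lower() for h in parts[1:])
    return blocked


def audit_chain(chain, hosts_text):
    """Walk the chain until a HOSTS entry sinks a hop. Matching is exact:
    a blocked temp.ourfreestuff.net does not cover ourfreestuff.net."""
    blocked = parse_hosts(hosts_text)
    visited, reached, stuffed = set(), [], []
    for url, cookie_domains in chain:
        host = urlsplit(url.replace("hxxp://", "http://", 1)).hostname.lower()
        if host in blocked:
            return {"stopped_at": host, "reached": reached, "stuffed": stuffed}
        visited.add(host)
        reached.append(host)
        # a cookie for a domain never visited so far = cookie stuffing
        stuffed += [d for d in cookie_domains if d.lower() not in visited]
    return {"stopped_at": None, "reached": reached, "stuffed": stuffed}
```

With the sample data the walk stops at 1.ofsnetwork.com and reports directtrack.com as a stuffed cookie, while the cookie lwken.com set for itself is not flagged.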

Now just to show you that this was not a one-time occurrence ... this is a hard-core adult site, where clicking any image results in routing you thru the same mess as I described above ...

Be careful out there Folks ... looks like even the 3rd party affiliates want to get in on the amount of traffic generated thru adult sites ... although in this case there actually is no "adult" ... just Sex, Lies, and Toolbars ...

Posted by winhelp2002 with no comments