May 2009 - Posts

Oh Comodo here we go again!

Visiting the following Fraudware Antispyware site ... I always check the "Buy now" (purchase) section to see where this will lead. Sadly it leads to yet another Comodo issued certificate ...

You can see from the Microsoft Fiddler output where the site leads ... I pasted the certificate info into the output ...

Comodo states: "To get a DV cert all you need is a domain name and $15..and no background check about your identity is required." As I stated in a previous post ... perhaps you should at least check the domain name ... duh! that would be a good first clue ... but I guess the $15 is more important?

These culprits were first reported on Thursday, April 16, 2009 - A Diverse Portfolio of Fake Security Software - Part Nineteen and later by the SunBelt blog where both these domains reside on the same IP (iSystem Inc.)

Seems iSystem Inc also controls several other (malicious) domains ... including "malwarecatcher. net" which is associated with "updvms. net" and this is where it gets interesting ...

 
(Image edited for display purposes)

Well look at that! directories for (left column) several malicious domains ... and the typical files found in each (right column)
Extraantivirus, Fastantivirus09, Malwarecatcher, Prestotuneup, and on and on ... so you can see there is no doubt all these domains are malicious as well as the files ... when I attempted to download "EXAVR/BankSetupRelease.exe" my AV (NOD32) detected this as a variant of Win32/Kryptik.JQ trojan

I mentioned in my last post a malicious domain (secure.xsoftstore.com) for which Comodo stated they had revoked the certificate ... what gets me is I suggested that they at least should check the domain names ... well it seems they didn't look into this either ...

== Server Certificate ==========
[Subject]
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00C2ECCD1FEFB7508CA5D7ADB6E405E192
[Not Before]
  4/29/2009 8:00:00 PM
[Not After]
  7/29/2009 7:59:59 PM

If Comodo had bothered to check ... they would have found all these domains are related ... [Whois link here]

All this for $15 ... my, things must be really bad? ...

Posted by winhelp2002 with 1 comment(s)

Follow-up to the Comodo Controversy

It seems my last post concerning Comodo has caused quite a stir ... so I'd like to clear up a few points made on several other Forums.
[DSL Reports] [Security Garden] [Wilders Security] [Calendar of Updates]

Over at Comodo's Forum, "Melih" (who describes himself as Comodo's Hero Administrator) writes:

"You say we responded to MVP Mike before and he gave us kudos. So why would we not respond to him this time if he sent us an email? Your logic doesn't make sense. If we responded before then we would respond again. And we did respond as soon as we were alerted but did NOT receive any emails from MVP Mike as far as I know."

Well as I stated in my previous post I sent an email on 04-21-09 alerting Comodo and never received a reply ... so why would I bother sending another when I find more of the same (Malware sites using Comodo certificates) ... however after "going public" it sure didn't take long for these certificates to be revoked. Imagine that ... I got a reply today ... "your email got buried" = buried? ... if you notice I sent it to both the address I was given and "CC'd" to the person I dealt with previously ...

I just feel sorry for the number of people that were duped into thinking they were at a legit site and actually purchased this malicious software, after I notified Comodo ... only to be "buried" ... then why did you bother to set up a specific address to report these sites?

And this comment ... "It's a weak certificate, but it's something that many many Certification Authorities are selling so I don't really see why Donna and similar should make a thread bashing solely comodo for it..Verisign and Godaddy are the major pushers and sellers for this junk, yet they get no criticism whatsoever for that.."

First I very rarely see a certificate issued by GoDaddy to these types of malware pushers ... now here is a tip ... perhaps the first clue would be to Google the domain name that wants to purchase a certificate ...

In some cases the domain name itself should be a red flag! = secure.spywareprotector-2009.com

== Server Certificate ==========
[Subject]
  CN=secure.spywareprotector-2009.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  2AEB99837575BE971E4EEB2329CD3507

Yet "Iam Monkey_boy=) from the comodo forums" states:
"Comodo can't really be blamed if a site that has a certificate hosts malware"

Let me put a little perspective on this ... "Conficker systems being updated with SpywareProtect2009"
Conficker is now believed to be the largest computer worm infection since 2003 ... and Comodo issued the certificate to "SpywareProtector-2009" ... now you can't tell me that this domain name isn't a cause for concern? It gives me chills to think how many people were duped into purchasing this product.

Now if it was my company and I found out we were involved (even remotely) in the largest infection since 2003 ... I'd certainly want to make some changes in our policy as to how these certificates are issued ... but that's just me ...

And I'll finish up with this little gem ... "So the question should be the ethics of publishing these kind of material without informing the security vendors in the first place."

You question my ethics? ... it wasn't my intent to get into a pi**ing contest with these people but whose ethics are in question here? ... mine for publicly reporting this or Comodo's for a continuing practice of issuing/selling certificates to questionable characters ...

Posted by winhelp2002 with no comments

Comodo continues to issue certificates to known Malware

I was following up on a list of malware sites posted on Dancho Danchev's Blog and yet again I find Comodo issuing certificates to these Malware writers. The reason I say again is I was given a "secret" email address at Comodo a while back to report these culprits ... however I was asked to keep it quiet.

As you can see my Antivirus detects the download as malicious and breaks the connection ... however when I click the "Buy" button what do I find? You guessed it ... a certificate issued by Comodo ... don't these people check out anyone?

Several other sites mentioned in the list are using (76.76.103.163) secure.a5bill. com
[Issuer]
  CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB

[Serial Number]
  00B33E45471F5FDF745564B85336A50AA3
------------------------------------------------

"secure.a5bill.com" is hosted on the same IP as the following and all the downloads are detected as Win32/Adware.CoreguardAntivirus
coreguard-antivirus. com
guardlab2009. biz
guardlab2009. net
guardlab2009. com (Google Diagnostic report)

Some of the others on the above list are using:
fullguardlab. com
== Server Certificate ==========
[Subject]
  CN=fullguardlab. com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00912B6C954BB5BEA83000C4599B9A5C13

bitcoreguard. com
== Server Certificate ==========
[Subject]
  CN=fullguardlab. com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00912B6C954BB5BEA83000C4599B9A5C13
-------------------------------------------------

So this got me to thinking ... a while back (04-21-09) I reported to Comodo via their secret address a list of sites distributing malicious software ... although I never received a reply as I did when I reported "Conficker systems being updated with SpywareProtect2009" which Comodo had issued a certificate to.

Anyway ... I went back and checked the sites I last reported and it seems Comodo has decided to ignore my report ...

rapid-antivir-2009. com
rapid-antivir2009. com
rapid-antivirus2009. com = all redirect to:

secure.xsoftstore. com

== Server Certificate ==========
[Subject]
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00C6AC84946462C7F3EADC5565AE3156A4
[Not Before]
  1/27/2009 7:00:00 PM
[Not After]
  4/28/2009 7:59:59 PM <-- notice the expiration Date

I just revisited rapid-antivirus2009. com and Comodo issued them a new certificate ...

== Server Certificate ==========
[Subject]
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00C2ECCD1FEFB7508CA5D7ADB6E405E192
[Not Before]
  4/29/2009 8:00:00 PM
[Not After]
  7/29/2009 7:59:59 PM
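The two dumps above (the certificate that lapsed on 4/28 and the one issued on 4/29) are the kind of thing worth parsing rather than eyeballing. What follows is an added example, not code from the original post: a small Python parser for Fiddler's "== Server Certificate ==" text, fed the post's own two dumps as sample input (the "<-- notice the expiration Date" annotation included). It pulls out CN, issuer, serial and validity, flags the Domain-Validated hallmarks in the subject (no O= attribute, only OUs such as "Domain Control Validated" / "Free SSL"), checks whether the CN matches the host that was visited the way a browser would, and measures the gap between one certificate's expiry and the next one's Not Before. The function names, the DV_MARKERS list and the annotation handling are assumptions made here.

```python
"""Parse Fiddler-style '== Server Certificate ==' dumps and flag the DV hallmarks
discussed in the post. Added example, not code from the original post: the sample
input is the post's own Fiddler output; function names, DV_MARKERS and the '<--'
annotation handling are assumptions made here."""
import re
from datetime import datetime

# Sample input: the two secure.xsoftstore.com dumps from the post
# (the certificate that expired 4/28/2009 and the one issued 4/29/2009).
SAMPLE_DUMP = """\
== Server Certificate ==========
[Subject]
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00C6AC84946462C7F3EADC5565AE3156A4
[Not Before]
  1/27/2009 7:00:00 PM
[Not After]
  4/28/2009 7:59:59 PM <-- notice the expiration Date

== Server Certificate ==========
[Subject]
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00C2ECCD1FEFB7508CA5D7ADB6E405E192
[Not Before]
  4/29/2009 8:00:00 PM
[Not After]
  7/29/2009 7:59:59 PM
"""

# Subject OU wording Comodo's DV products carry (assumption; extend per CA).
DV_MARKERS = ("domain control validated", "free ssl", "positivessl")
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"  # Fiddler's US-style timestamp


def _parse_dn(dn):
    """Split 'CN=a, OU=b, OU=c' into ordered (attr, value) pairs, keeping repeated OUs."""
    pairs = []
    for item in dn.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs.append((key.strip().upper(), value.strip()))
    return pairs


def parse_cert_dumps(text):
    """Return one dict per '== Server Certificate ==' block."""
    certs = []
    for block in re.split(r"^== Server Certificate =+[ \t]*$", text, flags=re.M):
        fields = {}
        for name, value in re.findall(r"^\[([^\]]+)\][ \t]*\n[ \t]*(.+?)[ \t]*$", block, flags=re.M):
            fields[name] = re.split(r"\s*<--", value)[0]  # drop inline annotations
        if "Subject" not in fields:
            continue
        subject_pairs = _parse_dn(fields["Subject"])
        subject, issuer = dict(subject_pairs), dict(_parse_dn(fields["Issuer"]))
        certs.append({
            "cn": subject.get("CN"),
            "org": subject.get("O"),  # absent on a DV certificate
            "ous": [v for k, v in subject_pairs if k == "OU"],
            "issuer": f'{issuer.get("CN")} ({issuer.get("O")})',
            "serial": int(fields["Serial Number"], 16),  # leading 00 is DER sign padding
            "not_before": datetime.strptime(fields["Not Before"], DATE_FMT),
            "not_after": datetime.strptime(fields["Not After"], DATE_FMT),
        })
    return certs


def is_domain_validated(cert):
    """DV hallmark: no organisation in the subject, only the CA's DV OU wording."""
    ous = " ".join(cert["ous"]).lower()
    return cert["org"] is None and any(m in ous for m in DV_MARKERS)


def cn_matches_host(cn, host):
    """The check a browser applies: exact match, or a one-label wildcard
    ('*.example.com' covers 'a.example.com' but not 'example.com')."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn.startswith("*."):
        return host.count(".") >= 2 and host.split(".", 1)[1] == cn[2:]
    return cn == host


def reissue_gaps(certs):
    """Per CN, the time from each certificate's expiry to the next one's Not Before;
    a fresh issuance right after expiry or revocation stands out as a tiny gap."""
    by_cn = {}
    for c in sorted(certs, key=lambda c: c["not_before"]):
        by_cn.setdefault(c["cn"], []).append(c)
    return {cn: [nxt["not_before"] - cur["not_after"] for cur, nxt in zip(chain, chain[1:])]
            for cn, chain in by_cn.items()}


if __name__ == "__main__":
    certs = parse_cert_dumps(SAMPLE_DUMP)
    for c in certs:
        print(f'{c["cn"]} serial={c["serial"]:X} dv={is_domain_validated(c)} '
              f'host_match={cn_matches_host(c["cn"], "secure.xsoftstore.com")} '
              f'valid={(c["not_after"] - c["not_before"]).days}d issuer={c["issuer"]}')
    print(reissue_gaps(certs))
```

Run against a larger pile of saved Fiddler dumps, the same parser also answers the question the post keeps asking: group by issuer and by hosting OU ("Hosted by LiderTelecom LTD") and the clustering of these storefronts under one reseller is visible without a whois lookup. The serial is compared as an integer because Fiddler prints the DER sign-padding byte (the leading 00), which is not part of the serial value.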

Comodo is supposed to be one of the good-guys ... and they even describe themselves as "Internet security software products including SSL certificates and Free Firewall Antivirus software among others from Comodo, a leading global trust provider" ... however I have been reporting on them since the WinFixer days and it seems it just falls on deaf ears ... and now that they bundle the Ask Toolbar it really makes you wonder ...

Posted by winhelp2002 with 2 comment(s)

MVPS HOSTS File Update May-11-2009


The MVPS HOSTS file was recently updated [May-11-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (145 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ...
http://www.mvps.org/winhelp2002/hosts.txt (597 kb)
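To use the text version the way the note suggests (checking whether a domain you just ran into is already a known culprit), the file has to be read the way the resolver reads it. Below is an added example, not part of the MVPS HOSTS project: a Python parser for the HOSTS-file layout that tolerates tabs, several names on one line and trailing "#" comments, skips the loopback names every HOSTS file carries, and looks up either a bare hostname or a full URL such as a "Buy now" link. The sample lines are constructed here in the file's layout and are not taken from the real file; the SINK_ADDRESSES set is an assumption about which addresses count as "blocked".

```python
"""Look up hostnames against a HOSTS-format blocklist such as the MVPS hosts.txt.
Added example, not part of the MVPS HOSTS project. The sample lines below are
constructed in the file's layout; they are not taken from the real file."""
from urllib.parse import urlparse

SAMPLE_HOSTS = """\
# Constructed sample in HOSTS layout (not the real MVPS file)
127.0.0.1  localhost
0.0.0.0    secure.xsoftstore.com
0.0.0.0\tsecure.spywareprotector-2009.com   # [Fake AV]
0.0.0.0    www.adserver.example   ads.adserver.example
"""

# Assumption: an entry pointing at one of these is a block, anything else is a
# genuine static mapping and is left alone.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return {hostname: address} for every blocking entry, ignoring comments,
    blank lines and the loopback names."""
    blocked = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        addr, *names = line.split()  # tabs or spaces, several names per line
        if addr not in SINK_ADDRESSES:
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name not in LOOPBACK_NAMES:
                blocked[name] = addr
    return blocked


def host_of(url_or_host):
    """Accept a bare hostname or a full URL (the 'Buy now' link, say) and
    return the lower-cased hostname without port or path."""
    parsed = urlparse(url_or_host if "://" in url_or_host else "//" + url_or_host)
    return (parsed.hostname or "").rstrip(".")


def is_blocked(blocked, url_or_host):
    """HOSTS matching is exact-name only: no wildcards and no parent-domain
    match, so 'xsoftstore.com' is not covered by an entry for 'secure.xsoftstore.com'."""
    return host_of(url_or_host) in blocked


def coverage(blocked, targets):
    """Report which of a list of URLs/hosts the file already covers."""
    return {t: is_blocked(blocked, t) for t in targets}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for target, hit in coverage(table, ["https://secure.xsoftstore.com/buy",
                                       "xsoftstore.com", "ads.adserver.example"]).items():
        print(f"{target}: {'blocked' if hit else 'NOT blocked'}")
```

The exact-name caveat is the practical one: a HOSTS file blocks the hostnames it lists and nothing else, so a storefront that moves from secure.example to buy.example walks straight past an entry for the former, and it cannot block by IP address at all.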

Posted by winhelp2002 with no comments

Microsoft MVP Award Program Blog

Yes it's a shameless plug ... but I got a nice writeup today on their blog ...

A little update on Zango ... I looked through the sites I had listed that were using/linking to Zango and the vast majority are still using their code on these sites ... duh! Do these sites using Zango's code still think they will get paid for directing visitors to Zango/Hotbar? They owe the bank over $44 million ... so I think they will be waiting a long time ...

Zango's site itself is still up and running with no mention of their bank foreclosure ... typical for these scum-bags!
Untrustworthy to the end ...

I'm working on a new HOSTS update that should be ready shortly ... as I was hoping to remove the hundreds of Zango/Hotbar entries ... but I guess we'll have to wait until their servers get shut down or sold ...

Posted by winhelp2002 with 2 comment(s)