"There's no place like 127.0.0.1" ... Blocking Ads, Parasites, and Undesirables with a Hosts File
Is it advertising? My understanding is that Google Analytics is purely an analytical service - no advertising by Google and no income stream for the person embedding the analytics. Basically, a hit counter on steroids.
Perhaps "advertising" was the wrong choice of words ... however they are still providing a service to a site marked as harmful content.
WinHelp2002
@Mike - you say of Circle Distribution that "their work-around was to rip-off the entries from my HOSTS file and insert them into their own version of a HOSTS file". Can you explain further? How can you tell that the URLs were from your HOSTS file?
Your comment about RightMedia is a good point, and I'm wondering what RightMedia would have to say about the situation if they knew.
I'm interested in any info you can provide about RightMedia - maybe we should start focusing on them as well, if they're the primary source of the winfixer malware advertisements, with Circle Distribution being a conduit. You have my email address ;o)
It looks like another Game site got hacked and one line of HTML code was added to their site, which will
Previously I had reported the problems updating the HOSTS file in Windows Vista ... well I've come up
So, what do we do about an advertising network like ValueClick that will not clean up its act? A network
My regular readers will remember my various articles about the Winfixer infiltration of the AOL and MSN
Terry's decision-making on this matter explains a wealth of other user satisfaction problems across the board at yahoo. Read the suggestion forums for Y! Answers and Y! Groups sometime. You can see them trying but you can't see them getting it right very often.
Usually, when things start to get problematic for the end users, it's the people at the top that are the real problem.
Mike Burgess reports that ValueClick is not cleaning up their act: msmvps.com/.../hostsnews
They've been hacked again? I'm sure that has happened before.
Yep, back in February, and in March (twice).
www.google.com/search
I've given up on TabletPCBuzz. That site has been hacked more times than I can count. I believe the owner is an MVP blogging on this site? At least, that's where I've seen the posts about the site being hacked -- is on this site. So, it goes to reason that you are seeing the effects of someone here pulling in additional Spam content.
I would imagine that there is a line some ISPs do not want to cross when dealing with paying customers and the content they serve. No matter how morally/ethically reprehensible the content may be.
Yes, you are right that there is a line that some ISPs do not want to cross, when it comes to paying customers. It's all about business and money after all, which is a bit sad.
There has been no official notice yet but it looks like ValueClick has severed its ties with the
Interesting. It's time to start monitoring the site's traffic rankings, and watch for changes (and any reappearance of mediaplex)
Mike Burgess was hopeful that Valueclick had cut ties with Winfixer. msmvps.com/.../hostsnews
In light of several reports lately about the amount of Malware sites that now exist, I thought I'd
Any idea why some XP systems choke on big hosts files?
I use your hosts file on my XP Pro laptop and I love it. When I installed it on my XP Pro desktop at home I found that the processor usage spiked to 100%. The system was so busy I couldn't even get into a prompt or notepad to edit the hosts file to trim it down. After a reboot I was able to change the hosts file so it only has a few hundred entries and the system has been fine since.
Is there a known cause for this? I've seen it happen on a few other systems over the years but I've always just switched to a smaller hosts file to solve the problem.
The only known cause is from not disabling the DNS Client service. This is explained on the website.
Hi, how's it going? Well... I can't believe it, since I don't usually reference news much on other
Over at Exploit Prevention Labs they have been detailing the dangers of certain search terms. So I thought
A complete scam and one that the Trading Standards should prosecute for; if the laws don't allow for it, then the laws should be changed asap.
To slow down your PC until is tantamount to sabotage and blackmail.
Prevex 2.0 will remove Micro Bill Systems Pop Up and Spyware. Norton Anti Spy Ware appears to remove the trojan but not the pop up.
Hide My I.D. will stop attempts by Micro Bill Systems to track your computer.
This is somewhat interesting. EMI realizes that digital rights protection only works till it is hacked and has begun shipping without any protection simply because the cost of creating new schemes outweighs the potential benefit of additional revenue. I personally am moving to Linux more and more and only boot into Windows when absolutely required.
Sony got bashed for its rootkit tactics. I think this needs to be turned over to the DOJ and let the government prosecute. Maybe the DOHS since this is a form of terrorism.
Just a thought.
want access to my media music
After loading this update, "Live Update" for Norton flashed an alert window stating that:
127.0.0.1 om.symantec.com was a malicious addition to my hosts file and prompted me to remove it prior to live update running.
Is it a malicious addition or is my Norton A/V infected with something?
Also, what is the difference in using 0 vs 127.0.0.1 in the hosts file?
Please respond to first question at least at:
bobbobbinsworth@hotmail.com
Thank you,
BB
This is not a malicious entry, please see:
www.mvps.org/.../hostsfaq.htm
re: 127.0.0.1
This is the accepted industry standard. There is no published proof that "0" is faster or better to use.
Hallo,
Is om.symantec.com a FP?
Because I get a popup window from Symantec that tells me it's a Symantec Liveupdate server.
No it is not a false-positive ... please see:
Why does Symantec (Norton 2007) detect a possible malicious entry in the HOSTS file?
Hi Mike,
I got this alert and was given 3 options from Symantec.
1. was to delete.
2. was to ignore and remind later.
3. was to ignore.
I'm using NIS 2007. You can also disable host file scanning by going to NIS/Run Security Inspector/Configure/Categories/Setting/and uncheck IP Addresses.
I also reported the issue to Symantec.
Regards,
Tim
So do you know how to get rid of whatever keeps trying to download the VideoAccessCodecInstall.exe? I cannot find any info on it.
Thanks in advance.
Landing on "militarymoms.eu" a " Parked Domain ", where the clicks are controlled
Just a thought, PCMag has always given payware better reviews than freeware and is a for profit organization with a yearn for sponsors. Nough said?
No, you do not need to install the Toolbar to use ST. You can deselect that option on install.
ST is generally getting good reviews in terms of its detection ability, although I don't recommend using it in isolation, just as I don't recommend using any malware tool in isolation. None of them are adequate to detect everything.
I agree with "Where is CounterSpy?".
I'm also wondering where are the results for PC Tools and BitDefender?
Doug,
PCTools = Spyware Doctor
As for BitDefender they are considered an Antivirus program not Antispyware ...
We were also disappointed not to see CounterSpy included. Apparently, there was a miscommunication from somewhere (perhaps from our marketing people), that the current release of CounterSpy (version 2.5) was in beta. Since PC World prefers not to test beta, it wasn't included in this roundup.
The folks at PC World are being very cooperative and understanding with us and we hope to see a test/review in the future.
Alex Eckelberry
Sunbelt Software
I wonder why Ad-Aware and A-Squared were not included. Also, it's worth noting that in the last two days Spybot S&D is now up to version 1.5.1, which includes immunization for Firefox and Opera and has a hosts-file tweaker.
My Wife has used Ad-Aware for years. I think lately though she has not been too happy with it. Spybot remains in her good graces though.
It's funny about Bitdefender being AV and not AntiSpyware. It works good for me in preventing spyware. Weird.
Angus,
As for Ad-Aware, it was explained in the article that they did not have a "Vista" version at the time ...
As for SpyBot S&D I'm afraid that a few additional features will not improve their detection rate as shown in the chart I posted.
An issue with these tests is that their quality is questionable. So I wouldn't give too much credence to a PCWorld type of test (although from a marketing standpoint this is the one read by most of the people) because they proved many times that they can't create a good test from a technical point of view.
Cd-MaN,
re: "An issue with these tests is that their quality is questionable"
If you read the PcWorld article you'll see that they no longer do the tests.
"formal tests independently conducted by research company AV-Test.org"
So it does add a lot of credence ... IMHO
Note also discussion at
groups.google.com/.../3496801093022759
the same people?
Chris,
Yes it appears to be the same culprit ...
Your e-mail to another MSMVP found its way to me. Thank you for reporting this to us. I have forwarded this to the appropriate people in our company to investigate.
Thanks again! We appreciate this.
Best regards,
-Lee
CNET Community
To add to this Flash Cookies ARE TROJANS.
The WWW was NOT designed with these in mind & it is a very sly way of passing Personal Details from Site to Site.
I must also add that Microsoft have taken out a Patent for this exact technology in order to store such data & then supply such data on a "Commercial" supply Basis to other Companies!
Rabid,
I wouldn't say that Flash Cookies are trojans. You can certainly control your preferences for those here:
www.macromedia.com/.../settings_manager06.html
re: "Microsoft have taken out a Patent"
I blogged about that a while back ...
msmvps.com/.../is-microsoft-getting-into-the-adware-business.aspx
And what do you need enabled to change those settings... "FLASH!"
You can steal others' host file inclusions but no one can use parts of your host file, OOPS :)
This comment belongs here,
I have Vista and it pops up on Comcast every time I enter the page. Is there a way to turn it off? My Vista is running in Protected Mode:On.
mdc,
I'm not quite sure what you are asking?
What pops up on Comcast?
Sorry to hear this!
Good no one was hurt.
Take care!
When I was about 11 years old, I was bereaved of all my favorite video games (and everything else, but they were the most important) in a similar manner. That said, I wish I had something amazingly insightful and comforting to offer, but I don't; I hope everything goes as smoothly and happily for your family as it possibly can.
Thanks for the update. Thought you may be on vacation. :) Sorry to hear otherwise. :( Glad no one was hurt. Property can be replaced, people cannot.
Anyway, thank you for what you do here. I'm sure I speak for many when I say your efforts are extremely valuable to the computing community! Best wishes!
I can suggest something - start making an inventory now, and keep updating it as you remember stuff. I burned my bedroom as a teenager (a magnifying glass on a stand caught the sun), and even though most stuff was merely smoke-damaged, I didn't really have a good idea of what stuff I had lost. I would keep remembering things.
Your heart must have been in your throat when you heard about it. Thank goodness no one was injured.
Lives are more important than belongings, for sure.
That's a real eye opener, never expected to see that photo scenario here.
I hope your family can put it behind soon and find comfort for a new beginning.
I had just sent an email to you for the mail list updates and saw this afterwards.
eWeek has an article " DoubleClick Serves Up Vast Malware Blitz " which describes problems
Well here we go again ... another security program with a poorly written detection ... seems Symantec
Check this out: msmvps.com/.../1309806.aspx I ask you, can you
I do not personally use anything Symantec/Norton ... the post was in response to several emails I've had from users of my HOSTS file about this issue.
Mike,
What about the red x close button? Aren't there security features for the chrome that prevent the close button being spoofed nowadays in pop-up windows? Of course, HTML pages with fake dialogue boxes that are no more than graphics on a web page are a different story.
Sandi
Sandi,
The same applies for the Red X button ... due to the way the page is coded.
wait a second ...something don't make sense here. you say NOT to delete all those Omniture, clarity, etc etc entries from the hosts file! #1 how do i keep em off my machine (they obviously broke in already, in order to post themselves in the hosts file. #2 why wouldn't i want to delete ALL tracking cookies, help educate me here..i got about 6 of those that you say can't be removed, what do i have to switch to linux, to fix the prob??? :-(
sambo,
No they did not break in ... those entries already existed in the HOSTS file.
re: Tracking Cookies
I never said not to delete those ...
i don't see "www.stvfirm.com" in the 11/19 winhelp2002 HOSTS file..
redwolfe_98,
You're right ... that entry was added after the last update, and I have amended the blog post to reflect that.
Often times you have to look hard to connect the dots ... however it now seems LimeLight has been affiliated
contact me at
GvyxQN931zlcGDoV@spambox.us
please
LimeLight is a legitimate company. It is a CDN (Content Distribution Network) similar to Akamai, although not so big. I'm sure that any affiliation with malware is a mere oversight on their behalf.
I have no doubt LimeLight is a legitimate company, however it worries me how they could become affiliated with Innovative Marketing and SetUpAHost ... hopefully they will sever their ties with them ASAP.
First of all let me say that I appreciate what you are doing and have used your host file on many computers of home users to keep them relatively safe. The paper published by the honeynet project where they found that your host file blocked 100% of the malicious URLs they collected is a testament to the quality of your work.
However, one thing that I observed is that from time to time you get a little overzealous (for example I found that the host file was blocking some connections needed to install Yahoo messenger or that it was blocking the Google web tracking system, which in turn was needed to download Google Earth). As I said in another comment, Limelight networks is a legitimate CDN much like Akamai, and they should be notified of the problems.
re: they should be notified of the problems
They were notified ... no reply yet ...
Ticket ID: llnw #456387
Seems the harder I look the more malicious content is found running from Limelight Networks ... at least
I think we should find them, and rub pig fat all over them,,,then behead the fuckers,
Looks like Limelight is involved in distributing hundreds of Rogue Antispyware products ... the majority
Ping me offline Mike....
"Although it's doubtful that (US) officials can do anything about the foreign locations, they can certainly question the unsavory practices of LimeLight since it is a US company"
True, but I wouldn't hold my breath. Look at Cernel and Intercage, also domestic companies. Cernel is behind all the "DVD Access" rogue codec web sites along with many others.
Dean,
That's true but those hosting companies do not boast about their "partners" like this:
www.limelightnetworks.com/partners.html
Bob,
I don't think we need to go that far ... but close.
It's silly to go after LimeLight, they're just a CDN -- you give them a piece of content, they will deliver it for you around the world. They're a dumb interface used to decrease latency and increase bandwidth when serving static content.
While you may think it is silly ... I certainly do not. The purpose is to cut off any and all routes possible that apply to the WinFixer gang.
So what is the bsa.safetydownload? Is it something I need to remove? My PC pops up error messages asking me to install something from them. I have no idea who or what they are.
Sam,
Yes it is something you should remove!
"Dealing with Unwanted Spyware and Parasites"
www.mvps.org/.../unwanted.htm
Perhaps you should contact LimeLight and ask them how to proceed ...
Enjoy Mike - and a Merry Christmas to you and the family.
I also have been receiving pop ups that say critical error click balloon to fix and a website by the name of bsa.safetydownload.com address. The way it comes up it looks like a windows alert message and the page comes up replicating windows help. What should I do and how do I go about contacting this company? I stumbled upon this page when I searched 'bsa.safetydownload.com' and this was the first that popped up.
Leslie,
Follow the instructions here:
Landing on the following site the viewer is presented with not only a "IFrame.Exploit" and
Thank you! A lot of good information here.
Ah, it is the toolbar that is the problem, not necessarily the music download service itself. Good detective work! I'm disappointed in e-music. I guess I can't complain about their entry in your list. Thanks for doing the recheck.
"what I would like to see is all the 'Mag' sites run several reviews on these bogus products and get the main-stream media involved in exposing all the parties involved."
An excellent suggestion... Unfortunately, like most magazines, PC-related magazines seem to avoid reviews of stuff that they already know is bad. It would be nice to see someone like Neil Rubenking pick up the ball on this issue.
"While the detection rates have become better for the commercial Antivirus/Antispyware products, the "freeware" versions have failed to keep pace and are no longer recommended as a first-line of defense ..."
That is certainly true for most of the freeware anti-spyware products. Having run thousands of samples of malware through VirusTotal, I've been impressed with the results from Avira (AntiVir). They're often among the earliest to provide a defense against new stuff, even earlier than NOD32, which both of us use. Kaspersky seems to be consistently the fastest (along with F-Secure, which licenses Kaspersky's definitions).
Among the "paid" software, Microsoft's offering gets the most-improved award for the year. Of course, it had nowhere to go but up. Happy New Year!
Just wanted to say thanks for all the great posts you've published this year. I found your site through a Google Alert for "Spyware" earlier this year and I've enjoyed reading the posts here since.
All the best for you and yours.
A minor nit is in order, but only after I say thank you for your work. ;-)
www.honeynet.org/.../KYE-Malicious_Web_Servers.htm
"Does this mean that blacklisting is an ineffective method? In order to answer this question, we repeated our analysis of the 306 malicious URLs on a client honeypot that uses a DNS blackhole list, including the servers in the hosts file from www.mvps.org and the servers in the clearinghouse of stopbadware.org, and repeated our analysis. Considering that only 12% of the servers we identified as malicious were included in our blacklist, one would expect a remaining high number of malicious classifications by our client honeypot. Surprisingly, only one URL remained malicious. We conclude that blacklisting is indeed a very effective method to thwart these attacks."
So that would be a combination of the hosts file and a list of malicious sites from stopbadware.org that was used and it left 1 malicious link.
Thanks again and Happy New Year.
01-03-08 MVPS HOSTS file has a line for www.interactivebrands.com that's missing the localhost IP
I'd like to point out to you the following ad servers that seem to be missing from your otherwise EXCELLENT Hosts File:
as.nu.nl (ad server for nu.nl, most popular Dutch news site)
ebayrtm.com (ads on ebay)
rcm.amazon.com (ads by amazon on blogs, eg economicsbriefing.com)
www-google-analytics.l.google.com (included in pgl.yoyo ad server list, not mentioned under Google Inc on MVPS Hosts list)
Last but not least, I have noticed a lot of ads or links to 'buysub.com' that have popped up everywhere. Example:
www.epicurious.com/.../241101
has top ad where the link location is:
m1.buysub.com/.../PackageAddCmd
A regular query of www.buysub.com does not yield a website. I have come across several other references on the web. I have been unable to find background information on this particular domain.
May I also add that 207.net popped up a survey on msnbc.msn.com, indicating that not all 207.net activities are covered by the current host file. I have no details on this unfortunately. Hopefully you will include the abovementioned in a future update of your Hosts File. Thank you.
204.16.204.56 is dangerous spy-ware.
It appears under tabs as "your computer has a malware - click here to download."
If you make it, it downloads MediaCodec Zlob.
Could be removed by SpyHunter. This Zlob is a Trojan and will send your private data, may update your computer registry, even block your task manager.
Check by nslookup 204.16.204.56
It appeared as protect.trustedantivirus.com ..."zheltaya.hernya". It comes from Russia.
Block it by adblocker, block by its IP.
Thanks for your submissions ...
They will be reviewed and added as needed to the next update.
Thanks ... that has been corrected and a fresh copy of the HOSTS file was uploaded.
links.industrybrains.com
autocontext.begun.ru
begun.ru
referal.begun.ru
promo.begun.ru
go.jetswap.com
jetswap.com
ad.agava.tbn.ru
ad.rich1.adbn.ru
ad.top1.adbn.ru
e0.extreme-dm.com
e2.extreme-dm.com
PrivacyProtect? You just need to learn how to have it opened. For example, there is privacy protection on boomgirltv.com's registration right at the moment. And I will have it opened within several hours.
Tom Bluewater
MHVT.NET
new ads server
yahoo search via overture.com
rc10.overture.com
Help!
What should I do?
I downloaded the 'codec' and ran it.
silly me...
It took a while ... but it looks like Limelight finally sent the WinFixer Group packing ... Back in December
I would like to know what we can do to protect more people like me, I'd never heard of this until today.
vet mitchell,
The easiest way is to install the HOSTS file, as all the mentioned sites are included ...
www.mvps.org/.../hosts.htm
Sadly, this is not really something that could be called a failure on Comodo's part.
The certificate identifies the code as being signed by PC SuperCharger, and indeed, the code is theirs to sign.
A certificate authority's job is to verify identity - not to approve business practices.
Today, my wife visited a site she thought would help her map out the trip between Myrtle Beach, SC and Charleston, SC. When I sat down at the laptop, I saw the apparent results of an Anti Virus or Spyware Scan that seemed legitimate, as my son's laptop runs XP Home and it was label XP Antivirus 2008. It alleged three specific problems, and when I cautiously attempted to abort the program, it apparently installed it. It appeared as a shortcut on the desktop and an icon in the task tray. I've used 4 different legitimate programs to try and remove it and not one has actually identified this as a risk, period. How do I get rid of something that isn't detected and doesn't appear as a program Windows could uninstall?
A good place to start is here:
How to remove XPAntiVirus
www.bleepingcomputer.com/.../topic111715.html
i am glad to hear that "comodo" is "shutting down the accounts".. thanks for the work that you are doing..
The other day I reported that Comodo had revoked all certificates issued to WinFixer/SetupAHost ... as
A little background ... I have this blog set to "Approve" most content that is added via the
You probably know about these clones of reportblogsite, but if not...
dotinfonews.com
mediafornews.com
newspaceinfo.com
reachnewschannel.com
reachnewsonline.com
saveyournews.com
skyviewinfo.com
supernewsblog.com
surfnewsmag.com
topviewreport.com
tvnewsmag.com
viewforinfo.com
That's a new one on me. I've seen a pattern to the way the owners of these sites generate traffic, using a complex network of redirectors that I've documented on my own blog at
tacit.livejournal.com/238112.html
but I haven't seen the attackers generate traffic to these sites using lookalikes of blogging sites before. Very interesting.
LOL! ... nice catch dude
Something tells me we're up for a whole heap o' fun over the next few weeks ...
Though you'd have thought they'd have learnt at the very least, the basics of hiding a completely BS "acquisition" .... rule number one of which, is not publishing the fact that the companies involved are all at the same address, lol.
please add this
top.proext.com
t.proext.com
adpro.ua
ads.expekt.com
a.faireagle.com
b.faireagle.com
adwork.net.ua
br.gcl.ru
gcl.ru
adv.wisdom.bg
www.quantcast.com
quantcast.com
adserver.mediarun.net
ads.consultcommerce.bg
api.clickability.com
marketing.futurenet.com
qle.ru
s.agava.ru
js.ua.redtram.com
ad.bpt.tbn.ru
ad.auto.tbn.ru
Great stuff, Mike - keep it up!
zango is so stupid they don't know what is badware
They're just stalling the court by saying Kaspersky is badware lolo how retarded
"go back to school zango"
this might be off-the-wall, but i noticed that another company, "encore", is marketing a "spyware doctor 2008".. "encore" looks like it is a similar type "business" where they are marketing rebranded products..
someone said that they were having problems with "spyware doctor 2008", which does not come from the "pctools" website, so i looked into it..
Tom,
I wouldn't doubt there are many companies that rebrand other popular products ...
Following up on a post from Sandi who is reporting yet another malicious advertisement (.swf) that redirects
Following up on an article from our friends at BleepingComputer " How to remove Malware Bell "
check and add
click.begun.ru
click01.begun.ru
click02.begun.ru
click03.begun.ru
ypn-120.overture.com
eu-pn1.adserver.yahoo.com
ad.aimedia.com
re.adroll.com
static.robotreplay.com
nebuad.adjuggler.com
secure.webstat.com
s1.adwatcher.com
s2.adwatcher.com
s3.adwatcher.com
s4.adwatcher.com
s5.adwatcher.com
s6.adwatcher.com
ubergizmo.us.intellitxt.com
ask-leo.us.intellitxt.com
we7.adbureau.net
ac.all.bg
freemu.info.powered-by.zango.com
bannerbg.com
www.newplay.bg
I stumbled across one of those rogue sites that tries to trick you into installing a new video active-x codec. How and where should I report it? thanks.
ubal@comcast.net
It's amazing the lengths these culprits will go to ... landing on the following site not only do
The image isn't being displayed, perhaps because of the asterisks in the file name (west-video-***.gif).
Thanks Dean ... it showed up in the preview? It should be displaying now ...
i was surfing the web one day and got this avxp spyware infected in my computer. The avxp prompts were all over my computer, and the background changed. The prompt wanted me to do a "fake" virus search and buy the software. It wouldn't let me exit the prompts at anytime.
I've blogged about this several times ...[ here ] [ here ] however as I am frequently asked about
How do you get rid of this program if you have fallen for the scam?
Hi. I would be very interested to hear from you what the difference was in the current hosts file you have and what was observed as suspended from that list?
I can be reached at brian.krebs@washingtonpost dot com. If you send me an email there, I will reply from that address.
Thanks.
Bk
> when running a program I use to validate the DNS of each entry in the HOSTS file
Just curious... which program do you use for this?
To validate I use CIP
www.snapfiles.com/.../cipfree.html
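Two things in this thread come down to the shape of a hosts-file line: the question above about using 0 versus 127.0.0.1 in front of a blocked name (and the Symantec alert on the 127.0.0.1 om.symantec.com entry), and the www.interactivebrands.com line that went out without its localhost IP; the comment just above adds a third, validating each entry against DNS so suspended domains can be found. The Python below is an added example that does all three. It is not the MVPS project's tooling and not the CIP program Mike uses. The sample hosts text and the stub DNS table are constructed; `live_resolver` uses the system resolver and is only there to show how a real run would be wired in.

```python
"""Hosts-file linter and resolver check.

Added example: not the MVPS project's own tooling and not the CIP validator
mentioned above. The sample hosts text and the stub DNS table are constructed.
"""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# A hosts entry blocks a name when it points at loopback or the unspecified
# address; "0" is the short form some people prefer over 127.0.0.1.
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "0", "::1"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile("^" + LABEL + r"(?:\." + LABEL + ")*$")

Entry = Tuple[str, str]  # (target address, hostname)


def parse_hosts(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse 'ADDRESS HOSTNAME [HOSTNAME ...]' lines (with '#' comments) into
    (entries, problems). Problems carry 1-based line numbers and cover: a
    hostname with no address in front of it, an address that redirects instead
    of blocking, a malformed hostname, and a duplicate hostname."""
    entries: List[Entry] = []
    problems: List[str] = []
    seen: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        target, names = fields[0], fields[1:]
        if not (IPV4.match(target) or target in BLOCK_TARGETS):
            # e.g. a bare 'www.interactivebrands.com': the localhost IP is missing
            problems.append(f"line {lineno}: no IP address before '{target}'")
            continue
        if not names:
            problems.append(f"line {lineno}: address {target} has no hostname")
            continue
        if target not in BLOCK_TARGETS:
            problems.append(f"line {lineno}: {target} is not a loopback/null target, "
                            "so this line redirects rather than blocks")
        for name in names:
            if not HOSTNAME.match(name):
                problems.append(f"line {lineno}: '{name}' is not a valid hostname")
                continue
            key = name.lower()
            if key in seen:
                problems.append(f"line {lineno}: duplicate of line {seen[key]} ({name})")
                continue
            seen[key] = lineno
            entries.append((target, name))
    return entries, problems


Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Real lookup through the system resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_entries(entries: List[Entry], resolve: Resolver) -> Dict[str, List[str]]:
    """Split blocked hostnames into those that still resolve and those that do
    not. A name that no longer resolves (domain suspended or dropped) is a
    candidate for removal; a resolving one still earns its place in the list."""
    report: Dict[str, List[str]] = {"resolving": [], "dead": []}
    for _, name in entries:
        if name.lower() == "localhost":
            continue
        report["resolving" if resolve(name) else "dead"].append(name)
    return report


# Constructed sample input (not the real MVPS file).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 om.symantec.com      # legitimate block entry that a scanner flagged
0.0.0.0   ads.example.test     # null-address form of the same kind of entry
www.interactivebrands.com      # defect: the localhost IP was left off
127.0.0.1 ads.example.test     # duplicate hostname
10.0.0.5  bank.example.test    # redirects to another host instead of blocking
"""

# Constructed stub DNS table standing in for the network (203.0.113.0/24 is
# documentation address space); names not in the table do not resolve.
STUB_DNS: Dict[str, Optional[str]] = {"om.symantec.com": "203.0.113.10",
                                      "ads.example.test": None}


def stub_resolver(name: str) -> Optional[str]:
    return STUB_DNS.get(name)


if __name__ == "__main__":
    found, lint = parse_hosts(SAMPLE_HOSTS)
    for msg in lint:
        print("LINT:", msg)
    # Swap stub_resolver for live_resolver to check a real file against DNS.
    print(check_entries(found, stub_resolver))
```

To run it against a real file, read the text from the hosts file (on Windows that is `%SystemRoot%\System32\drivers\etc\hosts`) and pass `live_resolver` to `check_entries`; the "dead" list is then the set of blocked names whose domains no longer resolve, which is the same information the rescans described in this thread are after. The linter treats both 0.0.0.0 and 127.0.0.1 as valid block targets, matching the thread's point that either works and neither is wrong.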
Knujon News reports " Directi is now severing ties with Estdomains amid complaints that the Eastern
WVFiber just said it plans to drop connectivity to Atrivo/Intercage this week. Also, nLayer is demanding some 7,400 IP addresses back from Atrivo.
See the updates at:
voices.washingtonpost.com/.../scam-heavy_us_isp_grows_more_i.html
As I reported the other day about the thousands of suspended domains ... it appears that even more domains
I have been keeping a close watch on the amount of suspended sites in the MVPS HOSTS file ... rescanning
Please see this forum thread:
www.malwarebytes.org/.../index.php
You guys are doing a great job there ...
Just days after Security Fix exposed " Klikdomains" and the connection to "VIVIDS MEDIA
I am reminded of an old story about a man who set up a company as a glazier. In order to make his business do well he had half the employees go out at night breaking windows to provide work for the other half working during the day. Needless to say his company grew in wealth with lots of work for all. lol
Smart way to get ya
I reported on Sep 8, 2008 that the sites " innovativemarketing.com " and " setupahost
how to remove this?
Congrats on the MVP award. It is most deserved. I've been using your hosts file on my home systems for a while as one layer of protection in a defense in depth strategy. And it has no doubt saved me from potential problems various times while browsing the net. Keep up the great and valuable work! :) Thank you!
Congratulations on being re-awarded!
Thanx you perfect Docs
Congratulations on your 10th consecutive MVP award. Always nice to be recognized. I've been using your HOSTS file for about three years and have no doubt it's saved me more than once. Your efforts are greatly appreciated. Thanks!
Ten years already? Wow. What you've done literally defines service to the community Mike. May you get many more.
You are doing some brilliant work and millions of users appreciate it, the award is more than deserved, well done!
The other day I mentioned I found an exploit that tries to infect Windows and also attempts to open Windows
In the third paragraph, 'scream' is spelled wrong.
i used a dev pc to test the site and after installing the malware the movies worked!!!!!
maybe this is the beginning of a new tactic ( ie providing sound clips when the file isnt installed but after installation playing the movie) i will have to keep an eye on this one
I love your picture for this entry, It does say it all for how bad moving is.
Best wishes in your new home (as you rightly say, moving sucks)
Happy Holidays to you and your family from Florida!
all the best jim from Scotland
Ok that just sucks, a spyware killer gets hit with spyware/malware etc whatever the case may be, ironic really. It is funny but it isn't yannow.
Sad what the world is coming to these days when a legit business gets hit like that, that just has to really suck.
I dont use them, but still I have seen some people do, just really bites. *sigh*
Thank you. Over the last few years this list has saved me no end of headaches.
Thank you very much for your work!
I started using your host file earlier on after seeing jimmyr's introduction to it and it's really working great (especially after disabling DNS as per your advice).
Recently I was advised of a new site (ms-mvp.org) that is redirecting to pcbutts1 .com ... which I have
That guy needs professional help with his head.
What a lifetime lamer.
It would be nice if you could post the HOSTS file additions that we need to add in plain text format instead of an image ? :)
Hello
I'm the owner of the site siri.urz.free.fr (SmitfraudFix). pcbutts has stolen code from many security researchers and claims that we are liars and thieves. Now he pretends to be an MVP (but he also blocks the real MS MVP site in his modified hosts file!)
He may certainly think that there is a conspiracy against him ;)
Toppy,
I make hundreds of changes in the HOSTS file between updates ... so it would be a bit much to post additions all the time. As for the "image" ... people just can't help themselves and would end up copying the entries and visiting these malware sites ... thus infecting themselves.
If really needed you could copy the sites listed by hand, but these are just a few of the hundreds of changes made between updates ...
S!Ri,
It's more like "he's a legend in his own mind" ... there is no conspiracy ... I'm just pointing out the evil in pcbutts' ways ...
maybe a subscription to www.changedetection.com might help with catching up with the updates?
Ovidiu,
re: changedetection.com
That option requires the user to give their email address to a 3rd party ... not many people are really willing to do that.
You can always use the option on this blog to get notified when there is a new post.
Quite understandable, especially given its popularity. I've found HostsMan to be a great way to keep the Hosts file automatically updated. Set it and forget it. www.abelhadigital.com/.../hostsman-3157-released.html
Maik,
The auto-update feature only exists in the beta version ... generally I do not recommend users running beta versions, but thanks for the suggestion.
I'm using v3.1.57 and it auto-updates the Hosts file. So far as I can see, this is not a beta release.
Hello. I wanted to thank you so much for providing such a great tool/resource to help keep our computers protected from the bad guys. I'll definitely add a reminder to my calendar to visit your site at least monthly to get the latest HOSTS updates. Great work!
If you follow the download link from their page you end up here:
HostsMan 3.2.70 Beta 6 / 3.1.57
www.softpedia.com/.../HostsMan.shtml
Why not use something simple like an RSS feed for announcing updates to the hosts file list? This requires minimal effort, does not require end-users giving any information to any parties either.. just a thought.
Christer,
Thanks for the suggestion ... however not everyone uses "RSS" ... but if needed they can be notified via this blog when there is a new post.
True to a certain extent - Blinkx acquired less than 10% of assets including IP and Hardware however will not be taking on any of Zangos liabilities.
Looks like Blinkx have just bought some assets and IP off Zango - but as usual blinkx shareholders aren't being told a single thing.
I hope Blinkx's tech is better than its PR and IR, that's all I can say...
I recommend not using this toolbar because Zango will spy on your searches.
I noticed that "titmix.net", which was mentioned in one of your recent posts, is no longer included in the winhelp2002 HOSTS file. When I checked "titmix.net", I saw that it now has an IP address that is different from the one it used to have before, but nonetheless it is still resolving.
>>>Yes it's a shameless plug ... but I got a nice writeup today on their blog ...
That's a great write-up about your great work! WTG, Mike!
Thanks Donna ...
Just so you know they are using the Flesch-Kincaid readability score.
According to my research here is the breakdown of the scores:
90 to 100 - 5th grade
80 to 90 - 6th grade
70 to 80 - 7th grade
60 to 70 - 8th and 9th grade
50 to 60 - 10th and 12th grade (high school)
30 to 50 - college
0 to 30 - college graduate
So you have to be a college graduate to be able to read/comprehend Adobe's Privacy.
Thanks
For the best Hosts file
I was waiting for that
Keep up the good work
Thank you very much for this good work.
It's good to know that you help us walk securely through the internet!
I noticed you added or updated *.addthis.com a social bookmark tool. Shall I edit it out to allow ?
You can see where it is blocked here >
www.cbc.ca/.../washington-dc-train-crash-death-toll384.html
*.addthis.com # edited, fixed. However invasive the item may be as I do throw the odd URL onto FaceBook (no plug)
Please check these ad and tracking servers from bg and pl:
Please add them if they match your criteria.
Randy,
"addthis.com" is owned by Clearspring Technologies (Advertiser) that was mentioned as one of the worst offenders via WebBugs in the report on my last post ...
Understood, I'll remove the # out.
Thanks for the feedback.
i've added "insider.msg.yahoo.com"
to block Yahoo Messenger ads
thanks again
Any plans to make an InPrivate Filtering version of the MVPS Hosts file? This would work well for those of us who cannot conveniently manually disable the DNS Client.
I have converted it to "InPrivate Filtering .xml" but IE8 becomes very, very slow.
Rob,
Sorry I have no plans to add an "InPrivate Filter" list ... the HOSTS file itself takes all my free time as it is ...
Why is it the comment I made on the previous blog post wasn't "listened to"? I gave you a list of domains you missed, I also asked you to hide the comment which you did and I also gave you my email address if there were any problems.
You didn't add the domains and you didn't email me with any sort of explanation, I'd like to know why?
Paul,
What comment? I went back thru them and yours does not show up ... so how am I to respond if there is nothing to respond to?
FYI: there is no option to "hide" ...
Here again we find another bogus Antispyware program that does nothing but take your money ... with a
That's how I know Comodo (Malware pretending to be Securityware from the very beginning).
Still most of the people are being tricked by their aggressive marketing ideas for spreading their euhm protecting software.
I've always used Comodo on my computers. No more, thanks to you! I now use Online Armor, and I couldn't be more pleased. Thanks for ferreting out these wolves in sheep's clothing.
This is the same outfit that took BOClean off the market as a stand alone malware app. What a shame.
I'm too lazy to type the entire list again so here's a screenshot of some blocked things from the network in question.
img18.imageshack.us/.../urlse.jpg
You people need to realize ANYONE can ask for a certificate which does nothing more than say the website is a valid website. It does not say the website is a secure site, it does not say the website is not malicious in intent. That is not the purpose of the certificate issued. These certificates are issued by not only Comodo. Why are you solely focused on Comodo? Is it because they scare you the retail AV vendors with their products?
Get a life and start dealing with real issues!
@ John. The only people they are scaring are their (current\former\would-be) customers. The free vers. was one of many that I carried in my tool-kit to suggest to my Clients. It has since been removed from my kit as well as their name from my vocabulary. Unless of course I am specifically asked about their product(s). I relay the current state of affairs, stating the current information and providing links, to the Comodo forum as well. The Client then has all options available. I know of none that have gone with Comodo and several that even tore up their paid for vers. lic. and went to other software.
Hahaha,
The first Melih puppet has arrived :-)
Why don't you publish posts that disagree with you?
Donna
You don't understand anything about Domain Validation and how it works.
Feel free to join us here, and more info is here from the CEO him self:
forums.comodo.com/.../here_we_go_again-t42573.0.html
Posting misleading comments won't do any favours by the way, and your ignorance shows even more.
Cheers,
Josh
Yeah !
Comodo, we create trust !
:rofl:
For some reason, people think there must be some other motive when companies produce free products.
Why is Comodo selling these certs to malicious sites? These certs ARE NOT saying that the site's products are safe. It is just securing the transactions to and from the site.
I have found all of Comodo's products and services trustworthy. People just see something fishy when someone gives good programs out.
BTW, Comodo revoked the cert within minutes of hearing about it.
A security company needs to have higher standards for certs, and as Donnas says, the other companies have better plans in place.
I would like to personally thank Donna and the others at this site for continually providing us with the best examples of misinformation and propaganda since Nazi Germany and the Cold War after that.
Matt.
The issue is simple: There is NO standard for Certificates (Domain Validation) - the yellow padlock you see on a site, Certification Authorities are all doing. Comodo tried to address this but GoDaddy/Verisign didn't want to get rid of DV. As long as you got $$ for DV, no validation, come and get it! This is why Comodo recommends EV (Extended Validation) so you see a GREEN bar and YOU CAN validate who you're encrypting for!
Comodo also set up this - Where again, Trying to create standards: http://www.ccssforum.org/
Pls use that, and the contact site, of ANY malicious site using DV, So the relevant companies can act on it.
@3xist and the other Comodo supporters,
Two issues here, firstly, this is NOT DONNA'S BLOG!!!!!!
Secondly, Comodo have a CHOICE as to whether or not they offer DV certs, if you don't like them/don't recommend them, STOP OFFERING THEM! - and no "everyone else is doing it" is NOT a defense.
Third and final, you CAN verify the websites associated with the certs you offer, DV or otherwise. The person signing up for a cert evidently has to tell you the site they are using it for - this instantly allows you to verify its validity.
After reading your last blog regarding comodo I did some checking on their Chief Exec's claims. It seems he/she was right. To date, comodo are the only issuer that wants to either kill off DV certs, amongst other (interesting) things.
Are you sure this is not blue-on-blue? Seriously.
John,
re: they scare you the retail AV vendors"
Huh? I don't sell anything nor am I connected to anyone that does.
LaserWraith,
re: Comodo revoked the cert within minutes of hearing about it."
That's fine ... but the whole point was that they revoked their certificate from the same people previously ... so why does this happen again?
First of all I want to make it quite plain that the thoughts and opinions made by me on the Comodo forum, are my own and they in no way reflect those of Comodo.
I am not associated with Comodo or their affiliates, I am simply a volunteer Moderator.
It seems a recent comment made by me, in jest, has been taken, by some, to reflect the views of Comodo, this it does not.
I have taken it upon myself to post here, to disassociate my views from those of Comodos and also to apologise for any harm, perceived or otherwise my comment may have caused.
Toggie, your joke or not joke to hack my site calendarofupdates.com is unacceptable. A moderator of a security forum should not threaten or write that way in "public" in any manner. We can voice our concern in many manners, but to say hack my site in any way is not acceptable. Glad to see it is gone (your post) and that you apologized. Apology accepted. Here's hoping that you will understand our concern. It's nothing personal, but it's the push they are doing and the work they are doing in attending to whatever is reported and voiced to them. Instead of working on it... they are blaming other services that are similar to them. They forgot that they are offering a desktop security product that other cert vendors do not. If they flag a bad file from a bad domain that has a Comodo cert... that should ring a bell to them. If they don't, then it's so obvious that they are not serious in protecting and providing what they call "creating trust online".
calendarofupdates.com
msmvps.com/donna
www.theregister.co.uk/.../ca_mozzilla_cert_snaf
blog.startcom.org
bugzilla.mozilla.org/show_bug.cgi
Yet again we find the same group "ISystem Inc" scamming the public with their bogus products
with all the money Comodo gets from this and their toolbar they start now paying people for creating positive video reviews of their products... see forums.comodo.com/.../1000_from_comodo_for_your_video-t43021.0.html
Yeah, that is their primary tactic from the very first start, now that they have the cash at hand, and the power to overpower they start to "buy" positivers. It's like the digital Mob.
From MVPS Hosts News blog by MS MVP Mike Burgess: Yet again we find the same group "ISystem Inc"
The above cert has now been revoked. Thank you for bringing it to our attention.
This was a free ssl certificate for 90 days.
Melih
That is the trial version of your SSL cert, Melih, which went through many steps to register including Domain Validation 1 and Domain Validation 2. Not all applicants of your cert You revoked the cert, that's good, but please answer this question:
Why is the same group, ISystem Inc, able to get a cert whenever they want?
Why do the same people behind different malware domains continue to get certs from you?
Don't you have a blacklist of IPs and locations so your cert will not be used by them again?
Many in the security community don't trust Comodo certificates anymore. Trust online is not in Comodo if you don't do something better.
Revoking is another move, but show us something better.
Creating a group or association to help stop rogues is not the answer to this. There are so many groups or associations already that claim this and are joined by vendors already, but it's not what it is. It's about the issuer of certs. Other vendors that joined your group are not issuing certs. You are issuing the cert to malware domains. Revoke when highlighted? Prevent it, Melih.
BTW, you know a fake antivir website is also using your cert right?
Despite all the claims that Comodo do not support DV certs, dubbing them 'Dangerous Validation', it's still quite clear that Comodo are happy to make a profit from DV and then shrug their shoulders when things go wrong. For a company that (claims) not to support the use of DV and uses a poor excuse to justify this two-faced action (along the lines of, we sell DV to upsell to EV - hello, that's like saying I sell drugs to kids so that I can tell them how bad it is). Yet Comodo this week ran a promotion (via twitter) offering a 'roll up roll up' on Essential SSL (DV) which is free to users of Comodo competitors. If DV is really a bad product, the only way you can stand on your soap box is to stop promoting it and make a stand on OV & EV.
"we sell DV to upsell to EV - hello, thats like saying I sell drugs to kids"
Selling DV certs is like selling drugs to kids??!
Do you people have any shame?
@Melih
one more from the same gang extra-antivir.com
Avoiding the issue of DV and pretending that it doesn't exist and as long as Comodo doesn't issue it everything will be fine is not going to solve the DV problem.
The problem with these fraudsters is that DV process is too easy for them to take advantage of. DV only checks if the site owner owns the domain or not. There is no other check. Verisign and Godaddy own around 90% of this market. I have been very vocal in www.cabforum.org to bring higher standards so that end users can be protected. It has met with resistance with people from Verisign and Godaddy. But I am continuing to push for better standards as DV gives a trust indicator to fraudsters hands.
As to some basic checks like, IP etc etc.. been there and done it..doesn't work! These people are professional criminals! They know how to change their IP when applying for a cert, how to create a new identity etc etc. We are coming up with different defense mechanisms but we'll see how it will work.
To people who claim we profit from these:
Fact 1) These are all FREE SSL certs. We don't get money from them (notice the duration of the cert is 90 days; these are trial certs we issue).
Fact 2) We issue over 300,000 certs a year; some fraudsters getting a free cert or two costs us money in reality!
So what can we do to fight this?
1)We need to get a standard (yep.. there is NO STANDARD for issuing DV certs today) that mitigates fraudsters having access to this yellow padlock (nothing ever is 100%)
2)We all need to work together and report these sites so that they can be revoked quickly again limiting the damage. Common Computing Security Standard Website has a reporting form where this is fed to all CAs quickly. www.ccssforum.org/report.php . Please use this to report any maliciously used certificate so that it can be acted upon quicker.
Pls feel free to engage in a discussion (here or in Comodo forums) as to how we can make it safer for the end user. Again, Comodo stopping issuance doesn't make it safer, it might even end up with other CAs who might take much longer to revoke maliciously used certs. And a DV is a DV, yellow padlock indicator does not differentiate between vendors.. Users just see the yellow padlock and trust it.
solution = stop providing free/trial DV certs! Comodo tries to promote EV certs (because they are more expensive), so they make DV be/look useless (and that Comodo creates forums and websites where other sellers are needed to join is a bogus marketing strategy).
We did a manual check to see how many of the malware related sites (sites that are pushing rogue AV products or other malicious activities, not including fake investment scams etc offered by fraudsters) use SSL certs to create legitimacy in an attempt to dupe end users.
The site is called www.malwareurl.com which has a list of malware related URLs (this is just one of many sources) We checked the last 2000 entries from www.malwareurl.com/rss.xml
for malware websites with certificates. The list and the corresponding certificates are attached.
secureoem.com/.../order Equifax
secure.signupsecurity.com/p05(S(4xghlr45eyy5dd45f33jqub4))/join2.aspx GoDaddy.com, Inc.
secure.yclinks.com/p05(S(r02vzt55hmnxlh45vy5dvj55))/join.aspx?siteid=freemovienow_cm&product=30&cli=7&descriptionid=new-movies&lng=en GoDaddy.com, Inc.
secure-plus-payments.com/.../buy_soft.php Thawte Consulting cc
secure.cc-process24.com Equifax
secure.mpsjoin.com/.../index.php Equifax Secure Inc.
secure.payment-cc24.com/payment Equifax secure.payment-cc24.com.p7c Session-based link. Redirected from: pcsecurity09.com/buy.html
https://1-vscodec-pro.com Thawte Consulting cc
secure.onlineinternetpayments.com/billpav Thawte Consulting cc
secure.innovagest2000.com GoDaddy.com, Inc.
secure.paysecorder.com/order Equifax Secure Inc.
You see, wouldn't it be better for the end users if all the above certs were from Comodo? They would have been revoked by now!!!! DV is a dangerous tool!
@Herbert: As you can see above, Fraudsters are already using the other providers in a bigger way (you will find more certs maliciously used that belong to other providers than Comodo). So Comodo stopping issuing DV will NOT help end users. At least now we all talk about this and it gets reported and Comodo acts on it and end users get protected! Look at the above Certs.. they are still not revoked! Believe me I wish I didn't have to deal with the hassles of DV. It represents a tiny (tiny) amount of sales for us and the hassle it causes it much bigger than its worth to us. But I can't let this stop us from protecting end users! Hence why I am here at 11:38pm plugging away at this. I initiated www.cabforum.org (didn't have to!), I initiated www.ccssforum.org (didn't have to!), I decided to give top notch Free Security product (didn't have to). I am selling DV (didn't have to) but I also know if I pretended DV didn't exist and don't take the bull by its horn, fraudsters will simply go get it from other providers and the certs they use might not get revoked in a timely manner. And end users are the losers at the end in that scenario.
The solution is not to pretend DV doesn't exist. The solution is to introduce stronger standards for DV so it's not easy for fraudsters to obtain it, and until that happens the solution is for everyone to report these sites to www.ccssforum.org/report.php so that it can be acted on quickly.
Melih,
Mike's question and everyone's question including mine was "Why does your company continue to issue certs to the same gang?"
Let me re-phrase that: "Why does Comodo continue to provide certs to malware domains that are from the same group that you've revoked?"
Comodo seems not to apply what other cert vendors can do in protecting their own service so that end-users will not become victims. They seem to know how to implement "creating trust online" better than you do. Verisign said:
"Yes, we can revoke a cert whenever we want. But more importantly we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place."
"The system we have in place automatically rejects obviously fraudulent sites and kicks anything questionable to a manual approval. And if anyone flags a site as malicious, we have a team that investigates these and revokes the certificate if found to be malicious/fraudulent."
"For GeoTrust and RapidSSL we have the ability to revoke a cert issued to a malicious or rogue site instantaneously. The cert will then show up on our CRLs immediately."
www.thetechherald.com/.../Criminals-using-Comodo-to-attempt-legitimacy
You said those fraudsters are professionals, which is true, but as you can see Melih, other cert vendors do not care whether the cert offender is a professional or not. That is not an issue for them. If it's a known fraudster they have a good system to handle it and a good team to monitor and investigate it. What about Comodo? It's been 2 years that your certs are found in malware domains, and until now do you have a high standard of checking like other cert vendors have?
You said you are coming up with different defense mechanism. Good luck! Let's hope Mike and others will not have another blog entry like this. If there will be, we'll see the date that the cert was issued.
I made a post but it's not shown up yet (?), where you could see the other vendors' certs used by malicious sites... more than ours! So your statement and inference that other CAs have got it sorted is totally misguided and wrong.
I have a similar post in our forum here forums.comodo.com/.../bad_comodo_bad-t43119.0.html;msg312958
with the details of some of the certs we found from other CAs.
Again, DV is inherently vulnerable and fraudsters will continue to abuse it! Actually Comodo has the lowest ratio of malicious use of our Certs compared to our market share as can be seen from my post in our forum.
Again, Donna, you are misguided to think other CAs are not vulnerable or don't have their certs maliciously used. And you are misguided to think DV malicious use can be stopped.
@Donna
You are asking the same question that I already answered in my post of Friday, July 24, 2009 11:47 AM by Melih.
Pls read it the answer is there.
But let me expand on it more:
Do you really think that these criminal outfits come to us and say, hey Comodo, we are the same criminal outfit that got a free cert from you and you revoked it, can you pls give us another one!!! Pls get real Donna... These people hide any traceable information that might link their new application to the previous one that got revoked. You are underestimating these professional criminals Donna, a big mistake!
Your naivety in this subject is scary as someone who claims to be in the security world.
thanks
I think this was the best question ... that went unanswered ... about the discussion on your forum:
Yes, I know that usually CAs only check if the site owner owns the domain or not, but why don't you change the standard for yourself?
If you are pushing for better standards, why don't you use them instead of waiting for others to?
Is there some "rule" prohibiting you from doing so? If not, why don't you set the example?
forums.comodo.com/.../bad_comodo_bad-t43119.0.html;msg312955
Rather than trying to discredit the people reporting on this issue ...
"Why don't YOU set the example?"
The problem in fact boils down to two issues here.
First, the certs issue. The fact other cert vendors may or may not have standards or systems to investigate and revoke certs is merely part of the solution. Putting a halt on providing free and trial certs as those in question from this moment on by all cert vendors would be the way to go, in combination with fast and solid investigations from already provided sortalike certs.
The tricky part is, these free and trial certs are in fact commercial teasers. All cert vendors do provide them with one goal in mind: selling "the real stuff" in the end. Earning money is what it's all about in the end.
It may not come as a surprise cert vendors are far from willing to drop providing free and trial certs for that reason: it's the start from their main source of revenues.
Comodo is no exception to the rule here. Does this put Comodo off the hook? Certainly not. Although I applaud all sorts of actions as mentioned by its CEO to tackle this issue, it's bound not to work - it never has and never will. Far stronger rules should be applied - see above.
So the ethical versus commercial consideration arises: should Comodo stop issuing free and trial certs? Ethics say: "here and now". Commerce demands: "never. It does cost us far more than we can and wish to afford. Our competitors will laugh all the way to the bank". The conclusion: Comodo picks and will pick the commercial point of view. And Mike will keep on posting over here for years to come about this subject.
Second issue: Comodo is rapidly getting involved in creating various security related softwares. Fairly all of them do have at least a freeware option. This comes with a huge price tag (vast team of employees, bandwidth costs etc.). And here the connection with the first issue is obvious: this price tag most probably is mainly coming from the certs revenues.
It's rather obvious, the combo "certs" and "security software" is a fairly impossible one, not to say a contradictio in terminis.
Personally, I do see the overall marketing concept behind this combo concept. It's a rather smart concept as well from Comodo's perspective. Unfortunately, there's one misconception implemented: the real money maker source - the certs as being discussed. This misconception may well backfire in the end.
On a personal note and well intended: I'll take it your lunch invitation in NY from a while ago still stands, Melih :). I do wish you all the wisdom needed in dealing with the situation at hand.
Paul Wilders
(yet another darned Microsoft MVP since say 2002 or so)
This "audited" comment system looks indeed awkward considering that a comment suddenly appeared before the one posted by Donna or that it usually takes hours (or even a day) to post a reply.
The focus is clear and the tone is too and it looks way more easy to abide to the pre-laid path with eyes closed than addressing the substance of the arguments and the premise provided.
It would be really interesting though to read an article thoroughly detailing what procedure and checks should be necessary for DV certs in order to unequivocally identify legitimate requests from malicious ones during application.
It would be crucial to not neglect how circumstantial suspicion criteria should supposedly be handled, to not illegitimately deny applicants using assumptions the likes of IP or ISP which are not meant to unequivocally identify people (though they could be undoubtedly used afterwards, providing that impression).
Indeed a technical article in this regard could be less interesting for casual readers but would be unlikely to pass unnoticed by other security experts reviews for completeness, inaccuracies or weaknesses because the focus would be to find a reasonable, realistic and efficient solution for the benefit of everyone...
@winhelp2002
Actually that question has been answered many times, including in my posts above.
Hey Donna, you remember the site that you complained had a Comodo DV, http://windowspcsuite.com ? It's now using an Equifax DV.
Stop complaining about Comodo and go complain about the other CAs who don't even give a curd for their end users' security!
This is too funny!
The very website you (the site shown above in the main blog) complain about is now using Geotrust Certificate (A Verisign Company)..
The very company that Donna thinks is immune to fraudsters! Lets see how long it will take them to revoke this cert! Count down starts now :)
No one said that other cert vendors have not issued certs to other malware domains. Don't say I'm a total fool because "no one here including myself" has said that other cert vendors have not issued certs to malware domains.
The differences?
1. Comodo "continues" to issue it even after you revoked from the same group/gang.
2. Comodo offers not only certs but desktop security software. Other cert vendors don't offer security software. Comodo has more responsibility and should have a better strategy.
3. You or Comodo admitted that you are doing this because others are doing that. That's a lame excuse. Many times people have asked you to start to show an example on whatever standard that you think is better, and we'll even praise you if you will show to the world that you are doing better than other cert vendors.
4. Comodo is offering free 90 days of DV certs! You are promoting DV which you said is "not good". Promoting something that you know is bad is adding to the problem instead of preventing it.
5. Last but not least, Comodo questions the ethics of people who report instead of working on it. To tell us that we are targeting Comodo alone is simply untrue. We are not misguided. We look at the history and report... we look at track records.
I'm glad to see your answer about why Comodo continues to issue certs to the same fraudster. That's a lame answer you've got. You have desktop security software that has detection for particular malware. Ever heard of heuristics? The same behaviour will be flagged. That is the same method that you can apply in your cert business. Same gang, a bell should ring. If not, monitor it then revoke before anyone becomes a victim. What is happening is you failed to monitor. You wait for reports from people whose ethics you questioned. Oh well...
This is going in circles. No wonder MVP Steven Burn stopped talking in your forums, because it's useless. You keep pointing fingers and going in circles.
'Nuff from me. I hope not to see another blog or report that Comodo has issued a cert to the same gang or other malware domains.
1George,
Who said I reported that domain to Comodo? Are you like Melih, who is confused on who is Donna, Mike and Corrine?
Read my reply earlier. I said 'no one here has said that other CAs don't issue certs to other fraudsters'. The problem is Comodo continues to issue to the same fraudster. In my post there are differences between Comodo and other cert vendors. Wait till my post appears.
But Donna, don't you know that no CA has a system to check if the DV is being given to a repeat offender?
What happened to Comodo here happens to all other CAs way more often; just because you don't/won't notice it or find one doesn't mean it's not happening to other CAs also.
You just answered your own question. It happens more often with Comodo certs, which means? More malware domains have certs and the worst part is... the same offender gets the cert again, again and again. The action of Comodo to prevent this from happening is what? There must be action to prevent this, or else Comodo certs should not be used by non-malware domains because many people will block and not trust Comodo certs anymore.
>>>But Donna dont you know that no CA has a system to check if the DV is being given to a repeat offender.
You better ask that with Comodo because Verisign claim that they have a system to automatically reject known fraudelent (repeat offenders) and their manual system handles questionable domains that try to get a cert. So if Verisign can do that... your belief that no CA has system to check if DV is given to repeat offender is incorrect.
You're right "pay1.windowspcsuite.com" now redirects to "stonewave.net" which is hosted at the same location as the others ...
# [Netdirekt][95.168.163.0 - 95.168.164.255]
127.0.0.1 aquabilling.com
127.0.0.1 secure.aquabilling.com
127.0.0.1 secure.bestbillingpro.com
127.0.0.1 secure.payment-cc24.com
127.0.0.1 pay-secure.net #[ISystem]
127.0.0.1 safe-pay-vault.com #[server down?]
127.0.0.1 stonewave.net
127.0.0.1 webexpressbill.com
127.0.0.1 secure.webexpressbill.com
www.robtex.com/.../stonewave.net.html
As for the actual culprits, they all use the same upstream provider = AS30407
# [Velcom / Teleglobe][AS30407][64.86.16.0 - 64.86.17.255]
# [Global Crossing][AS30407][64.212.0.0 - 64.215.255.255]
# [Rcp.net][AS30407][206.53.48.0 - 206.53.63.255]
If you view the Google Diagnostic report you'll see they are bad characters ...
www.google.com/.../diagnostic
In my opinion Comodo needs to step up and take a different approach, as the method now in place clearly doesn't work ... thus my comment:
"Why don't YOU (Comodo)set the example?"
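The HOSTS entries quoted in the comment above are the raw material for a blocklist, and lists like this are usually merged from several sources, so duplicates and malformed hostnames creep in. The following is an added example, not code from the original post or from the WinHelp2002 project: a small Python parser that reads a hosts-file block, validates each hostname against the RFC 1123 label rules, drops duplicates (first occurrence wins) and re-emits a normalized block. The sample input is constructed here from the entries in the comment, with one duplicate and one invalid name added to exercise the checks.

```python
import re
from collections import OrderedDict

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample modelled on the block quoted in the thread. The last two lines
# are deliberately bad: a duplicate and an underscore in a label.
SAMPLE_HOSTS = """\
# [Netdirekt][95.168.163.0 - 95.168.164.255]
127.0.0.1 aquabilling.com
127.0.0.1 secure.aquabilling.com
127.0.0.1 secure.bestbillingpro.com
127.0.0.1 pay-secure.net #[ISystem]
127.0.0.1 safe-pay-vault.com #[server down?]
127.0.0.1 stonewave.net
127.0.0.1 secure.aquabilling.com
127.0.0.1 bad_host.example
"""


def valid_hostname(name):
    """True if every dot-separated label satisfies RFC 1123 and the total length fits."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def parse_hosts(text):
    """Return (entries, problems).

    entries maps lower-cased hostname -> (address, comment); the first occurrence
    of a hostname wins. problems is a list of (line_number, reason) for lines or
    names that were skipped.
    """
    entries = OrderedDict()
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, _, comment = raw.partition("#")   # everything after '#' is a comment
        parts = line.split()
        if not parts:
            continue                            # blank or comment-only line
        if len(parts) < 2:
            problems.append((lineno, "no hostname after address"))
            continue
        address, names = parts[0], parts[1:]    # a line may list several names
        for name in names:
            name = name.lower()
            if not valid_hostname(name):
                problems.append((lineno, f"invalid hostname {name!r}"))
                continue
            if name in entries:
                problems.append((lineno, f"duplicate of {name}"))
                continue
            entries[name] = (address, comment.strip())
    return entries, problems


def render_hosts(entries, address="127.0.0.1"):
    """Emit a normalized block, one name per line, preserving trailing comments.
    Passing address="0.0.0.0" is a common alternative: the OS then makes no
    connection attempt to the loopback interface at all."""
    lines = []
    for name, (_, comment) in entries.items():
        line = f"{address} {name}"
        if comment:
            line += f" #{comment}"
        lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found, issues = parse_hosts(SAMPLE_HOSTS)
    print(render_hosts(found), end="")
    for lineno, reason in issues:
        print(f"line {lineno}: {reason}")
```

Run it against a merged list before installing it; on Windows, as noted further down in this thread, a large HOSTS file also interacts with the DNS Client service, which is a separate issue from the file's contents.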
--quote--"Why don't YOU (Comodo)set the example?"--end quote--
Easy one. Setting an example > big revenue loss plus a grinding halt from all security software(s) developed.
Business-wise that boils down to a disaster. This is a roller coaster with virtually no way out. Anyone who fails to understand this has never ever been involved in high staff level business situations and decisions.
In all fairness it should be a good thing to imply GoDaddy, Verisign(!) and all others into this issue as well. The only reason to focus only on Comodo is - in my view - the impossible connection as for developing security software(s).
I'm not asking Comodo to stop issuing certificates, but rather to come up with a better method of verification ...
"Trust, but Verify"
I do understand your point of view. Perhaps we agree to disagree about your proposal :).
In my view these certs in question should not be issued at all, and that includes all cert vendors. As far as I see it, Verisign, GoDaddy and others belong in one and the same category as Comodo. Nice-looking statements are no more than words.
Let them sell only the real and trustworthy stuff to carefully examined buyers - and keep them examining very frequently. Weed out the certs already issued and keep doing so.
That's my interpretation from "Trust but Verify". And that goes for all cert vendors, Comodo included.
Will that happen? For reasons as already posted earlier on, I probably won't live to see that day.
@Paul...Lunch.. you know my email address, just drop me a line anytime ;)
As to whether the issue is free trial or not. Well, imo it's not. As you can see from the above example, even though the windowssecuritysuite site had a free trial cert from us (which we made no money from), they now got a cert from Verisign and they paid for it, and it's still not revoked! Comodo revoked their certs within minutes of finding out about them.
It's the DV SSL process that is the problem. With this process there is no check about the legitimacy of the applicant. The CA doesn't even check if it's a real person or real entity or not! That is the problem! Whether you provide this paid for or free, it's still susceptible as a protocol.
Hope this clarifies the issue.
cheers
This is why you look like a fool
You quoted this statement from Verisign in your above post
***************
Verisign said:
Then soon after the windowssecuritysuite went and got a cert from a Verisign company!
You look very foolish indeed!
Moreover,
You look foolish, because you are ignorant and do not understand that the problem is not per company but the protocol of the DV cert
You look foolish, because you are involved in a witch hunt against a company without getting your facts straight
You look foolish because in your flawed argument in your witch hunt you quoted a company saying " we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place." and only shortly after the above malicious site went and got a cert from them!
Donna, you look very foolish indeed.
Ever since this issue with Comodo certs started, most of us highlighted that Comodo is not only a cert vendor but a security software vendor (kindly see www.calendarofupdates.com/.../index.php), which is not the same as other cert vendors, so it is not unfair to imply Comodo in this issue. How can people trust their security software to detect malware if the malware domains that serve the malware are carrying Comodo certs? That alone should make Comodo do something better than other cert vendors. They have every possible method to prevent it. They have a malware team who should know the "source" of the malware. That malware team should be talking to their cert department and flag a malware domain if they only checked the source and found out that there is a Comodo logo on the source of malware that their security software will be detecting.
If they cannot set up a better strategy and step up, then they are mistaken to render two products: Cert Issuer and Security Software Vendor.
They issue certs to malware domains. Their scanner detects the fake antivirus. What has the malware research team there done? Did they pass the malware domain information to their cert team and say "Hey, we are detecting this as rogue, it has our Comodo cert"?
Their cert department should revoke it soon before any researcher like Mike will find it or before anyone is victimized by the fraudster.
Donna,
Your behavior is downright not acceptable! You're spreading lies all around about Comodo! Seriously Donna, cut the crap right now. Instead of blogging "OMG! Comodo has a Certificate issued to this malware domain!" and blogging misleading crap about it, you can help COMODO and other CAs A LOT by submitting malicious websites using certificates here: www.ccssforum.org/contact.php
ALL the malware sites using COMODO certificates are either (Free, 90 Day Trial) or Domain Validation Certificates. Heck, as long as you've got a domain, and you've got money, COME AND GET A DV! No validation WHATSOEVER.
THIS is the problem the industry is posing relating to ALL CERTIFICATION AUTHORITIES, PERIOD! There is no standard. Comodo, Verisign, etc. are all in the same boat.
winhelp2002: There is no Validation for DV's. It's an industry wide problem. Comodo educates people about Extended Validation, which does have validation and all the proper steps.
Btw, Melih has a video about Domain Validation here: www.comodovision.com (Cause of all this misleading information).
Josh,
You are way off base here ... I posted the "Comodo has a Certfiicate issued to this malware domain" not Donna ...
As for the "industry wide problem" ... yeah yeah, yeah ... we've heard it all before, and that's why I continue to ask for a better method of validation. Comodo wants to be a leader ... well let's see some leadership.
"Comodo educates people" ... the criminals won't be educated, that's just a poor excuse for doing nothing. If there is no "standard" then create one ...
Hah! You find that foolish? Then you're the one making yourself look like one. Why? Because you believe that we do not know that other certs have issued certs to fraudsters. You believe that we are singling you out. Since the May 2009 discussions in the Calendarofupdates.com forum, people were highlighting your difference from other cert vendors. No one is saying that only Comodo has issued certs to malware domains.
From day 1 that this issue about your cert was blogged or discussed in forums, you keep pointing fingers. You keep comparing yourself with other cert vendors, but you failed to realize that people expect MORE from Comodo because you are offering NOT only certs but Comodo security software also. People are not comparing you to other cert vendors, because they know that it is not Comodo alone that has done it, but they expect more from you. You are the one who keeps mentioning your rivals.
You are using other cert vendors as an EXCUSE or ALIBI, as if people do not know about certs at all. What we cannot understand, and what you/Comodo failed to do, is to prevent it and provide better prevention, especially as you are expected by people to do better. You have security software! Your teams (malware research and cert teams) should be coordinating and reporting to one another, then prevent it before people become victims.
Even Paul can see the problem with your services. Even Paul has said it. Ethics vs Commercial. You opted for losing your ethics. You opted not to provide professional standards. You opted to do an unfair job, and you opted not to show your duty as a security software vendor.
Even Mike has said before "whose ethics are being questioned here?", not his but yours.
And since you opted for the above, then you've got to face this problem. Solve it, Melih. That's what people want to see, your solution.
It would be pointless to argue in the span of this page whereas the manifest intention to restrict the focus to a single CA is unambiguously clear.
Each reader ought to confirm if some arguments could actually warrant the comments insofar provided whenever there might not be enough of a context nor the information to have them properly address some claims, even in case some will _not miss_ the comment section.
It should be clear by now the effort some put to point out arbitrary reasons to maintain such narrow focus is directly related to the extent of targeted criticism provided.
It is baffling to notice the unavailability of a technically reasonable, realistic and efficient solution, which should have been provided months ago and reviewed for completeness, inaccuracies or weaknesses by other experts and unambiguously proposed "to all CAs" for the benefit of everybody.
How long do opinions have to come in the form of "judgments" and not as a "proposal of solution"?
Because only a solution-oriented industry wide "proposal" could possibly cast away the undeniable considerations arising from such narrowed perspective some individual vocally advocate.
The "vast majority of CAs" will not fail to answer to such officially provided "solution" whenever released outside the cabforum.
Especially if provided by reputable individuals who apparently have the issue at heart instead of posing as judges on the sidewalk while delegating the rest or focusing on a single CA whenever it is a marginal issuer of DV certs.
Whenever some may be still willing to argue about these aspects and only passing their righteous judgment all along, their approach and their focus will be self-evident regardless of their confidence on their reasons and premises...
Whenever comments the likes "this should never happen" vocally leverage on popular sentiment arguing about viewpoints and sentiments is much different from arguing from a technical perspective to "thoroughly" describe a reasonable proposal...
...because peer reviews could be assumed to be as thorough and pertinent as well as oriented on realistic constraints and efficiency aspects in order to determine the span and applicability of such a DV proposal.
Whenever it does indeed look like OV certs' inherent identity validation can already address many DV cert related pitfalls in a reasonable and efficient way with fewer resources, any experts willing to address a detailed DV proposal for all CAs could write about that outside the restricted space of this "comment section"
Donna:
Hah! You find that foolish? Then you're the one making yourself look like one. Why? Because you believe that we do not know that other certs have issued certs to fraudsters.
Melih:
If you do, pls tell us the percentages. What percentage of the malware sites used Comodo certs vs other vendors' certs? You do NOT know this; if you did, you wouldn't be doing what you are doing! Can you pls provide percentages to say that Comodo is not doing its part, or even more than its fair share!
You believe that we are singling you out. Since the May 2009 discussions in the Calendarofupdates.com forum, people were highlighting your difference from other cert vendors. No one is saying that only Comodo has issued certs to malware domains.
Then the only foolish one is you Donna. You even quoted a line from Verisign: "Yes, we can revoke a cert whenever we want. But more importantly we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place." If you didn`t believe that line why did you quote it? Can you pls explain?
you failed to realize that people expect MORE from Comodo because you are offering NOT only certs but Comodo security software also. People are not comparing you to other cert vendors because they know that it is not Comodo alone has done it but they expect more from you. You are the one who keep mentioning your rivals.
Expecting more from Comodo because we have security software implies comparison to other cert vendors. You are clearly saying Comodo, as a CA who also has security software, should do more than other CAs who don't have security software. Btw, more compared to whom or what? Obviously our competitors! Or perhaps you can explain what you mean by expecting more from Comodo compared to what/who, based on what percentage? What data do you have in terms of percentage to say that Comodo is not doing enough compared to our competitors? Perhaps again you can share that data showing the percentage of maliciously used certs issued by Comodo vs competitors as well as the average revocation time for the respective companies. Surely you must have this for you to come to the conclusions you have. If you haven't, how can you possibly say all the stuff you have been saying?
Paul`s point was about free/trial SSL, but as was clearly shown this is not the issue as the malicious site blogged about in this very blog against Comodo went and purchased a cert from a Verisign Company. Once again the protocol for DV is flawed, no matter who issues it (maybe one day you will get it..)(will you?)
Again, we expect substance to your allegations, we expect no flip flopping, we expect not some foolish girl going around on a witch hunt with literally ZERO understanding of the security world!
Its amazing how the universe works in mysterious ways.... You quoted the Verisign statement and within 24 hours You were proven wrong!
How can you with any credibility claim that you didn't quote Verisign's statement saying: "we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place". Donna, you are a fool for posting that statement and then claiming you never said other vendors don't issue certs to malware domains.
Look forward to your explanation of why you quoted that Statement from Verisign if you didn't believe in it?
I hadn't used your Hosts file in a few years and tried it out today and found at least with IE8, my whole browsing experience was very slow. Removed your Hosts file and it was back to normal.
You are trying to use this "single" malware domain to justify your work :-O
Note: The same gang whose cert you've revoked before, and the same gang that you issued the cert to before it went to other cert vendors.
Why did I quote Verisign's response? It is to answer 1George's claim: "no CA has a system to check if the DV is being given to a repeat offender". Take note that he said "repeat offender". You see, this single malware domain that you are trying to use now as your defense was found to have a Verisign cert only after you had revoked it. It does not mean that Verisign re-approved or re-issued the cert to the same gang, unlike you, Comodo... who continues to provide certs to the same gang. You issued the cert to the same gang. Repeat offender.
See the difference?
Nope. MVP Paul Wilders wrote about the issues in Comodo services: certs and security software. Read his entire message again, Melih. He can see what other people have seen since May 2009: cert and security software services are the issue here, and that's why Comodo is being questioned. Paul clearly wrote that there are 2 choices: Ethics vs Commercial. He understands why you picked commercial instead of ethics. It's quite obvious anyway, but let us not forget that you have another source of money to develop your free software now: a toolbar in partnership with Ask/IAC. A toolbar that is bundled with no EULA at all in the installer, and not even a link. No EULA means you are not clearly disclosing what your software has and what it will do.
You want to count how many malware domains have certs by other vendors. Why bother, if Comodo cannot even monitor it and Comodo has to wait for reports like this. Remember, MVP Mike (aka winhelp2002) has been reporting to you since the Winfixer days. Since 2007, he's been catching malware domains with Comodo certs. Do the numbers matter now, if people know that your system, like other cert vendors' systems, is failing? What is the point if you are not going to provide a solution?
You have security software to help in having a better strategy than them. That is the point.
As an end user here, I'm tired of the name calling and finger pointing. How about all of the folks in this industry work together to stop the bad guys.
Enough with the attitude and how about we all get together to protect customers?
How about taking the time from justifying what happened to figuring out how to stop it happening again?
You said
Why did I quote Verisign's response? it is to answer 1George's claimed:
WOW...what a LIE....because you posted the verisign Statement on Saturday, July 25, 2009 5:41 PM by donna
But 1George made his first post on
Saturday, July 25, 2009 9:53 PM by 1George
You are now lying through your teeth Donna!! Shame on you! A Fool and now a blatant LIAR!!!! Have you no shame?
Robert,
Did you disable the DNS Client service as recommended? The HOSTS file itself does not slow down IE8 as I use it myself as well as many many others, with no effects ...
I guess you missed the screenshot I linked on the blog post of the previous release.
You've stated somewhere above:
--quote--
"Its the DV SSL process that is the problem. With this process there is no check about the legitimacy of the applicant. CA doesn't even check if its a real person or real entity or not! That is the problem! Whether you provide this paid for or free, its still susceptible as a protocol."
--end quote--
Although in my opinion free/trial certs should never have been issued at all for reasons as discussed, you certainly have a huge point here. So let's focus on this one for a while.
What if any reasons do exist for cert issuers not to change this darned protocol? In case it's flat out the money, by all means state so. From purely a business stand I can understand such a reason. Although (being aware of the consequences) it wouldn't be my kind of business. Then again, we all do know how reality is in this business if this is the case.
If on the other hand other reasons come into play, say lack of organization, setting standards accepted by all etc. : that's quite a different ball game. In effect the cert issue overall could be tackled. It will cost time and money no doubt - but it will pay back in the end. Provided this is the case, what can and could be done in your opinion?
I'd like to address issues one by one now as everyone may notice, starting with the root of the evil.
On a side note: I'm all for a heavy and straightforward discussion. Calling names and shouting at one another never solved anything as far as I know and isn't my cup of tea anyway. Consider this a well intended hint for those the shoe fits :).
Paul
As if all that wasn't enough....What was that thing you said about "repeat offender"?
www.malwarecatcher.net mentioned in the original blog above points to
secure.softsales-discount.com/support and this domain had an SSL from a Verisign Company previously (was valid until 6/26/2009) and now they went and got another cert again from Verisign!
Can you pls explain that, Donna (along with why you lied pretending you posted the Verisign statement after 1George's statement), and now it has been proven that your theory of "repeat offender" is total rubbish!
You look a total fool and big liar Donna! Shame on you!
PS:here is the screenshots to the previous verisign cert in my post in our forum forums.comodo.com/.../bad_comodo_bad-t43119.0.html;msg314120
First of all, there was and still is no standard for issuing SSL certs (yellow padlock). (There is a standard for EV SSL - green address bar.) So any CA can do whatever they like when issuing these certs, as there is no standard for it.
So in 2001, Geotrust came up with this innovation of issuing SSL certs without asking for docs etc. and "invented" DV SSL. People didn't understand the implication and thought hey, great, I don't need to bother with documentation and I can get my cert in a few minutes. That's how Geotrust was able to get market share. Verisign and Comodo were against this kind of Dangerous Validation, until Verisign bought Geotrust :) All of a sudden Verisign thought DV was a great idea! Then GoDaddy came into the picture pushing DVs. Now between GoDaddy and Verisign they own around 90% of the DV market. DV created a tool for market share. DV certs are dirt cheap, so I doubt anyone can make money from them, but they are a business tool for gaining market share; of course, monetizing that market is another issue after you have obtained that market share.
Coming to now, Comodo has proposed a minimum standard to the CABForum for DV, because today there is no standard for how to issue the yellow padlock. You see, I believe a Certification Authority must certify identity, otherwise what's the point. So we are pushing for a standard, but we are getting resistance from the "DV Market Leaders" :). Of course the "DV Market Leaders" have legal monies to spend if browser people force a change on them. So it has to be done amicably... but they resist!
So that's the story!
I think we need to educate users and get them to demand better standards from their browsers and be aware of DV certs (asking for too much but hey)..
We as Comodo will continue to push for minimum standards thru the CABForum and everyone should write to their Browser vendors and demand that they should improve the DV SSL standards.
Hope this clarifies, if not pls feel free to ask.
re: malwarecatcher.net
Well I just checked it after your last comment and I surely don't see Verisign ... what I do see is a recently expired certificate from Comodo!
[Screenshot - 7/28/2009]
mvps.org/.../malwarecatcher.gif
Enough with all the namecalling ... you are the one making yourself look foolish ...
Can you pls post the screenshot of what you see. Thank you
The link to the screenshot was included in my last comment ...
You are showing a cert for softhotspot.
I was referring to secure.softsales-discount.com/support and the screenshot is available in the link provided in my above post.
If you choose Visa then you go to what you posted; if you choose Mastercard then you go to what I posted (as far as I can see). Can you pls confirm that is the case for you too?
here is the site pay1.malwarecatcher.net/ProcessTransaction.php
If you choose Visa you go to: secure.softhotspot.com/.../bill.cgi
and if you choose Mastercard you go to:
secure.softsales-discount.com/payment
So all along, even as you were writing your blog against Comodo, this malicious site you blogged about had a Verisign cert. And now they actually got another one from Verisign. While the Comodo cert is a revoked cert, the previous Verisign cert "expired" and the current Verisign cert is still "valid".
I think its fair to say, Comodo is doing its fair share at protecting its users and shouldn't be singled out!
You're right ... each card selection goes to a different provider ... first I've ever seen that.
Equifax (expired) 6/26/2009 (Mastercard)
Comodo (expired) 7/21/2009 (Vista)
Most likely the culprits have abandoned MalwareCatcher for whatever they have cooked up this week ...
winhelp2002
Can you pls confirm that all along the very site you blogged about had a verisign cert and these crooks went and got another verisign cert again and that Verisign cert is still valid?
Thank you
Conclusion: it's the money that counts, and Comodo - supposedly having 10% or less market share - is too minor a cert issuer to have real influence on the existing dangerous validation protocol. As suspected and not coming as a surprise.
Would you mind posting the minimum standards Comodo is pushing over on the CABforum, so we know the possible positive impact?
If you go back and look, I only made a passing reference to MalwareCatcher ...
[quote]
Seems iSystem Inc also controls several other (malicious) domains ... including "malwarecatcher. net" which is associated with "updvms. net" and this is where it get interesting ...
msmvps.com/.../1693034.aspx
You can spin it all you want, but it doesn't change the fact that Comodo was involved with yet another malicious domain as seen in the last screenshot ... the Verisign certificate I saw from the Mastercard link expired 6/26/09.
I never saw the Mastercard/Equifax connection when I blogged about MalwareCatcher because I clicked randomly on the Vista card selection.
I mentioned MalwareCatcher on 5/23/09 ... the Equifax certificate was issued:
[Issuer]
CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
[Serial Number]
0BB707
[Not Before]
5/26/2009 10:00:25 PM
[Not After]
Equifax 6/26/2009 7:33:42 PM
------------
So even if I clicked the Mastercard link, I wouldn't have seen Equifax since it wasn't issued until 3 days later ... no telling what was there previously (if anything)
And no I do NOT see a valid certificate ... it shows just as I posted it above ...
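The exchange above turns on exactly what the leaf certificate says at a given moment: who issued it, its serial, and whether "now" falls inside its validity window. The following is an added example, not code from the original post or from any of the vendors named: a Python helper that takes a certificate in the dictionary form the standard library's `ssl.SSLSocket.getpeercert()` returns and summarizes issuer, subject, serial, lifetime and validity status against a supplied clock. The `SAMPLE_CERT` is constructed here from the Equifax certificate details quoted in the comment above (the subject hostname and the "GMT" suffix on the timestamps are assumptions), so the summary runs offline; `fetch_peer_cert` is the live-lookup path for use against a real host.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, filled in
# from the Equifax certificate details quoted in the thread. The subject name and
# the GMT suffix on the timestamps are assumptions, not taken from the page.
SAMPLE_CERT = {
    "subject": ((("commonName", "secure.softsales-discount.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Equifax Secure Inc."),),
        (("commonName", "Equifax Secure Global eBusiness CA-1"),),
    ),
    "serialNumber": "0BB707",
    "notBefore": "May 26 22:00:25 2009 GMT",
    "notAfter": "Jun 26 19:33:42 2009 GMT",
}


def _rdn(field):
    """Flatten getpeercert()'s tuple-of-tuples name sequence into a plain dict."""
    return {key: value for rdn in field for (key, value) in rdn}


def summarize_cert(cert, now):
    """Summarize a getpeercert()-style dict relative to the aware datetime `now`."""
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" string as UTC.
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        status = "not yet valid"
    elif now > not_after:
        status = "expired"
    else:
        status = "valid"
    issuer = _rdn(cert.get("issuer", ()))
    subject = _rdn(cert.get("subject", ()))
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "serial": cert.get("serialNumber"),
        "not_before": not_before,
        "not_after": not_after,
        "lifetime_days": (not_after - not_before).days,
        "status": status,
    }


def fetch_peer_cert(host, port=443, timeout=10):
    """Live lookup: return the leaf certificate of `host` as a getpeercert() dict.

    Chain and hostname verification stay on, so an untrusted chain raises
    ssl.SSLCertVerificationError. Note that Python's default context consults
    neither CRLs nor OCSP, so a revoked certificate still passes this check;
    revocation has to be checked separately.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration against the constructed sample, dated to the thread.
    seen_on = datetime(2009, 7, 28, tzinfo=timezone.utc)
    for key, value in summarize_cert(SAMPLE_CERT, seen_on).items():
        print(f"{key}: {value}")
```

To reproduce the "which card link goes where" check from the thread, call `summarize_cert(fetch_peer_cert(h), datetime.now(timezone.utc))` for each payment host separately, since the two links lead to different hosts and therefore different certificates.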
I quoted Verisign to let readers see that other certs have a strategy and provided a good response. I quoted Verisign again to answer 1George. Are you happy now? If so, let's go back to the facts and main issue: repeat offenders are able to get certs from Comodo, so the blog of Mike is very correct.
As to your message:
QUOTE
END QUOTE
Oops Melih... there is no valid cert on the domains you mentioned ;)
@Mike,
I just looked at the sites that Melih mentioned and I'm able to repro here what you saw:
I do not see a valid cert.
secure.softsales-discount.com - Equifax (issued 5/27/2009, expired last month 6/26/2009) - 1 month that this malware domain was able to use an Equifax cert.
secure.softhotspot.com - Comodo (issued 4/22/2009, expired a few days ago - 7/21/2009) - that's the 3 months trial that this malware domain was able to use a Comodo cert.
It has become more than clear during the course of this discussion that the main contributors to this blog have launched a vicious attack on Comodo with no justification whatsoever. This has no doubt damaged the business of Comodo, as the people concerned use their status of MVP to add weight to their remarks and will thus have been taken seriously by the wider security community.
It is hardly surprising that Melih has reacted furiously in this instance, as he has obviously not in any way been justly treated here.
Fortunately Paul Wilders has now introduced some common sense to this discussion, but the damage has been done, as the accusations have been widely repeated in many forums.
It would be good to see some humble pie being eaten here now and an apology at the very least!
Truthseeker,
I wasn't looking for an apology ... rather a solution to the ongoing problem. I've been reporting on this since 2007, yet no viable solution is offered. All I see is spin and distorting the truth, or try to discredit the research... blaming Verisign is not a solution, and the truth is in my research chasing these type culprits I see a Comodo certificate most of the time ...
With that said ... this is going nowhere and I've got better things to do ...
That is really quite amusing, you looking for an apology?
You clearly completely missed my point, that you have carried out a vendetta against Comodo with absolutely no justification. Your remarks have been repeated by your followers and those who wish Comodo harm, all over the internet.
Yet you cannot see the wrong you have done and have no intention of apologising. That is shameful in my opinion.
Despite the fact that blaming some major CA, or blogging about it, doesn't appear to be a solution, it comes as no surprise that *several domains* reported in this blog under the Netdirekt [as28753] range are still featuring _valid_ DV certs, despite being a seemingly "unseen" truth and thus not featured in any research nor article.
Obviously if they remain _unseen_ it would even be possible to think they never existed, especially if the sites are taken down *before* the certs could possibly be revoked.
If those certs were *issued* was it due to poor standards like implied for some other CA?
If they will _not_ be revoked will it mean that the "red flags" so far hinted were not something enough to warrant that?
If those certs were not "seen" even by the most dedicated researcher, could it mean that it is inherently _difficult_ to spot these cases, despite the opposite impression seemingly having been provided for similar cases?
If a research/article contain a selection bias < en.wikipedia.org/.../Selection_bias > and related underreporting or overreporting how much its conclusions could be considered reliable?
Whenever it doesn't look like the focus has changed much, it comes as no surprise the willingness to "wait on the sidewalk" for a proposal coming from the same CA involved in ethics debates with different tones.
Obviously there are many people willing to share their expertise and gratuitously provide their consultancy though it would be rather surprising if the so far demanded and more-less focused "expectations" will be easily met.
Apparently though *no expert* has so far taken any step to provide a "DV proposal" nor even one possibly carrying their own _ethical_ perspectives, nor one that could have been previously provided as _documented criteria_ for the "evaluated" DV certs scenarios and not strictly focused on a single CA (whereas the opposite could be interpreted as a telltale sign of bias).
The fact that Comodo provides CERTS as well as Security Software seems irrelevant. Both stand on their own. As far as trust goes, one could fail and the other would stand.
Singling out Comodo based on the fact that they offer both compared to other CA makes no sense.
Quoting Verisign simply saying we have solutions to prevent malicious websites from getting certs does not necessarily make it so. Comodo also has solutions however effective they may be, same as Verisign, GoDaddy etc. EVERYTHING can be improved upon as with all other products, services and companies.
Based on all these comments it's been shown that Verisign, Comodo and other CA all have problems with malicious sites and i'm certain they ALL have problems with recurring CERTS.
Showing only one side in an article such as this is merely closing your eyes to the rest of the world.
Unless you show what other companies are doing to fix the issue (in detail) that Comodo is not then it seems rather unfair to attack Comodo and their 10% share. When maybe you should be attacking Verisign and other CAs.
I would love to see this same article focusing on other CAs as well, since this isn't an isolated issue to Comodo.
Marc
Can you do something about this? Another Fake AV with an EQF cert.
img12.imageshack.us/.../certd.jpg
I've added the associated entries into the HOSTS file and notified Verisign/Equifax ...
And as you can see... This isn't just to do with Comodo. Every CA is in it, guys.
This one by Verisign, found today: forums.comodo.com/.../bad_comodo_bad-t43119.0.html;msg314840
Rogue Registry Tool.
MAL1, Censored Thoughts, Truthseeker and Paul: your posts are highly appreciated, and I totally agree.
PLEASE, Donna, or anyone else: if you find a malware site with a CA domain on there, please report it. Don't blog about it and post misleading lies. This is why Melih acted so furiously. You seriously think he enjoys this crap? He doesn't.
Anyway, the evidence is here and also on the Comodo Forums. There is no validation for DV and all CAs disagree to take it down. Melih tried to do it at the CABForum, but no go. :( So all CAs are forced to give out the DVs... So as long as you've got a domain, who cares about validation of who you are, just have one and give us the money. :-)
Comodo promotes, on their site, EXTENDED Validation much more prominently, and it is MUCH more recommended and shows the green bar (EV), not the yellow padlock which lost its trust! (Again, DV.)
Lol, I had similar issues with Comodo, that's why I no longer use it.
3xist,
re: "This one by Verisign"
Someone had already reported that and I replied here:
msmvps.com/.../1710608.aspx
As for the rest of your comments, I still don't see any solution being offered ... just excuses, spin and childish actions by a bunch of Comodo groupies and a "CEO gone wild" that can't stand being called out on the carpet ...
Comodo - There is nothing to defend when you take no action ... blaming Verisign is not a solution. Blaming posters for exposing Comodo's non-action is not a solution.
What difference does having a security certificate make? Even having a revoked certificate, the website is still up right?
I understand that, of course, to the layman who sees a website that sells a fake anti-virus program but doesn't know any better, seeing the website have a valid "Secured by Comodo" certificate would give a false sense of security, which is wrong, and then he would purchase the fake program.
It'd be great if the crooked hosting companies would stop hosting this garbage in the first place, and ICANN and all the registrars need to step up their game and do full background checks on any new websites being registered, whether for business or personal use.
It's pretty sad that all the fake sites out there even get registered... but it's all about $$$$ I guess...
Mike, indeed many would agree that blaming any specific CA wouldn't appear to be a solution, but it doesn't look like you have proposed a solution either.
Can you confirm you are aware that the CA which issued the DV certs now featured by these sites you listed is not the *same* one you initially focused on?
127.0.0.1 safe-pay-vault.com
Should these sites be reported even if they appear legitimate at the moment?
If you think so, would you please take the necessary steps to report them to the other CA?
Besides, what actually was the technical solution applicable to all CAs that you apparently ought to be aware of, to the point that it elicited the disappointment you focused on a single one?
Would you thoroughly describe a solution in a separate article for reference?
Will your solution account for the uncertainty of mismatching whois records?
Will it assume the cooperation of ISPs, at least to address the cases of virtual hosting?
Will it be entirely focused on preventing and unambiguously identifying malicious cert requests as soon as those are processed, in a way that it would actually be possible to _predict_ the abuses in order to *legitimately deny* those requests, or will it advocate a definite action based on what might only be confirmed at a later time, eventually by 3rd party reporting?
Would you be inclined to point out also the prospected effectiveness and inherent constraints of such a solution, in a way nobody could possibly abuse it to put forward unwarranted criticism?
It goes without saying that blaming a specific CA when someone knows the _outcome_ and expects the CA in question should have considered that negative outcome as *undoubtedly certain* _before_ it was confirmed would be not much different from blaming _any other CA_ after a similar issue is eventually confirmed (even the other CA whose valid certs are currently featured on the sites mentioned in this blog).
Censored Thoughts,
re: "but it doesn't look like you have proposed a solution either"
Why would I? ... it's not my area ... you should focus those comments to Comodo.
In my research I find Comodo's certificates far far more than anyone else ... I've been reporting on this issue since 2007, but Comodo just continues on as usual, blaming others, attacking the researchers, and uttering nonsense, but provides no solution.
So is there some way that I can exercise precautions with Comodo certificates in Firefox?
I looked at the Certificate Manager options and am not clear what penalties there might be for editing or deleting the Comodo entries.
What I'd really like is some warning when a site has a Comodo certificate so that I can either retreat and skip the site or proceed with extra caution.
This is a False Positive by Google.
And what is embarrassing is a so-called security professional doing a blog about a false positive!
This is getting a bit silly now, is it not?
Are you sure that is a malicious website? It doesn't seem that way to me.
Doesn't look like a false positive to me ... it clearly reads: "malicious software being downloaded and installed without user consent"
If you have an issue with the analysis from the diagnostic report ... take it up with Google, I'm just reporting their findings ... the same as I did here:
How is Google going to explain this?
msmvps.com/.../1652042.aspx
Google exposes ClickBank as malicious
msmvps.com/.../1652455.aspx
Please add these:
While I appreciate your submissions ... I certainly will not accept them in an image form.
I've already made a comment where I typed them all out, twice, and it would never appear. So it's either that or give me an email address. I don't see what's wrong with you copying the URLs from the image.
I have loved MVPS HOSTS since 5 years ago. Never disappointed.
The date under the HOSTS URL is incorrect.
Bumping my comment in your previous blog entry.
and can you please add those 2 harmful ad websites also
http://clicks.totemcash.com
http://info.clipta.com
Thank you yet again!
for what it's worth, on my XP system I found settings.sol in:
C:\Documents and Settings\<user name>\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
That folder also contained subfolders for all the sites which had been storing Flash stuff on my computer. Not any more.
So ...
A couple hours after making settings.sol read-only, there is a new file called settings.sxx and a new subfolder, presumably containing third-party flash cookie info.
[sigh]
I wonder what will happen if I make the folder containing settings.sol read-only?
I found a few Omniture (2o7.net):
bwincom.122.2o7.net
disccapl.112.2O7.net
dgbgdg.112.2O7.net
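Entries submitted in this thread arrive in several forms: a ready-made "127.0.0.1 host" line, full URLs with their scheme still attached, and mixed-case hostnames such as the 2o7.net ones above. The Python below is an added example, not the MVPS HOSTS project's own tooling; it normalises such submissions into clean, de-duplicated HOSTS lines and rejects anything that is not a plain hostname, and the sample list is constructed from the forms posted in these comments.

```python
"""Normalise submitted block-list candidates into HOSTS-file lines.
Added example, not MVPS HOSTS project code: submissions arrive as bare
hostnames, full URLs, mixed-case names or ready-made "127.0.0.1 host" lines."""
import re
from urllib.parse import urlsplit

BLOCK_ADDR = "127.0.0.1"
# RFC 1123-style hostname: dot-separated labels of letters, digits, hyphens.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

# Constructed sample, mirroring the forms posted in this comment thread.
SUBMITTED = [
    "127.0.0.1 safe-pay-vault.com",       # already a HOSTS line
    "http://clicks.totemcash.com",        # full URL, scheme must go
    "http://info.clipta.com",
    "bwincom.122.2o7.net",                # bare hostname
    "disccapl.112.2O7.net",               # mixed case
    "dgbgdg.112.2O7.net",
    "img12.imageshack.us/.../certd.jpg",  # a path, not a host: rejected
    "localhost",                          # must never be blocked
    "CLICKS.totemcash.com",               # duplicate once lower-cased
]

def normalise(entry):
    """Return the canonical hostname for one submission, or None if unusable."""
    text = entry.strip()
    if not text or text.startswith("#"):
        return None
    parts = text.split()
    if len(parts) == 2 and parts[0] in (BLOCK_ADDR, "0.0.0.0"):
        text = parts[1]                        # host field of a HOSTS line
    if "://" in text:
        text = urlsplit(text).hostname or ""   # keep only the URL's host
    host = text.lower().rstrip(".")
    if host in ("localhost", "localhost.localdomain") or not _HOST_RE.match(host):
        return None
    return host

def build_block(entries, existing=()):
    """Sorted, de-duplicated HOSTS lines for hosts not already in `existing`."""
    known = {h for h in map(normalise, existing) if h}
    new = {h for h in map(normalise, entries) if h} - known
    return [f"{BLOCK_ADDR} {h}" for h in sorted(new)]

if __name__ == "__main__":
    # Pretend the current HOSTS file already blocks one of the 2o7.net hosts.
    print("\n".join(build_block(SUBMITTED, ["127.0.0.1 bwincom.122.2o7.net"])))
```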
Great write-up, Mike !
Randy K.
Alan,
Yes, settings.sxx is (newly) created ... I'm guessing that Adobe Flash creates that file when it cannot access/write to the settings.sol file. I made the settings.sxx read-only also.
It sure didn't take long for Adobe to start looking to get a return on its investment ... as
Excellent research, Mike - as always.
Randy Knobloch
Regarding the Comodo practices, didn't anyone notice the same layouts and overuse of nice colorful interfaces to attract the masses with Comodo and its shady anti-virus friends?
Ref e-mail: [Hosts News] - Phishing for Facebook
When you mention sites in your articles should we put them in the Hosts file if they aren't there? For instance I didn't find uxfl.co.cc but did find kiano.....
glensurb@gmail.com
Glen,
Sure you can add the entries you see mentioned here ... they will also be added to the next HOSTS update (due soon)
Congratulations! A small thanks for what you do for so many.
~~Robert
Very well deserved I must add.
Congrats, Mike - well deserved, yet again.
Thanks everyone ...
Yawsa, Mike
Whatever floats your boat.
What a waste of an arm! I suppose it is a free world but I find it repulsive.
Thanks, Mike
Great work, as always.
That must have ouched a bit, Mike?
Randy Knobloch aka siljaline
Didn't "hurt" ... more like a bad sunburn ...
I am very satisfied. Thank You
No problem to download the zip file
Many thanks, again - Mike, from those out there that enjoy this file including me.
Having used HOSTS for a long time, I recently installed Win7 x64, and I'm no longer used to navigating without the HOSTS file.
Please post the instructions regarding Windows 7
Tks