Hosts News

MVPS HOSTS File Update Nov-13-2009

2009-11-13T11:04:00Z

The MVPS HOSTS file was recently updated [Nov-13-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (147 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible unwanted connections ...
http://www.mvps.org/winhelp2002/hosts.txt (601 kb)

MVPS HOSTS File Update Oct-08-2009

2009-10-08T19:33:00Z

The MVPS HOSTS file was recently updated [Oct-08-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible unwanted connections ...
http://www.mvps.org/winhelp2002/hosts.txt (602 kb)

Got Inked today

2009-10-07T04:49:00Z

Just got back from the Tattoo shop ... 5 hours in the chair ... not a very good photo ...

I'll post a better one when the surrounding skin is not so red ...

Microsoft® MVP Award

2009-10-03T04:28:00Z

Yesterday I received notification of my being presented the Microsoft® MVP Award.
This is my 11th award ... Thanks Microsoft ...

Phishing for Facebook

2009-09-28T20:49:00Z

While researching several suspect domains at Google Diagnostic ... Landing on "uxfl.co. cc"
which redirects to a IP address that tries to mimic a Facebook page complete with a bogus Flash player upgrade. As you can see my AV NOD32 jumped up and killed the connection, as the page automatically downloads a malicious file ...

Google Diagnostic report for uxfl.co.cc - "Malicious software includes 13 worm(s). Successful infection resulted in an average of 25 new process(es) on the target machine."

Also involved (see URL in the address bar) is "kiano-180809. com" and the Google Diagnostic report revels "Malicious software includes 516 trojan(s), 352 worm(s), 71 exploit(s). Successful infection resulted in an average of 41 new process(es) on the target machine."

Be careful out there folks ... the bad guys spend all day thinking of new ways to get into your machine. Since it is no longer profitable trying to break into Windows Vista ... they devote all their efforts into "social-engineering" = tricking users into falling for these scams ...

Omniture partners with ComScore

2009-09-21T15:02:00Z

It sure didn't take long for Adobe to start looking to get a return on it's investment ... as mentioned in my previous post
(Adobe to buy Omniture for $1.8 billion) Adobe has reached an agreement to partner with ComScore ...

ComScore Press Release - there are also several other noteworthy media quotes ...

"Through the relationship, Omniture will provide the clickstream data it tracks for its publisher clients, including page views, clicks, video views, mobile interactions, and Facebook application interactions, to comScore. In return, Omniture will provide its clients with demographic and psychographic data on their respective sites from comScore". [source]

"So, for example, a large company such as Disney might have multiple divisions -- such as ESPN or Disney theme parks and cruise lines -- and they can pick and choose the information they want to share". [source]

If you want to see what ComScore does (actually tracks) ... you can view their Privacy Policy (caution it will give you a headache! ...) ComScore certainly has a dubious past, including most antivirus/antispyware programs detecting their program as spyware ... however Comscore describes itself as "researchware" ... yeah right! ... I for one don't want anyone viewing my data when purchasing products on the Internet, or from other sources ...

"Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions"

"We may also combine the information that you provide us with information obtained from other sources (such as consumer preference reporting companies, credit reporting agencies and companies that collect TV viewing information) using confidential matching procedures".

Last year the Register had an article worth reading ... then there was the Sears spyware allegations ... The Sears "Community" Installation of ComScore (January 1, 2008) finally settled by the FTC ...

It will be interesting to see if the sites that use Omniture and/or ComScore ammend their Privacy Policies to reflect the changes and inform their visitors that their information will now be shared ... (aka: sold to the highest bidder)

Adobe to buy Omniture for $1.8 billion

2009-09-17T04:15:00Z

This news surprised most ... but the impact will be far greater than most people are reporting. Omniture (2o7.net) is the largest paid-analytics company (data miners) ... Adobe is the largest (besides it's other products) application (aka Flash) which allows websites to track users via "flash cookies" ...

Now you combine these two giants and ... say good-bye to your privacy. The biggest reason is the way "flash cookies" (local shared objects) are stored and the dubious actions that are allowed on your machine without your knowledge ... did you know that if you delete a cookie via your browser, that it can be recreated from the info stored in a flash cookie? ... Imagine that! You can prevent this action, but it's well hidden ... more on than below.

"Omniture helps clients understand how visitors traffic their Web sites and assists online businesses to target advertisements ...

Adobe, said the deal will help it "transform" e-commerce by combining its content creation tools with Omniture's online measurement and optimization technologies to help "increase the value Adobe delivers to customers."

"This is a game changer for Adobe and its customers," said Shantanu Narayen, chief executive of Adobe, in a statement. "We will enable advertisers, media companies and e-tailers to realize the full value of their digital assets."

The above statement is polite spin for "now we can really tract your movements" and allows websites to sell this info to anyone that wants to purchase it. So how do you protect yourself ... you have to go online ... yes online, Adobe does not allow you to control your flash privacy setting from your machine.

Start here and go thru the various tabs and select the privacy settings that suit your needs. I would suggest unchecking the option for “Allow third-party Flash content to store data on your computer”. Please note these setting only remain until the next Adobe flash update and there has been several just this year. Flash player has been targeted by malicious culprits for it's many vulnerabilities ... you can however retain your preferences by setting the "settings.sol" file to Read Only on your hard drive.

The settings.sol file is located in the following location: (Vista)
\Users\<user name>\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\
(where "<user name>" is the profile name you are using)

Once located, right-click and select Properties and place a check in the Read only option, click Apply/Ok

There are a few drawbacks to the above ... but I've learned to live with them ... some sites will complain when they are not allowed to store their tracking data on your machine.

Or you may see the following prompt ...

If you find that you really want to view a flash video or the like ... you will need to reset the "settings.sol" then allow the above changes, again via the Adobe online settings manager. Then reset the file back to Read only ... yeah I know it's a pain ... but I only allow a very few sites this access, much like a whiltelist ...

Omniture already has a dubious reputation for it's sneeky actions in the way it sets cookies on your browser, by using aliases to set a 3rd party cookie. Let's say you visit "creditreport.com" you will end up with a cookie from "metrics.creditreport.com" ... but is it really from creditreport.com? No way! it's an alias for "creditreport.com.122.2o7.net" and "metrics.creditreport" is not hosted and their server rather it returns to the IP location for Omniture.

Do you really want these 3rd parties harvesting your information while you are disclosing your credit information ... I certainly do not, especially when they use these sneeky tactics to do it.

MVPS HOSTS File Update Sept-02-2009

2009-09-02T08:31:00Z

The MVPS HOSTS file was recently updated [Sept-02-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ...
http://www.mvps.org/winhelp2002/hosts.txt (600 kb)

Still more fake PornTube sites

2009-08-21T06:22:00Z

On my weekly stroll thru various search engines for the term: ""PornTube: best movies collection." I usually find 15-20 new malicious sites, all using the same page layout. However I found this one a little different in the bogus message that's produced ...

Notice the fake blurring in the background ... and the fake Error message ... "download a patch to fix a problem" ...

"blue-xxx-tube. com" redirects to "4-open-davinci. com" for the actual download. Both sites are hosted at Netplace ... a well-known malware haven. A Google Diagnostic report confirms this ... "354 site(s) served content that resulted in malicious software being downloaded and installed without user consent"
"We found 45 site(s) that infected 1672 other site(s)"

Internet pharmacies identified as acting illegally

2009-08-08T05:26:00Z

The other day there was a disturbing report that found that nearly 90 percent of all pharmacy ads appearing on Bing's sponsored search engine results were illegal pharmacies ... Yikes! ... well most of us already know that "Sponsored Results" are not to be trusted ...

I certainly don't think Bing is the only one at fault here ... since the FBI states - "More than 80,000 “portal” websites currently sell ad space for these medications and link to one of more than 1,400 “anchor” websites that allow customers to place orders through illegal pharmacies".

The full report is here ... (.pdf) and in that report "klikadvertising" is mentioned ... these culprits are also involved in many of the Fraudware Antispyware scams currently on the Internet. Anyway LegitScript also released their Top 10 so I thought I'd check them out and possibly add those to the HOSTS file. Now I have no intension of adding all these illegal pharmacy sites as there are just too many, and nothing malicious happens when you visit these sites.

The best way I feel to protect users is to add their payment sites to the HOSTS file ... at least that way it would protect users from making ill-advised purchases ... or worse ... just imagine what's in those counterfeit drugs! I started visiting these sites and found my own disturbing trend which was not mentioned in any of the articles ... (see below)

Image edited for display purposes

The above site is listed as one of the Top 10 (above) ... when you click the "Next step" ...

Image edited for display purposes

As you can see you are redirected to "rx-secure.com" via a certain certificate ... I'm not even going to comment.

Visiting another of the above mentioned Top 10 which is described as "The website claims to sell drugs from Canada, but the authors submitted an order, and received counterfeit Cialis, without a prescription from India." If you read the full report LegitScript put a lot of time and effort into their finding. Going so far as to actually purchase products and have them tested ...

Image edited for display purposes

Another certificate from the same source as above and a Truste icon ... ouch!

Again we see a redirect from "expressdelivery.biz" to "secure.mymedcenter.net"

== Server Certificate ==========
[Subject]
CN=secure.mymedcenter.net, OU=Comodo EV SGC SSL, O=RX Corp, STREET=3155 Hickory Hill Rd, L=Memphis, S=TN, PostalCode=38115, C=US, OID.2.5.4.15="V1.0, Clause 5.(b)", OID.1.3.6.1.4.1.311.60.2.1.2=Tennessee, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=0582044

[Issuer]
CN=COMODO EV SGC CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Serial Number]
00FD665970D8D5E8D59EE06A23F621AAF5

Now to be fair I also found a Verisign certificate for "seal.buysafe.com" ... so please don't nag me about I'm picking on one vendor ...

== Server Certificate ==========
[Subject]
CN=seal.buysafe.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=buySAFE IT, O=buySAFE Inc, L=Arlington, S=Virginia, C=US

[Issuer]
OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network

[Serial Number]
2AAA3F4A7F8054FA9DD70D7AAA5650BF

You can view a very short video LegitScript posted on YouTube for expressdelivery.biz ... there are several others as well ... I also found another site that contains "illegal pharmacies identified by the FDA, HealthPricer and other official bodies"

First on their list was "allpills.net" which redirects to "canadian-drugshop.com" which redirects to ... "rx-secure.com"

== Server Certificate ==========
[Subject]
CN=rx-secure.com, OU=Comodo InstantSSL, O=Pharmos Limited, STREET=Leningradsky prospekt 143-26, L=MOSCOW, S=MSK, PostalCode=149501, C=RU

[Issuer]
CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US

[Serial Number]
00A84B9E3913DFC8BE5D7355B8EEFD59CE

Seems canadian-drugshop.com is hosted on the same IP block as several other scam sites ... most using "rx-secure.com" as their "check out" payment service.

# [Moskvacom][AS2118][195.95.155.0 - 195.95.155.255] (Google Diagnostic report for AS2118)
127.0.0.1 canadian-drugs-shop.com
127.0.0.1 www.canadian-drugshop.com
127.0.0.1 canadian-healthcare-shop.com #[ScamFraudAlert.Pharmacy]
127.0.0.1 canadian-pharmacy-store.com
127.0.0.1 edmedsnow.com
127.0.0.1 hqedpills.com
127.0.0.1 mens-medication.com #[Spamdexing]
127.0.0.1 official-canadian.com
127.0.0.1 professional-meds-online.com #[ScamFraudAlert.Pharmacy]
127.0.0.1 rx-top.com
127.0.0.1 shopedmedsonline.com

Many of the other sites HealthPricer listed no longer exist ...

Hopefully these certificate issuers and Truste will take a better look into the activities of the sites that were mentioned ... after all illegal activities are illegal!

Oh how embarrassing

2009-08-01T03:55:00Z

Imagine that! ... from Google Diagnostic ... I wonder what malicious software was being distributed on the 15th?

So let's click on over to trustlogo.com from the Google Diagnostic report ...

The really embarrassing part is that the site mentioned sagunnyu.com appears to use a Comodo certificate ... ouch!

== Server Certificate ==========
[Subject]
CN=sslsecurity.kr, OU=Comodo InstantSSL, OU=Hosted by Jungbonet inc., OU=SSLSECURITY_TEAM, O=JUNGBONET, STREET=Nonhyeon-dong, L=Nonhyun-Dong, S=SEOUL, PostalCode=135-010, C=KR

[Issuer]
CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US

[Serial Number]
2677FD02915826F36B72BDC69DBA9BC9

Maybe a certain CEO should spend a little more time making sure things like the above don't happen rather than spewing out one-sided spin in an effort to deflect the real problem = failure to address an ongoing (since 2007) problem:

Criminals using Comodo to attempt legitimacy

Bombarded with Comment Spam

2009-07-28T20:24:00Z

Update 07/29/09: I've heard from the powers-to-be and it seems the Spam Filters were set wrong after the latest blog update? Go figure ... I'll reset (allow) the Comments and see if I can restore them ...

I guess I've been lucky that the Bot spammers have not been a serious issue ... well until now ... seems like the last few days I have been bombarded with "comment spam" ... hundreds and hundreds a day [ugh!] So I've disabled the comments until things calm down ...

MVPS HOSTS File Update July-27-2009

2009-07-27T14:32:00Z

The MVPS HOSTS file was recently updated [July-27-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ...
http://www.mvps.org/winhelp2002/hosts.txt (597 kb)

Comodo continues to ignore Malware warnings

2009-07-22T15:40:00Z

Yet again we find the same group "ISystem Inc" scamming the public with their bogus products ... with a little more help from Comodo. Now I ask you ... how many times do I have to report the same group being issued a certificate from Comodo, before they take the necessary steps to prevent the general public from being ripped-off by these bad actors?

If the page looks familiar ... it is ... the same template as I previously reported ... from the same people "ISystem Inc"

As you can see I pasted the certificate details into the Fiddler report ... below you can see there is no doubt that "ISystem" is the owner ... same as previously reported several times! ...

It not hard to find the bad actors and the connection between "ISystem and SoftDialog" ... hey Comodo ever heard of Google? ...

"WindowsSecuritySuite" is hosted at the same location as before ... just how many red flags does it take?

"pay-secure" is also hosted on a previously reported location ...

# [Netdirekt][95.168.163.0 - 95.168.164.255]
127.0.0.1 aquabilling.com
127.0.0.1 secure.aquabilling.com
127.0.0.1 secure.bestbillingpro.com
127.0.0.1 secure.payment-cc24.com
127.0.0.1 pay-secure.net #[ISystem]
127.0.0.1 safe-pay-vault.com
127.0.0.1 webexpressbill.com
127.0.0.1 secure.webexpressbill.com

"Comodo - creating trust online" ... makes you wonder doesn't it ... I've been reporting on Comodo's lack of concern since
LimeLight Networks and connecting the dots (12-07-07) all we get is excuses and spin on how everyone else is doing it (issuing certificates) ... what ever happened to being a responsible part of the Internet community?

Comodo continues to damage it's reputation

2009-07-10T07:02:00Z

Here again we find another bogus Antispyware program that does nothing but take your money ... with a little help from Comodo

If the page looks familiar ... it is ... the same template as I previously reported ... from the same people "ISystem Inc"

I pasted the Comodo certificate into the Fiddler output ... seems Comodo still does not check out anyone prior to issuing a certificate ... even if it comes from the same people it revoked previously ... duh!

Comodo continues to issue certificates to known Malware
Anyway ... I went back and checked the sites I last reported and it seems Comodo has decided to ignore my report ...

rapid-antivir-2009. com
rapid-antivir2009. com
rapid-antivirus2009. com = all redirect to:
secure.xsoftstore. com

[Google link here]

Even a simple Google search as I suggested previously would have revealed the connection to ISystem ...

"malwaresdestructor. com" is hosted at Rcp.net along with quite a few other related Fraudware programs

"safe-pay-vault. com" is hosted at Netdirek - a known malware haven

# [Netdirekt][95.168.163.0 - 95.168.164.255]
127.0.0.1 aquabilling.com
127.0.0.1 secure.aquabilling.com
127.0.0.1 secure.bestbillingpro.com
127.0.0.1 safe-pay-vault.com
127.0.0.1 webexpressbill.com
127.0.0.1 secure.webexpressbill.com

Surely you would think Comodo with all it's resources can keep a lid on dealing with these malware frauds ... especially when they have already dealt with the same culprits before ... is anybody awake over there!! Trust is everything in the security business ... seems Comodo can no longer be trusted, as these type reports keep surfacing ... time after time ...

MVPS HOSTS File Update June-21-2009

2009-06-21T20:03:00Z

The MVPS HOSTS file was recently updated [June-21-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ...
http://www.mvps.org/winhelp2002/hosts.txt (599 kb)

A disturbing new report on your Internet Privacy

2009-06-03T13:32:00Z

A UC Berkeley report provides an in-depth look into the Internet Privacy issue and to what amount you are really being tracked ... several media outlets have reported on this issue. Register | NyTimes | BizJournals All with their own take on the report ... a few key excerpts from their study ...

Dominance of Google
"From our analysis, it is apparent that Google is the dominant player in the tracking market. Among the top 100 websites this project focused on, Google Analytics appeared on 81 of them. When combined with the other trackers it operates, such as DoubleClick, Google can track 92 of the top 100 websites. Furthermore, a Google-operated tracker appeared on 348,059 of 393,829 distinct domains tracked by Ghostery in March 2009 (over 88%)."

This is one of the main reasons why the majority of these "trackers" are included in the MVPS HOSTS file ...

"Among the top 100 websites" this was obtained from Quantcast ... however the "Top 100" are not really individual sites since many are owned by the same company ... so you can see how these big companies can compile quite a lot of info ...

[Example of the Big 3 - ranking]
microsoft.com (7), live.com (3), msn.com (4), windows.com (19)
Not counting their ad servers: Atlas DMT (atdmt.com) aQuantive (adbureau.net)

google.com (1), youtube.com (6), blogspot.com (14), blogger.com (40)
Not counting DoubleClick which ranks #37 at Alexa

yahoo.com (2), flickr.com (30), geocities.com (47)
Not counting their ad servers: Overture, RightMedia, BlueLithium
---------------------------------------------------------

SHARING
"Websites make distinctions between sharing with affiliates, contractors, and third parties. Of the top 50 sites, 29 stated that they do NOT share user data with unrelated third parties. However, 45 affirmatively state that they share data with affiliates, and 36 affirmatively state that they allow third-party tracking. The average consumer might assume an affiliate or tracker to be a third party, but given the actual usage of these terms in privacy policies, that assumption would be mistaken. Of the top 50 sites, 43 state affirmatively that they share data with third-party contractors, including all 29 of the sites who state that they do not share with unrelated parties."

This is why I recommend turning off Cookies and "whitelist" (allow) only those that are needed ...

NO ACCOUNTABILITY FOR THIRD-PARTY TRACKING
"In our analysis of privacy policies, 36 of the websites affirmatively acknowledged the presence of third-party tracking. However, each of these policies also stated that the data collection practices of these third parties were outside the coverage of the privacy policy. This appears to be a critical loophole in privacy protection."

"This appears to be a critical loophole" ... and they sure do word their Privacy Policy pages to take advantage of this loophole.

In the Register article they state: "Omniture and Quantcast cookies appeared on 57 per cent of the top 100 and less than 6 per cent of the 400,000" ... I would offer that this figure is actually much higher, since Omniture (112.2o7.net) also makes extensive use of clones to disguise their 3rd party trackers ...
[Example]
om.symantec.com is actually symanteccom.112.2o7.net
std.o.webmd.com is actually webmdglobal.122.2o7.net
stats.adobe.com is actually adobe.com.112.2o7.net

Using the Register as an example you can see the extent of tracking from third parties that goes on ...

All the entries in red above are blocked by the HOSTS file ... but the above is just from visiting one page on that site. However I must give them kudos for the Privacy Policy ... which they explain in very plain language of what they are doing and from who. Compare that to the BizJournal's statement:

"Adobe’s privacy policy, for example, when analyzed for readability, was written at an equivalent grade level of 17.29. The average privacy policy in the study was written at a grade level of 13.83."

I'm not sure what grade level 17.29 is ... but I'm sure I didn't go to school that long! ...

More fake PornTube sites

2009-06-02T04:47:00Z

I see plenty of these fake PornTube sites everyday ... however several sites are trying to trick visitors (nothing unusual) into thinking they need to update their (Adobe) Flash Player ... by first displaying an image then it blurs out and the bogus message appears ... same type as I spotted here

The "Load Now" button redirects to "update-flash. com" and serves up "FlashPlayer.v9.014.exe" which my Antivirus (NOD32 v4) detects as "Win32/Kryptik.QY" or visiting a similar site (see below) you get just a blank area with a clickable link ...

(image edited for display)

Do you see the common denominator in all these type sites? ... Look at the page title "PornTube: best movies collection." Usually about once a week I use the page title as a search term and find about 10-20 new sites ...

Google: 1 - 20 of about 6,080 for "PornTube: best movies collection.".

Yahoo: 1 - 10 of 10,100 for "PornTube: best movies collection."

Microsoft Live/Bing: 1-10 of 325 results - With "SafeSearch" turned off: 1-30 of 565 results

Yes Microsoft's Live search in your (Internet Explorer 8) browser now redirects to their new search service Bing ... as with Google and Yahoo (with Cookies enabled) you can define/tweak the results page as well as enable/disable SafeSearch which will filter adult images, text and videos ... I would suggest users that share an account with underage children that you enable SafeSearch in all three search engines (or any others that you may use) ...

What I noticed new in Bing - Video was the ability to play the video right from the results page without actually visiting the site ... kids are not stupid ... once they figure this out (with SafeSearch disabled) they can view most anything they want and leave no trace that they were there ... (see example below)

Oh Comodo here we go again!

2009-05-24T04:00:00Z

Visiting the following Fraudware Antispyware site ... I always check the "Buy now" (purchase) section to see where this will lead. Sadly it leads to yet another Comodo issued certificate ...

You can see from the Microsoft Fiddler output where the site leads ... I pasted the certificate info into the output ...

Comodo states: "To get a DV cert all you need is a domain name and $15..and no background check about your identity is required." As I stated in a previous post ... perhaps you should at least check the domain name ... duh! that would be a good first clue ... but I guess the $15 is more important?

These culprits were first reported on Thursday, April 16, 2009 - A Diverse Portfolio of Fake Security Software - Part Nineteen and later by the SunBelt blog where both these domains reside on the same IP (iSystem Inc.)

Seems iSystem Inc also controls several other (malicious) domains ... including "malwarecatcher. net" which is associated with "updvms. net" and this is where it get interesting ...

(Image edited for display purposes)

Well look at that! directories for (left column) several malicious domains ... and the typical files found in each (right column)
Extraantivirus, Fastantivirus09, Malwarecatcher, Prestotuneup, and on and on ... so you can see there is no doubt all these domains are malicious as well as the files ... when I attempted to download "EXAVR/BankSetupRelease.exe" my AV (NOD32) detected this as a variant of Win32/Kryptik.JQ trojan

I mentioned in my last post a malicious domain (secure.xsoftstore.com) which Comodo stated they revoked the certificate ... what gets me is I suggested that they at least should check the domain names ... well it seems they didn't look into this either ...

== Server Certificate ==========
[Subject]
CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
00C2ECCD1FEFB7508CA5D7ADB6E405E192
[Not Before]
4/29/2009 8:00:00 PM
[Not After]
7/29/2009 7:59:59 PM

If Comodo had bothered to check ... they would have found all these domains are related ... [Whois link here]

All this for $15 ... my things must be really bad? ...

Follow-up to the Comodo Controversy

2009-05-18T07:23:00Z

It seems that after my last post concerning Comodo it has caused quite a stir ... so I'd like to clear up a few points made on several other Forums.
[DSL Reports] [Security Garden] [Wilders Security] [Calendar of Updates]

Over at Comodo's Forum "Melih" who describes himself as: Comodo's Hero Administrator

"You say we responded to MVP Mike before and he gave us kudos. So why would we not respond to him this time if he sent us an email? Your logic doesn't make sense. If we responded before then we would respond again. And we did respond as soon as we were alerted but did NOT receive any emails from MVP Mike as far as I know."

Well as I stated in my previous post I sent an email on 04-21-09 alerting Comodo and never received a reply ... so why would I bother sending another when I find more of the same (Malware sites using Comodo certificates) ... however after "going public" it sure didn't take long for these certificates to be revoked. Imagine that ... I got a reply today ... "your email got buried" = buried? ... if you notice I sent it to both the address I was given and "CC'd" to the person I dealt with previously ...

I just feel sorry for the amount of people that were duped into thinking they were at a legit site and actually purchased this malicious software, after I notified Comodo ... only to be "buried" ... then why did you bother to set up a specific address to report these sites?

And this comment ... "Its a weak certificate, but its something that many many Certification Authorities are selling so I don't really see why Donna and similar should make a thread bashing solely comodo for it..Verisign and Godaddy is the major pushers and sellers for this junk, yet they get no critic whatsoever for that.."

First I very rarely see a certificate issued by GoDaddy to these type malware pushers ... now here is a tip ... perhaps the first clue would be to Google the domain name that wants to purchase a certificate ...

In some cases the domain name itself should be a red flag! = secure.spywareprotector-2009.com

== Server Certificate ==========
[Subject]
CN=secure.spywareprotector-2009.com, OU=Free SSL, OU=Hosted by
LiderTelecom LTD, OU=Domain Control Validated

[Issuer]
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater
Manchester, C=GB

[Serial Number]
2AEB99837575BE971E4EEB2329CD3507

Yet "Iam Monkey_boy=) from the comodo forums" states:
"Comodo can't really be blamed if a site that has a certificate hosts malware"

Let me put a little perspective on this ... "Conficker systems being updated with SpywareProtect2009"
Conficker is now believed to be the largest computer worm infection since the 2003 ... and Comodo issued the certificate to "SpywareProtector-2009" ... now you can't tell me that this domain name isn't a cause for concern? It gives me chills to think how many people were duped into purchasing this product.

Now if it was my company and I found out we were involved (even remotely) in the largest infection since 2003 ... I'd certainly want to make some changes in our policy as to how these certificates are issued ... but that's just me ...

And I'll finish up with this little gem ... "So the question should be the ethics of publishing these kind of material without informing the security vendors in the first place."

You question my ethics? ... it wasn't my intent to get into a pi**ing contest with these people but who's ethics are in question here? ... mine for publicly reporting this or Comodo's for a continuing practice of issuing/selling certificates to questionable characters ...