Hosts News

MVPS HOSTS File Update Feb-09-2010

The MVPS HOSTS file was recently updated [Feb-09-2010]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (148 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible unwanted connections ...
http://www.mvps.org/winhelp2002/hosts.txt (599 kb)

Fake PornTube revisited

On my weekly rounds of researching certain terms that usually result in new malware sites ... this week was no different. The page looks pretty realistic doesn't it for a ".de" looking language domain? Well except for the actual URL listed ... that is NOT an Adobe domain.

Clicking on the download button = "install_flash_player.exe" running the file thru VirusTotal gives disappointing results = 2/40 (5%)

Back in June 09 I wrote how these malware distributors were using the same page title ("PornTube: best movies collection.")  to draw unsuspecting people into thinking they needed some kind of Adobe Flash player update to view the offered adult movie on the site. Of course this is bogus and all the viewer gets is a nasty infection ...

The really sad part is back in June the three major search engines returned the following:

Google: 6,080 for "PornTube: best movies collection.".

Yahoo: 10,100 for "PornTube: best movies collection."

Microsoft Live/Bing: 325 results - With "SafeSearch" turned off: 1-30 of 565 results

Today's results shows the explosion in the amount of sites using that page title:

Google: 886,000 results for "PornTube: best movies collection."

Yahoo.com:  6,220 results for "PornTube: best movies collection."

Bing: 2,740 results for "PornTube: best movies collection."

That's quite an increase huh? most of these are now ".cn" registered domains ...

Be careful out there folks ... this is big business and the bad guys are out to get you ... your ID and your $$$ ...

MVPS HOSTS File Update JAN-12-2010

The MVPS HOSTS file was recently updated [JAN-12-2010]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (149 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible unwanted connections ...
http://www.mvps.org/winhelp2002/hosts.txt (606 kb)

My first issue with Windows 7

Well that didn't take long ... after getting my spiffy new OS system setup the way I wanted ... I set about the task of installing the programs and utilities that I need to maintain my site and the tools needed for the MVPS HOSTS file ...

So first thing I need is to setup a connection to the server that hosts my website. Ok ... where is the "My Network Places"? Seems it doesn't exist in Win7 ... huh? after Googling the issue for a while it seems "Web Folders" are no longer supported. Ouch! ... Ok since the "Server administrator" does not allow FTP connections ... now what?

In Windows Explorer, right-click Computer and select: Add Network location

This option fails when entering a website address (only accepts FTP)

Tried the "Map Network drive" option ... Entered the required information ... and it works I thought. The connection will allow me to see the various folders (left column in Windows Explorer) on my site, but the right (main) column is totally blank [ugh!] As a last resort I tried the "Open Site" option in my webpage editor - Office/FrontPage 2003 ... and that works ... a little querky, but it works.

It seems a known issue on Windows 7. There is no known (Microsoft supported) workaround for this issue. However ...
Web Folders workaround (do not apply to Home Premium - which is what I have)
http://www.techgremlin.com/2009/08/13/simple-workaround-windows-7-web-folders-bug/ 

Now that I can update my site I created a new page : Updating the HOSTS file in Windows 7
It's still a work in progress ...

Finally installed Windows 7

I finally found the time to wipe out my dual-boot Vista/XP drive ... delete the partitions and install Windows 7. Everything went better than expected, considering the "deleting the partitions" part ... buy kudos to Microsoft on simplifying that process. Two simple clicks once I booted from the install disk and followed the instructions (clean install).

Once installed I don't find Win7 much different than Vista ... just takes a little time getting things set the way you want them. However the real test is installing/using the programs I previously used ... including some rather old ones = 1998 ... and to my surprise all but one program worked just fine.

Sadly some of these other vendors leave a lot to be desired ... my ATI (raedon x1300) video card does not have a vendor version driver update for Win7 ... so I'm stuck using the version supplied during the Win7 install. It works just fine but you'd think a card purchased a little more than a year ago would still be supported.

The internal motherboard soundcard (Realtek) didn't work = "issue in Action Center" but once I visited Windows Update ... there it was under optional updates. Installed rebooted and no more issues in the Action Center ... without any interaction on my part.

I found the "Windows® Experience Index" didn't change much from Vista to Win7 ... Vista = 3.5, Win7 = 3.4, nothing to brag about but it's an old but reliable machine.

The changes to "ReadyBoost" were a nice surprise ... Microsoft ReadyBoost "now works with most flash storage devices in Win7 and supports up to 8 devices and up to a maximum 256gb of additional memory". Imagine that! ... I stuck 2 compatible flash drives in the back of the machine, set both (4gb, 2gb) to dedicated ReadyBoost, and forget about them, as you can reboot, etc. without disconnecting them ...

Without tweaking any settings (yet ;) my broadband (Comcast) connection speed was measured at 19.08 mbps download and 9.08 upload ... not bad for an old clunker!

Everything else seemed to install without any quirks ... Office/FrontPage 2003 is what I still use for editing/creating pages on my site ... just don't ever forget where you put product keys that you haven't used in about 5 yrs! ...

Overall it was it was a rather uneventful experience ... compared to the old days (Win95/ME/XP, etc) oh I'm sure there will be a few things that bug me about Win7, but it's worth the upgrade from previous versions, just for the improved security aspects ...

I'll be putting up a new page on my site about installing the HOSTS file in Win7 ... which by-the-way works just fine. Simply right-click the included installer (mvps.bat) and select: "Run as Administrator" from the menu, and it will backup your existing version and copy the updated version ...

Note: I haven't tried this in Win7x64 yet, so I'm not sure if I'll need to do something different there?

MVPS HOSTS File Update DEC-22-2009

The MVPS HOSTS file was recently updated [DEC-22-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (150 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible unwanted connections ...
http://www.mvps.org/winhelp2002/hosts.txt (612 kb)

While prepairing the above update I stumbled upon yet another Malware group scamming Google ... (nothing new there)
Seems these culprits were able to exploit legitimate sites and post bogus links, pretending to be a .pdf file ...

Notice the "[PDF]" in the titles below ... well if you click the malicious link it leads to a malware install and not the expected PDF file.

As you can see the above links redirect the user to a bogus scan - "Windows Security Center" ... yeah right!

The culprits of this latest scam are included in the latest MVPS update ...

Speaking of PDF files ... seems there is yet another serious exploit discovered in the Adobe Reader.
Folks I haven't used the Adobe PDF Reader in years ... just too many (security) holes in their program ...

It's much safer to uninstall Adobe in favor of the Foxit Software PDF reader (freeware)

MVPS HOSTS File Update Nov-13-2009

The MVPS HOSTS file was recently updated [Nov-13-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (147 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible unwanted connections ...
http://www.mvps.org/winhelp2002/hosts.txt (601 kb)

MVPS HOSTS File Update Oct-08-2009

The MVPS HOSTS file was recently updated [Oct-08-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible unwanted connections ...
http://www.mvps.org/winhelp2002/hosts.txt (602 kb)

Got Inked today

Just got back from the Tattoo shop ... 5 hours in the chair ... not a very good photo ...

I'll post a better one when the surrounding skin is not so red ...

Microsoft® MVP Award

 Yesterday I received notification of my being presented the Microsoft® MVP Award.
This is my 11th award ... Thanks Microsoft ...

Phishing for Facebook

While researching several suspect domains at Google Diagnostic ... Landing on "uxfl.co. cc"
which redirects to a IP address that tries to mimic a Facebook page complete with a bogus Flash player upgrade. As you can see my AV NOD32 jumped up and killed the connection, as the page automatically downloads a malicious file ...

Google Diagnostic report for uxfl.co.cc - "Malicious software includes 13 worm(s). Successful infection resulted in an average of 25 new process(es) on the target machine."

Also involved (see URL in the address bar) is "kiano-180809. com" and the Google Diagnostic report revels "Malicious software includes 516 trojan(s), 352 worm(s), 71 exploit(s). Successful infection resulted in an average of 41 new process(es) on the target machine."

 Be careful out there folks ... the bad guys spend all day thinking of new ways to get into your machine. Since it is no longer profitable trying to break into Windows Vista ... they devote all their efforts into "social-engineering" = tricking users into falling for these scams ...

Omniture partners with ComScore

It sure didn't take long for Adobe to start looking to get a return on it's investment ... as mentioned in my previous post
(Adobe to buy Omniture for $1.8 billion) Adobe has reached an agreement to partner with ComScore ...

ComScore Press Release - there are also several other noteworthy media quotes ...

"Through the relationship, Omniture will provide the clickstream data it tracks for its publisher clients, including page views, clicks, video views, mobile interactions, and Facebook application interactions, to comScore. In return, Omniture will provide its clients with demographic and psychographic data on their respective sites from comScore". [source]

"So, for example, a large company such as Disney might have multiple divisions -- such as ESPN or Disney theme parks and cruise lines -- and they can pick and choose the information they want to share". [source]

If you want to see what ComScore does (actually tracks) ... you can view their Privacy Policy (caution it will give you a headache! ...) ComScore certainly has a dubious past, including most antivirus/antispyware programs detecting their program as spyware ... however Comscore describes itself as "researchware" ... yeah right! ... I for one don't want anyone viewing my data when purchasing products on the Internet, or from other sources ...

"Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions"

"We may also combine the information that you provide us with information obtained from other sources (such as consumer preference reporting companies, credit reporting agencies and companies that collect TV viewing information) using confidential matching procedures".

Last year the Register had an article worth reading ... then there was the Sears spyware allegations ... The Sears "Community" Installation of ComScore (January 1, 2008) finally settled by the FTC ...

It will be interesting to see if the sites that use Omniture and/or ComScore ammend their Privacy Policies to reflect the changes and inform their visitors that their information will now be shared ... (aka: sold to the highest bidder)

Adobe to buy Omniture for $1.8 billion

This news surprised most ... but the impact will be far greater than most people are reporting. Omniture (2o7.net) is the largest paid-analytics company (data miners) ... Adobe is the largest (besides it's other products) application (aka Flash) which allows websites to track users via "flash cookies" ...

Now you combine these two giants and ... say good-bye to your privacy. The biggest reason is the way "flash cookies" (local shared objects) are stored and the dubious actions that are allowed on your machine without your knowledge ... did you know that if you delete a cookie via your browser, that it can be recreated from the info stored in a flash cookie? ... Imagine that! You can prevent this action, but it's well hidden ... more on than below.

"Omniture helps clients understand how visitors traffic their Web sites and assists online businesses to target advertisements ...

Adobe, said the deal will help it "transform" e-commerce by combining its content creation tools with Omniture's online measurement and optimization technologies to help "increase the value Adobe delivers to customers."

"This is a game changer for Adobe and its customers," said Shantanu Narayen, chief executive of Adobe, in a statement. "We will enable advertisers, media companies and e-tailers to realize the full value of their digital assets."

The above statement is polite spin for "now we can really tract your movements" and allows websites to sell this info to anyone that wants to purchase it. So how do you protect yourself ... you have to go online ... yes online, Adobe does not allow you to control your flash privacy setting from your machine.

Start here and go thru the various tabs and select the privacy settings that suit your needs. I would suggest unchecking the option for “Allow third-party Flash content to store data on your computer”. Please note these setting only remain until the next Adobe flash update and there has been several just this year. Flash player has been targeted by malicious culprits for it's many vulnerabilities ... you can however retain your preferences by setting the "settings.sol" file to Read Only on your hard drive.

The settings.sol file is located in the following location: (Vista)
\Users\<user name>\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\
(where "<user name>" is the profile name you are using)

Once located, right-click and select Properties and place a check in the Read only option, click Apply/Ok

There are a few drawbacks to the above ... but I've learned to live with them ... some sites will complain when they are not allowed to store their tracking data on your machine.

Or you may see the following prompt ...

If you find that you really want to view a flash video or the like ... you will need to reset the "settings.sol" then allow the above changes, again via the Adobe online settings manager. Then reset the file back to Read only ... yeah I know it's a pain ... but I only allow a very few sites this access, much like a whiltelist ...

Omniture already has a dubious reputation for it's sneeky actions in the way it sets cookies on your browser, by using aliases to set a 3rd party cookie. Let's say you visit "creditreport.com" you will end up with a cookie from "metrics.creditreport.com" ... but is it really from creditreport.com? No way! it's an alias for "creditreport.com.122.2o7.net" and "metrics.creditreport" is not hosted and their server rather it returns to the IP location for Omniture.

Do you really want these 3rd parties harvesting your information while you are disclosing your credit information ... I certainly do not, especially when they use these sneeky tactics to do it.

MVPS HOSTS File Update Sept-02-2009

The MVPS HOSTS file was recently updated [Sept-02-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ...
http://www.mvps.org/winhelp2002/hosts.txt (600 kb)

Still more fake PornTube sites

On my weekly stroll thru various search engines for the term: ""PornTube: best movies collection." I usually find 15-20 new malicious sites, all using the same page layout. However I found this one a little different in the bogus message that's produced ...

Notice the fake blurring in the background ... and the fake Error message ... "download a patch to fix a problem" ...

"blue-xxx-tube. com" redirects to "4-open-davinci. com" for the actual download. Both sites are hosted at Netplace ... a well-known malware haven. A Google Diagnostic report confirms this ... "354 site(s) served content that resulted in malicious software being downloaded and installed without user consent"
"We found 45 site(s) that infected 1672 other site(s)"

Internet pharmacies identified as acting illegally

The other day there was a disturbing report  that found that nearly 90 percent of all pharmacy ads appearing on Bing's sponsored search engine results were illegal pharmacies ... Yikes! ... well most of us already know that "Sponsored Results" are not to be trusted ...

I certainly don't think Bing is the only one at fault here ... since the FBI states - "More than 80,000 “portal” websites currently sell ad space for these medications and link to one of more than 1,400 “anchor” websites that allow customers to place orders through illegal pharmacies".

The full report is here ... (.pdf) and in that report "klikadvertising" is mentioned ... these culprits are also involved in many of the Fraudware Antispyware scams currently on the Internet. Anyway LegitScript also released their Top 10 so I thought I'd check them out and possibly add those to the HOSTS file. Now I have no intension of adding all these illegal pharmacy sites as there are just too many, and nothing malicious happens when you visit these sites.

The best way I feel to protect users is to add their payment sites to the HOSTS file ... at least that way it would protect users from making ill-advised purchases ... or worse ... just imagine what's in those counterfeit drugs! I started visiting these sites and found my own disturbing trend which was not mentioned in any of the articles ... (see below)

Image edited for display purposes

The above site is listed as one of the Top 10 (above) ... when you click the "Next step" ...

Image edited for display purposes

 As you can see you are redirected to "rx-secure.com" via a certain certificate ... I'm not even going to comment.

 Visiting another of the above mentioned Top 10 which is described as "The website claims to sell drugs from Canada, but the authors submitted an order, and received counterfeit Cialis, without a prescription from India." If you read the full report LegitScript put a lot of time and effort into their finding. Going so far as to actually purchase products and have them tested ...

Image edited for display purposes

 Another certificate from the same source as above and a Truste icon ... ouch!

Again we see a redirect from "expressdelivery.biz" to "secure.mymedcenter.net"

== Server Certificate ==========
[Subject]
  CN=secure.mymedcenter.net, OU=Comodo EV SGC SSL, O=RX Corp, STREET=3155 Hickory Hill Rd, L=Memphis, S=TN, PostalCode=38115, C=US, OID.2.5.4.15="V1.0, Clause 5.(b)", OID.1.3.6.1.4.1.311.60.2.1.2=Tennessee, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=0582044

[Issuer]
  CN=COMODO EV SGC CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Serial Number]
  00FD665970D8D5E8D59EE06A23F621AAF5

Now to be fair I also found a Verisign certificate for "seal.buysafe.com" ... so please don't nag me about I'm picking on one vendor ...

== Server Certificate ==========
[Subject]
  CN=seal.buysafe.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=buySAFE IT, O=buySAFE Inc, L=Arlington, S=Virginia, C=US

[Issuer]
  OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network

[Serial Number]
  2AAA3F4A7F8054FA9DD70D7AAA5650BF

You can view a very short video LegitScript posted on YouTube for expressdelivery.biz ... there are several others as well ... I also found another site that contains "illegal pharmacies identified by the FDA, HealthPricer and other official bodies"

First on their list was "allpills.net" which redirects to "canadian-drugshop.com" which redirects to ... "rx-secure.com"

== Server Certificate ==========
[Subject]
  CN=rx-secure.com, OU=Comodo InstantSSL, O=Pharmos Limited, STREET=Leningradsky prospekt 143-26, L=MOSCOW, S=MSK, PostalCode=149501, C=RU

[Issuer]
  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US

[Serial Number]
  00A84B9E3913DFC8BE5D7355B8EEFD59CE

Seems canadian-drugshop.com is hosted on the same IP block as several other scam sites ... most using "rx-secure.com" as their "check out" payment service.

# [Moskvacom][AS2118][195.95.155.0 - 195.95.155.255] (Google Diagnostic report for AS2118)
127.0.0.1  canadian-drugs-shop.com
127.0.0.1  www.canadian-drugshop.com
127.0.0.1  canadian-healthcare-shop.com #[ScamFraudAlert.Pharmacy]
127.0.0.1  canadian-pharmacy-store.com
127.0.0.1  edmedsnow.com
127.0.0.1  hqedpills.com
127.0.0.1  mens-medication.com #[Spamdexing]
127.0.0.1  official-canadian.com
127.0.0.1  professional-meds-online.com #[ScamFraudAlert.Pharmacy]
127.0.0.1  rx-top.com
127.0.0.1  shopedmedsonline.com

Many of the other sites HealthPricer listed no longer exist ...

Hopefully these certificate issuers and Truste will take a better look into the activities of the sites that were mentioned ... after all illegal activities are illegal!

Oh how embarrassing

Imagine that! ... from Google Diagnostic ... I wonder what malicious software was being distributed on the 15th?

So let's click on over to trustlogo.com from the Google Diagnostic report ...

 The really embarrassing part is that the site mentioned sagunnyu.com appears to use a Comodo certificate ... ouch!

== Server Certificate ==========
[Subject]
  CN=sslsecurity.kr, OU=Comodo InstantSSL, OU=Hosted by Jungbonet inc., OU=SSLSECURITY_TEAM, O=JUNGBONET, STREET=Nonhyeon-dong, L=Nonhyun-Dong, S=SEOUL, PostalCode=135-010, C=KR

[Issuer]
  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US

[Serial Number]
  2677FD02915826F36B72BDC69DBA9BC9

 Maybe a certain CEO should spend a little more time making sure things like the above don't happen rather than spewing out one-sided spin in an effort to deflect the real problem = failure to address an ongoing (since 2007) problem:

Criminals using Comodo to attempt legitimacy

Bombarded with Comment Spam

Update 07/29/09: I've heard from the powers-to-be and it seems the Spam Filters were set wrong after the latest blog update? Go figure ... I'll reset (allow) the Comments and see if I can restore them ...

I guess I've been lucky that the Bot spammers have not been a serious issue ... well until now ... seems like the last few days I have been bombarded with "comment spam" ... hundreds and hundreds a day [ugh!] So I've disabled the comments until things calm down ...

MVPS HOSTS File Update July-27-2009

The MVPS HOSTS file was recently updated [July-27-2009]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ...
http://www.mvps.org/winhelp2002/hosts.txt (597 kb)

Comodo continues to ignore Malware warnings

Yet again we find the same group "ISystem Inc" scamming the public with their bogus products ... with a little more help from Comodo. Now I ask you ... how many times do I have to report the same group being issued a certificate from Comodo, before they take the necessary steps to prevent the general public from being ripped-off by these bad actors?

If the page looks familiar ... it is ... the same template as I previously reported ... from the same people "ISystem Inc"

As you can see I pasted the certificate details into the Fiddler report ... below you can see there is no doubt that "ISystem" is the owner ... same as previously reported several times! ...

It not hard to find the bad actors and the connection between "ISystem and SoftDialog" ... hey Comodo ever heard of Google? ...

"WindowsSecuritySuite" is hosted at the same location as before ... just how many red flags does it take?

"pay-secure" is also hosted on a previously reported location ...

# [Netdirekt][95.168.163.0 - 95.168.164.255]
127.0.0.1  aquabilling.com
127.0.0.1  secure.aquabilling.com
127.0.0.1  secure.bestbillingpro.com
127.0.0.1  secure.payment-cc24.com
127.0.0.1  pay-secure.net #[ISystem]
127.0.0.1  safe-pay-vault.com
127.0.0.1  webexpressbill.com
127.0.0.1  secure.webexpressbill.com

"Comodo - creating trust online" ... makes you wonder doesn't it ... I've been reporting on Comodo's lack of concern since
LimeLight Networks and connecting the dots (12-07-07) all we get is excuses and spin on how everyone else is doing it (issuing certificates) ... what ever happened to being a responsible part of the Internet community?