Hosts News

Another round of Chinese hackers

winhelp2002 — Sun, 11 May 2008 19:01:00 GMT

Seems like every day now there is another report of sites being hacked by various methods ... many are Chinese related.
Much to my surprise when I ran a scan at LinkScanner" ... it produced the following prompt ...

As I've mentioned many times before any time you see that prompt it always relates to Exploits ...

As you can see there are several sites involved and several exploits including "ri.exe" from another related site. All these sites are on the same IP ... VirusTotal results here ...

There are several other notable sites that were injected with these sites ... which Google has flagged as harmful ... ouch!

Appears no site is really safe from these culprits ... be careful out there folks ...

Texas Charges Nexusmedia Deceived Web Users

winhelp2002 — Sat, 10 May 2008 11:36:00 GMT

Nexusmedia charged with failing to inform consumers about spyware downloads
"Texas Attorney General Greg Abbott charged a Colorado software business with selling screensavers that were bundled with adware or spyware. Further, although the defendants promised child-safe screensavers, their products commonly included images of unclothed women" ... [full story here]

"However, Friday’s enforcement action charges McLaughlin with bundling his screensavers with independent, unrelated software called the My Search Toolbar. Customers who purchased the screensavers were not given the opportunity to opt out of the toolbar."

Imagine that! ... "not available to Texas residents" ... I wonder why? Were only Texas residents were decieved?
Also interesting it appears Nexusmedia has revised their website to include the following:

"We have made an effort to allow you to opt out of installing the NexusBar however there may be some screensavers that will silently install this so with that said, by installing this software you also agree to install the toolbar."

They have also removed any mention to "No Adware/Spyware" ... seems like some sites are already aware of the issue ...

It's bad enough when adware is bundled with free downloads ... but now to purchase a screensaver and still get whacked with no consent adware is really underhanded ... although sleezy underhanded tactics are nothing new for MySearch.

I bet it won't be long before "IAC Search Media" (formally AskJeeves) starts to spin this issue ...

Get your Trojan.Codec in FullHD 1080

winhelp2002 — Fri, 02 May 2008 14:58:00 GMT

Well I must say they sure are creative ... now you can get your Trojan.Codec in FullHD 1080 ... imagine that!

Or maybe you would prefer a Trojan (Trojan-Downloader.Win32.Peregar.cf) in Dolby 5.1 surround sound? ... yeah right! ...

The download for this is pretty well detected (Result: 23/31 (74.2%) VirusTotal results here ...

Yet another LocusSoftware connection with ipsCA

winhelp2002 — Wed, 30 Apr 2008 09:32:00 GMT

Here is yet another example of LocusSoftware foisting their bogus products upon the public with the help of "ipsCA" ...

If you click the "Try free" button ... my AV (NOD32 v3) jumps up with the following: (and kills the connection)

However I am still able via Microsoft Fiddler to capture the traffic connections, including when you attempt to purchase via the "Buy now" button above ... you can see the redirection to their "payment" site and the certificate issued by "ipsCA"

Just so there is no confusion of the connection between LocusSoftware and the payment site ... all you have to do is Google and there it is ...

Another interesting connection is "antimalwareguard" is registered to "Serg Moon" who Sandi Hardmeier has identified several times as being behind the rash of malicious advertisements on legit websites ... it really makes you wonder if these "Certificate Issuers" even bother to investigate who they are dealing with ... apparently ipsCA doesn't!

I also found the same payment site being used by "IEAntiVirus" and several others ...

Another bogus Windows Media Player prompt

winhelp2002 — Thu, 24 Apr 2008 04:19:00 GMT

Landing on the following site the visitor is prompted with a bogus Media Player prompt ...

The image is designed to look like a real Windows Media Player ... and as you can see IE7 blocked the automatic download of the file ... then you see the fake prompt "You need to download new version Video ActiveX object" ... now as I've mentioned many times before there is no such thing ...

The download (XXXmediaCodec.exe) was scanned at VirusTotal (Result: 18/32 (56.25%) full results here
"getadultaccess" is hosted at Ukrtelegroup Ltd (85.255.112.0 - 85.255.127.255)

MVPS HOSTS File Update April-22-2008

winhelp2002 — Wed, 23 Apr 2008 03:25:00 GMT

The MVPS HOSTS file was recently updated [April-22-2008]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (154 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource for determining possible culprits ... (668 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/updates.htm

Another Rogue Antispyware product from the Pandora Software group

winhelp2002 — Thu, 17 Apr 2008 01:02:00 GMT

Following up on a article from our friends at BleepingComputer "How to remove Malware Bell" we find:

"Malware Bell is a rogue anti-spyware from the same developers as IE Defender and Files Secure. Malware Bell is installed and advertised through the use of Trojans that are installed as Internet Explorer Browser Helper Objects."

These people are so lame they can't even write their own detections ... (highlighted in red) it's actually from McAfee ...

As you can see there are several redirects when you [choke] attempt to purchase their bogus product ... the sad part is here is another example of "ipsCA" issuing certificates to known bogus products ...

I found the exact same thing with "VirusIsolator" which Symantec detects and describes as:
"The program reports false or exaggerated system security threats on the computer."

So I have to ask ... ipsCA what are you thinking!

"installed and advertised through the use of Trojans" ... "reports false or exaggerated system security threats"

Yes I did contact ipsCA previously and all I got back was an automated reply with a "Support:276800" ...

Another malicious Movie site

winhelp2002 — Mon, 14 Apr 2008 15:36:00 GMT

Landing on the following site ... the typical layout of clickable images is displayed with the following message

"Video is protected by unique technology PriveContent" ... well that's something new ...

Image edited for display purposes

If you click the "Enable video now" you are redirected to a download that is detected as "Trojan.Fake.GoogleBar"
or directly accessing the site of the download you see a similar message ...

If you read the text in the above prompt it's laughable ... "you will receive 98 dollars" ... yeah right! all you get is an infected computer. VirusTotal results here ... SunBelt technical results here ...

From their EULA: "You grant PC permission to add/remove features and/or functions to the existing software and/or service, or to install new applications from PC, third parties or any other application, at any time, in our sole discretion, with or without your knowledge and/or interaction."

Now if the above statement doesn't alert you that you will be infected I don't know what does ...

Another Rogue product from LocusSoftware

winhelp2002 — Fri, 11 Apr 2008 09:58:00 GMT

Following up on a post from Sandi who is reporting yet another malicious advertisement (.swf) that redirects several times until you land on one of many rogue Antispyware products from LocusSoftware ...

When you click the Download button you are routed to a "secure" page where you are prompted to purchase their (bogus) product ... as I predicted before once Comodo revoked their certificated from the WinFixer/SetUpAHost (LocusSoftware) group ...

"Good news gang ... I was informed by Comodo that they have revoked all certificates issues to the WinFixer/SetUpAHost ... I know it's only a small victory but it causes them to look elsewhere, and I'm sure it won't take them long to establish another bogus setup ..."

Looks like they switched to "ipsCA" for their certificates ... (highlighted in blue)

What's scary about this connection is ipsCA is a certificate issuer via Microsoft ... from the info on their site ...

Image edited for display purposes.

I'll be contacting the involved parties to see if they will revoke these certificates as well ...

Is PCSecurityShield still a Rogue Antispyware company?

winhelp2002 — Tue, 08 Apr 2008 06:57:00 GMT

Donna's SecurityFlash pointed out that there is quite a storm over the discovery that Comodo has licensed their firewall engine to PCSecurityShield ... once considered promoting Rogue/Suspect Antispyware products ...

Seems PCSecurityShield has turned around their business model and are now rebranding several Security related products. This excerpt from Download.com (Company Profile) ...

"PCSecurityShield is a 3 year old internet security company that licenses various technologies and provides consumers will products to insure safe web activities. PCSecurityShield partners with many top worldwide technology companies to bring internet protection to the average consumer while providing superior, free customer service."

Some of the products they now rebrand:

The Shield Firewall - engine licensed from Comodo
Spyware 24x7 - engine licensed from Lavasoft
The Shield Deluxe 2008 6.0.2.621 - engine licensed from Kaspersky
Security Shield 2008 - engine licensed from F-Secure

While I would not recommend any of these products, they certainly can no longer be considered Rogue products ... with that in mind I have decided to remove the related entries from the HOSTS file and this will reflect in the next update.

Zango Alleges Kaspersky Is Badware Itself

winhelp2002 — Sun, 06 Apr 2008 04:37:00 GMT

Well ... here we go again ... MediaPost is reporting that Zango is again going after Kaspersky. Zango lost round 1 in court and they are not happy with the decision. In their latest filing (link to .pdf here) they state the Court was wrong and that Kaspersky is actually Badware (as defined in StopBadware.org) ... now that's a real stretch!

Then Zango goes on to describe Kaspersky as "Scareware" ... imagine that! this should get real interesting when Kaspersky responds ... "Microsoft Malware Protection Center" reports Zango/Hotbar ranks 3 of of the Top 10 ...

I guess we can tell who is the real "Badware" here ... sounds like it's time for another Benjamin Edelman report ... which found that Zango was in violation of the FTC agreement ...

Vomba Acquires Adware Company WhenU

winhelp2002 — Fri, 04 Apr 2008 16:25:00 GMT

MediaPost is reporting that Vomba has acquired Whenu ... Who is Vomba? they are a division of "Gamma Entertainment"

Just so there is no confusion of "who-is-who" ... and where they are located:

Vomba Network
3300 Cote-Vertu, Suite 406
Montreal, QC H4R 2B7

WHENU.COM
3300 Cote-Vertu, Suite 406
Montreal, QC H4R 2B7

Surfing accuracy
3300 Cote-Vertu Suite 406
Montreal, Quebec H4R 2B7

Media Traffic Agency Inc
3300 Cote-Vertu Suite 406
Montreal, Quebec H4R 2B7

Integrated Search Technologies
3300 Cote-Vertu Suite 410
Montreal, Quebec H4R 2B7

Gamma Entertainment Inc
3300 Cote-Vertu Suite 406
Montreal, Quebec H4R 2B7

[Gamma Entertainment][66.152.92.0 - 66.152.92.255]

[Gamma Networking via Integrated Search Technologies][66.152.93.0 - 66.152.93.127]

[Gamma Networking via Marketing Engines][66.152.85.0 - 66.152.85.255]

[Gamma Networking via Surfaccuracy][66.152.93.128 - 66.152.93.255]

The "adware" community has been relatively quite lately, however I suspect we are about to see a new rash of adware applications involving all of the above ...