Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 30 December 2009 When is a forum not a forum? ....

... When it's an exploit of course!

This URL (vURL results, PDF);

wants us to believe it's a forum that's going to let us view the topic associated with the ID in the s= variable. Alas, it's neither a valid ID nor a forum at all. What you'll actually get is a whole host of badness battered down the pipes onto your poor machine.

And what badness do you get? Glad you asked! The above URL loads two additional URL's that deliver the payload;

PDF file

SWF (flash) file

These files have one purpose - to deliver the payload. The payload itself comes from;

The payload is a 39K file called pdfupdate.exe, and VT results as of December 29th, were absolutely rubbish, with only 3 vendors detecting it;

I've just submitted it to VT again, to see if the detections have improved yet, and though they could still be better, the 3 vendors are now up to 19;

The file is UPX packed, and unpacking it yields a 79K file that, according to VT reports, is a fake alert (otherwise known as "this is gonna infect yer poor machine and ask you to pay it for the privilege of doing so").
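The chain described above (a forum-looking landing page, then a PDF and an SWF, then the executable) leaves a recognisable footprint in web-proxy logs. As an added example, my own code rather than anything from hpHosts, here is a small detector that reconstructs that footprint per client: a text/html fetch followed within a short window by PDF/SWF fetches and then an executable download. The log format, host names and lure URL are constructed; only the payload file name pdfupdate.exe comes from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy-log sample (not from the post). Field order:
# timestamp client method url status content-type
SAMPLE_LOG = """\
2009-12-29T10:00:01 10.0.0.5 GET http://lure.example/forum/index.php?s=8f3a 200 text/html
2009-12-29T10:00:02 10.0.0.5 GET http://lure.example/load.php?spl=pdf 200 application/pdf
2009-12-29T10:00:03 10.0.0.5 GET http://lure.example/load.php?spl=swf 200 application/x-shockwave-flash
2009-12-29T10:00:06 10.0.0.5 GET http://drop.example/pdfupdate.exe 200 application/x-msdownload
2009-12-29T10:05:00 10.0.0.9 GET http://docs.example/manual.pdf 200 application/pdf
2009-12-29T10:07:00 10.0.0.9 GET http://intranet.example/ 200 text/html
2009-12-29T11:00:00 10.0.0.9 GET http://vendor.example/setup.exe 200 application/x-msdownload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Content types the exploit stage arrives as, and the ones a dropped executable arrives as.
EXPLOIT_TYPES = {"application/pdf", "application/x-shockwave-flash"}
BINARY_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


def parse_line(line):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "ctype": ctype.lower(),
    }


def find_driveby_chains(log_text, window_seconds=60):
    """Return landing page -> PDF/SWF -> executable sequences seen per client,
    where the executable arrives within window_seconds of the landing page."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200:
            per_client[rec["client"]].append(rec)

    chains = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(recs):
            if not landing["ctype"].startswith("text/html"):
                continue
            deadline = landing["ts"] + timedelta(seconds=window_seconds)
            exploit_files, payload = [], None
            for follow in recs[i + 1:]:
                if follow["ts"] > deadline:
                    break
                if follow["ctype"] in EXPLOIT_TYPES:
                    exploit_files.append(follow["url"])
                elif follow["ctype"] in BINARY_TYPES and exploit_files:
                    payload = follow      # executable only counts after an exploit file
                    break
            if payload is not None:
                chains.append({
                    "client": client,
                    "landing": landing["url"],
                    "exploit_files": exploit_files,
                    "payload": payload["url"],
                    "seconds": (payload["ts"] - landing["ts"]).total_seconds(),
                })
    return chains


if __name__ == "__main__":
    for chain in find_driveby_chains(SAMPLE_LOG):
        print(chain)
```

The second client in the sample reads a PDF and later downloads an installer, but with no exploit file between an HTML page and the executable inside the window, so it is not reported; tightening `window_seconds` to a few seconds drops the first client too, which is the knob to tune against your own traffic.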

I don't have my test box up at the moment as I'm busy with work, and sorting out a server issue, but the Anubis results for the unpacked file, can be found here. Of interest, is the following, which indicates the presence of a rootkit;


I did however, notice the following bit of confusion, when looking at the file in FileInsight;

....But where would he sleep?...He could be taller the..But where would he sleep?...No one wou..Imagine a pet dinosaur that live....when we played hid..and my pet would pass up th.He could be talle...pterodactyl instead.and the fences squashed ....M..[I0d have to spend ..I wouldn0...I wouldn0t have to worry....It would ...A pet dinosaur would be my house and.and then another and t..Wouldn0t it be fan..While he stood in t.While he st.b.CB

Nope, I've no idea what that's about either.

The site resides at, and my database is showing this entire /24 as being dirty (so nope, not just a case of the sites being hacked). Malicious activity seen within this /24 includes;

20091216205416          Failed resolution          hxxp://
20091216205423          Failed resolution          hxxp://
20091216220940          Failed resolution          hxxp://
20091218035413          Failed resolution          hxxp://
20091218035420          Failed resolution          hxxp://
20091218035427          Failed resolution          hxxp://
20091218035433          Failed resolution          hxxp://
20091218035440          Failed resolution          hxxp://
20091219231238          Failed resolution          hxxp://
20091220000111          Failed resolution          hxxp://
20091220000119          Failed resolution          hxxp://
20091220000340          Failed resolution          hxxp://
20091220001901          Failed resolution          hxxp://
20091220001908          Failed resolution          hxxp://
20091220011435          Failed resolution          hxxp://
20091222194143          Failed resolution          hxxp://
20091222194202          Failed resolution          hxxp://
20091222194209          Failed resolution          hxxp://
20091222194257          Failed resolution          hxxp://
20091222194330          Failed resolution          hxxp://
20091222194337          Failed resolution          hxxp://
20091222194344          Failed resolution          hxxp://
20091222194423          Failed resolution          hxxp://
20091222194438          Failed resolution          hxxp://
20091222194451          Failed resolution          hxxp://
20091222194529          Failed resolution          hxxp://
20091222194536          Failed resolution          hxxp://
20091222194543          Failed resolution          hxxp://
20091222194607          Failed resolution          hxxp://
20091222194613          Failed resolution          hxxp://
20091222194631          Failed resolution          hxxp://
20091222194652          Failed resolution          hxxp://
20091222194759          Failed resolution          hxxp://
20091222194842          Failed resolution          hxxp://
20091223201100          Failed resolution          hxxp://
20091223201217          Failed resolution          hxxp://
20091223201224          Failed resolution          hxxp://
20091229031704          Failed resolution          hxxp://
20091229031807          Failed resolution          hxxp://
20091229032535          Failed resolution          hxxp://
20091229032541          Failed resolution          hxxp://
20091229032858          Failed resolution          hxxp://
20091229033818          Failed resolution          hxxp://
20091229034534          Failed resolution          hxxp://
20091229034555          Failed resolution          hxxp://
20091229034658          Failed resolution          hxxp://
20091229034925          Failed resolution          hxxp://
20091229035534          Failed resolution          hxxp://
20091229035919          Failed resolution          hxxp://
20091229035932          Failed resolution          hxxp://
20091229040137          Failed resolution          hxxp://
20091229040143          Failed resolution          hxxp://
20091229040331          Failed resolution          hxxp://
20091229040853          Failed resolution          hxxp://
20091229041019          Failed resolution          hxxp://
20091229041204          Failed resolution          hxxp://
20091229042433          Failed resolution          hxxp://
20091229044311          Failed resolution          hxxp://
20091229044317          Failed resolution          hxxp://
20091229044324          Failed resolution          hxxp://
20091229044415          Failed resolution          hxxp://
20091229044426          Failed resolution          hxxp://
20091229044504          Failed resolution          hxxp://
20091229044510          Failed resolution          hxxp://
20091229044552          Failed resolution          hxxp://
20091229044633          Failed resolution          hxxp://
20091229044738          Failed resolution          hxxp://
20091229212404          Failed resolution          hxxp://
20091229212411          Failed resolution          hxxp://
20091229212419          Failed resolution          hxxp://
20091229212510          Failed resolution          hxxp://

The /24 lies within a range ( owned by;

ASN: 9803
Desc: JINGXUN Beijing Jingxun Public Information Technology Co., Ltd
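The view above (a whole /24 flagged as dirty from the number of distinct bad domains sitting in it, then attributed to the ASN that announces the range) is the kind of aggregation hpObserver-style tooling does. The following is an added example, my own code and not hpObserver or the author's database: the prefix table uses RFC 5398 documentation ASNs and RFC 5737 test networks, and the sightings are constructed, so the counts are illustrative only. Domains that never resolved are kept aside as "Failed resolution", as in the log above, rather than being silently dropped.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix table (RFC 5398 documentation ASNs, RFC 5737 test networks).
# A real tool would take this from a routing-table dump or whois.
ASN_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), 64496, "DOC-AS-1 Example Hosting One"),
    (ipaddress.ip_network("203.0.113.0/24"), 64497, "DOC-AS-2 Example Hosting Two"),
    (ipaddress.ip_network("203.0.113.128/25"), 64498, "DOC-AS-3 Example Reseller"),
]

# Constructed sightings: (domain, resolved IP or None when resolution failed, category).
SIGHTINGS = [
    ("fakeav-one.example", "203.0.113.10", "fake AV"),
    ("fakeav-two.example", "203.0.113.11", "fake AV"),
    ("exploit-kit.example", "203.0.113.12", "exploit"),
    ("phish.example", "203.0.113.13", "phishing"),
    ("fakeav-two.example", "203.0.113.11", "fake AV"),   # repeat sighting of the same domain
    ("gone.example", None, "fake AV"),                   # "Failed resolution" in the log
    ("lone.example", "198.51.100.7", "exploit"),
    ("reseller.example", "203.0.113.200", "phishing"),
]


def lookup_asn(ip):
    """Longest-prefix match of ip against ASN_PREFIXES; (asn, description) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, desc in ASN_PREFIXES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, desc)
    return None if best is None else (best[1], best[2])


def summarize_by_slash24(sightings):
    """Group sightings into their /24, keeping distinct domains, categories and ASNs.
    Returns (summary, failed) where failed is the set of domains that never resolved."""
    summary = defaultdict(lambda: {"domains": set(), "categories": set(), "asns": set()})
    failed = set()
    for domain, ip, category in sightings:
        if ip is None:
            failed.add(domain)
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        entry = summary[net]
        entry["domains"].add(domain)
        entry["categories"].add(category)
        hit = lookup_asn(ip)
        entry["asns"].add(hit[0] if hit else "unrouted")
    return summary, failed


def dirty_slash24s(sightings, min_domains=3):
    """/24s holding at least min_domains distinct malicious domains, most-hit first."""
    summary, _ = summarize_by_slash24(sightings)
    dirty = []
    for net, info in summary.items():
        if len(info["domains"]) >= min_domains:
            dirty.append({
                "network": str(net),
                "domains": len(info["domains"]),
                "categories": sorted(info["categories"]),
                "asns": sorted(info["asns"], key=str),
            })
    return sorted(dirty, key=lambda d: d["domains"], reverse=True)


if __name__ == "__main__":
    for entry in dirty_slash24s(SIGHTINGS):
        print(entry)
    print("never resolved:", sorted(summarize_by_slash24(SIGHTINGS)[1]))
```

Note that the ASN is looked up per IP and collected per /24, not looked up once for the network address: the sample deliberately has a more-specific /25 delegated to a second ASN inside the /24, and a single lookup would hide that.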

/edit 18:52

Sunbelt sandbox results

Microsoft Malware Protection Center (results will be here once analysis is finished)

/edit 19:06

The following shows some interesting stats regarding the exploit pack being used here (Fragus/Nulled);

Sunday, 27 December 2009

Crimeware friendly ISP's: Eveloz (AS27716,,,

The topic today is blackhat SEO, fake AV's and phishing. The culprit responsible for this boatload of maliciousness, is Eveloz (AS27716).

Eveloz has 3 upstream providers, namely;

AS11556 PA-CAPA2-LACNIC Cable-Wireless Panama
AS14551 ALTERNET-SA-AS UUNET Technologies
AS23520 NEWWORLDNETWORK New World Network USA, Inc.

Eveloz is also directly related to, an ISP with a history of badness. This blog isn't appropriate for that however, so I'll go into that at a later date.

You'll note, I've blogged recently (as have others) about the blackhat SEO campaigns on Google (and there's similar campaigns on the other search engines). Most of these have one thing in common - the redirector. The most recent redirector or MITM (Man in the middle) is, which resides at This domain uses the following redirs;


The redir you're taken to (1-4) seems to vary depending on the domain, but all 4 will take you to various infections (the target domain appears to change every 12-24 hours, so I'd suggest monitoring it constantly). At present, these are;

---> (Internet Antivirus Pro)




ASN: 29802 HVC

At the time of publishing, this one is returning a 404 for me for the payload (blocked IP perhaps?)



ASN: 49770 SERVERCONNECT-AS ServerConnect Sweden AB

At the time of publishing, this one is returning a 404 for me for the payload (blocked IP perhaps?)

---> (System Security variant)

ASN: 5577 ROOT root eSolutions

Over the past couple of weeks or so, only the first and fourth have resulted in an actual payload being delivered for me, the second and third have failed (the second with what looks like a fake 404, suggesting they've got all of my IP's blocked, and the third keeps timing out).

Whilst quite obviously annoyed at Google and the likes, for not doing enough to remove the results from their indexes to begin with, I find myself increasingly annoyed with their upstreams for allowing this behaviour to continue.

Eveloz for example, if we look at just one of their ranges, doesn't have so much as a single legit domain - every single one is either delivering malware or phishing scams;

I've got a router to change over now however, so we'll come back to this later.

INFO: Upcoming service interruption

Just a note folks, I treated myself to a new Netgear WNR2000 N Router today (would've loved the MaxRange N router but couldn't afford it), which means the network will be unavailable later tonight, to allow for the current router being replaced.

I'm planning on doing the replacement at approx midnight tonight (GMT), and it shouldn't take more than 15 mins or so (allows for disconnection, connection, config, testing and backup).

/edit 01:06 28-12-2009

I've had to ditch the router replacement idea folks. The new one doesn't have a modem built into it (could've bleedin told me on the box!)

Wednesday, 23 December 2009

Twitter spam: IAC WebFetti

I received an e-mail from a friend earlier, alerting me to possible malicious content over on Twitter (surprise surprise), and what I found actually did surprise me for a change.

This spam run didn't lead to a worm, trojan, virus or other infection - but to an IAC website,

One thing they all have in common, aside from the IAC connection? Well, that would be Twivert. A site that advertises itself as a "Twitter advertising network". Quite why publishers such as IAC, who are presently trying to convince everyone they've gone legit, would think this kind of behaviour was a good thing, is beyond me.

You'll no doubt be surprised to learn, Twivert is run by an Indian based "company" (I'm beginning to wonder if there's so much as a single legit company over there, all of those I've come across have been involved in spam or phishing);

280-A LLoyds Road
Chennai, Tamil Nadu 600086

Domain Name: TWIVERT.COM
Created on: 25-May-09
Expires on: 25-May-11
Last Updated on: 25-May-09

Administrative Contact:
Sundaresan, Vignesh
280-A LLoyds Road
Chennai, Tamil Nadu 600086
00971554906134 Fax --

Technical Contact:
Sundaresan, Vignesh
280-A LLoyds Road
Chennai, Tamil Nadu 600086
00971554906134 Fax --

Domain servers in listed order:

I highly suspect IAC will blame this on rogue affiliates, but personally, I'll not be convinced.

Crimeware friendly ISP's: RapidSwitch Ltd (AS29131)

Those of you reading this blog for any length of time, or specializing in the documentation of malicious domains, will no doubt already be aware of RapidSwitch's history, but here's a little refresher for you;

242 reasons to avoid (RapidSwitch - AS29131)

RapidSwitch customers still involved in SMS Fraud ...... + Computer Solutions Group + 208.118.54.* + Xtreme Software Ltd + Saudi Arabia = Phishing and fraud network disconnected - but apparently not completely gone

Fake malwarebytes site

Legitimate Software Typosquatted in SMS Micro-Payment Scam

RapidSwitch: UK webhosts in champagne throwing cat fight

LC Escrow & Consulting Fraud

Take your time, I'll wait.

Caught up? Good, let's begin, shall we? We'll start by looking at what was there, as documented in September last year. How many of these are still present? How many have moved? Well, the following contains the hpObserver validation results for those listed in hpHosts as residing on 78.129.*, which were run around an hour or so ago;

I believe the results speak for themselves - the majority are still present, and still involved in malicious activities.

Now, let's look at what's appeared over there in the last few months shall we? And I should point out, this only contains those recorded in my personal database (this database is not published online for varying reasons) and as such, is only a small example.

[hpObserver results table: only the status column survives in this copy, and it reads "Failed resolution" for every row; the domain column is missing]

Here we see everything from RFI's, to fake AV's (these are the most common sighting within the RapidSwitch networks) and a spot of Koobface (e.g., which as of a check a couple seconds ago, appears to have been cleaned up), with exploits such as those at (see Wepawet results for details), thrown in for good measure.

I'm afraid, given this behaviour is continuing, and is in some measures, getting worse on the RS network, I believe it's safe to say RapidSwitch quite simply don't care. They ARE aware of the malicious traffic within their networks. How do I know? Well for starters, I'm not the only one to try and report it to them, and actually have them do something (I tried back in 2008, which was a complete waste of time, and have reported malicious content to them since then, with absolutely no reply (though given they blocked e-mail from me getting through to them (or so they claimed), I'm not really surprised)).

I do wonder however, how exactly they're explaining themselves to the legit customers they do actually have, and to their shareholders and whatnot (though given shareholders typically only care about profit, I doubt they care either). I suspect it's along the lines of "we're a large ISP and can't possibly know about everything, and don't have access to customers' servers, and ..... and ..... ", aka: excuses.

For those interested, you'll also find malicious content within the RapidSwitch networks, documented at;




Until such time as RapidSwitch die a horrible death, or boot all of their current management/staff and hire people that actually care about more than profit, I'm personally continuing to blackhole their entire ranges, and strongly urge everyone else do the same (to those legit customers unfortunate enough to be hosted with RapidSwitch - MOVE ELSEWHERE!!!).

Tuesday, 22 December 2009

Oi! Google, WAKE UP!

After announcing to the world + dog, that they are offering their own version of OpenDNS, you'd have thought that meant they'd finally gotten serious about security (I know, I'm laughing at the thought too), but nope, Google's results are STILL littered with malicious content that will drive your PC into a frenzy, and drive you to a level of frustration you've never seen.

As a quick example, I've just spent the last 10 mins or so, going through the results for hphosts for the past month, and found the following, all of which will, if fed a Google referer, infect the living daylights out of your computer;

The sites you're taken to that deliver the payload, or act as redirectors to the payload, include;

Worse still, many of these have been in the results for what is considered, in the security world, a long time (over 1 week for a fake AV site to stay alive isn't very common; domains usually die anywhere within 6 - 72 hours).

Just one of the many sites listed above is the typical fake AV site, pretending to scan your computer and automagically find a plethora of infections, with the end result being an infection downloaded to your machine, and you paying them for doing so.

You'll find the IP's and whatnot that are involved below, but suffice to say, the usual suspects are present (Hetzner, CSSGROUP, root eSolutions etc).

Given Google offer their "diagnostics", which points out sites containing infections, and given they have what is without a doubt, one of the largest indexes available, you'd have thought they'd have invested at least a small amount of time, on additional filtering that would enable them to scan a site and give it some sort of fingerprint - a fingerprint that could then be compared to, which would have very easily identified around 90% of the malware you can find via Google (and the above is less than 0.0000001%).

If I can identify this lot in around 10 minutes, and identify it MANUALLY (I have never been a fan of automation as there's too much to go wrong), imagine what Google could save you from if they bothered getting their backsides into gear (and yep, I know Google aren't the only engine affected by this - but they're the largest and most popular).
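The sites above only misbehave when the request carries a Google referer, which is exactly why they survive in the index: a crawler or a curious admin typing the address in sees a harmless page. An added example, my own code and not the author's, of the check an analyst can script for this: fetch the page with and without a search-engine Referer and flag any divergence in status, final URL, body similarity, or active content (iframe, script, meta refresh) that appears only in the referred copy. The URL, the stub response and the injected iframe are constructed; http_fetch is the live fetcher and is not exercised offline.

```python
import difflib
import re
import urllib.error
import urllib.request

# A search-engine referer of the kind the post says these sites key on.
GOOGLE_REFERER = "http://www.google.com/search?q=hphosts"
USER_AGENT = "Mozilla/5.0 (compatible; referer-cloak-check)"

# Markup that usually carries the redirect or exploit stage of a cloaked page.
ACTIVE_CONTENT = re.compile(
    r"<(?:iframe|script|object|embed)\b|http-equiv=[\"']?refresh|window\.location", re.I)

# Constructed benign page body used by the offline stand-in below.
BENIGN_BODY = "<html><body><h1>Recipes</h1><p>Lorem ipsum dolor sit amet.</p></body></html>"


def http_fetch(url, headers):
    """Live fetcher: (status, final URL, body). Only used when you run this against a real site."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, url, err.read().decode("utf-8", "replace")


def constructed_fetch(url, headers):
    """Offline stand-in emulating a site that only serves an injected iframe to
    visitors arriving from Google (constructed, not a captured response)."""
    if "google." in headers.get("Referer", ""):
        injected = '<iframe src="http://exploit.example/go" width=1 height=1></iframe>'
        return 200, url, BENIGN_BODY.replace("</body>", injected + "</body>")
    return 200, url, BENIGN_BODY


def _normalize(body):
    return re.sub(r"\s+", " ", body).strip().lower()


def _active_tokens(body):
    return {m.group(0).lower() for m in ACTIVE_CONTENT.finditer(body)}


def check_referer_cloaking(url, fetch=http_fetch, referer=GOOGLE_REFERER, min_similarity=0.9):
    """Fetch url twice, with and without a search-engine Referer, and report why the
    two responses differ. An empty reasons list means no referer-keyed behaviour seen."""
    p_status, p_url, p_body = fetch(url, {"User-Agent": USER_AGENT})
    r_status, r_url, r_body = fetch(url, {"User-Agent": USER_AGENT, "Referer": referer})
    similarity = difflib.SequenceMatcher(None, _normalize(p_body), _normalize(r_body)).ratio()
    reasons = []
    if p_status != r_status:
        reasons.append(f"status {p_status} without referer, {r_status} with")
    if p_url != r_url:
        reasons.append(f"final URL {p_url} without referer, {r_url} with")
    if similarity < min_similarity:
        reasons.append(f"body similarity only {similarity:.2f}")
    added = _active_tokens(r_body) - _active_tokens(p_body)
    if added:
        reasons.append("active content only with referer: " + ", ".join(sorted(added)))
    return {"cloaked": bool(reasons), "similarity": round(similarity, 3), "reasons": reasons}


if __name__ == "__main__":
    print(check_referer_cloaking("http://lure.example/page.html", fetch=constructed_fetch))
```

Two caveats from the post itself apply when running this live: a 404 in both modes can mean your source IP has been blocked rather than that the site is clean, and the target of the redirect changes every day or so, so a single pair of fetches is a snapshot, not a verdict.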

hpObserver results

Raw results (the DOMAIN, IP_PTR and ASN_CIDR columns did not survive in this copy; "-" in the IP column means the value is missing here, "Failed resolution" is what the original recorded)

IP                  ASN      ASN_DESCRIPTION                                URI_PATH
-                   AS30447  INFB2-AS                                       /Swatches/1106/jpg.php
-                   AS24940  HETZNER-AS Hetzner Online AG RZ                /?pid=384&sid=31797c
-                   AS15244  ADDD2NET-COM-INC-DBA-LUNARPAGES Lunar Pages    /images/educatio90/lenugeratt.html
Failed resolution   AS20473  AS-CHOOPA Choopa, LLC                          /downloader.php?affid=94400
Failed resolution   AS20473  AS-CHOOPA Choopa, LLC                          /index.php?affid=94400
Failed resolution   AS20473  AS-CHOOPA Choopa, LLC                          /hitin.php?land=20&affid=94400
-                   AS48662  CSSGROUP-AS SIA _CSS GROUP_                    /a/?l=searchable
-                   AS33182  DIMENOC---HOSTDIME, Inc.                       /vyy/74867.php
-                   AS21844  THEPLANET-AS Internet Services, Inc.           /cfywk/authorized.php
Failed resolution   AS30496  COLO4 Colo4Dallas LP                           /jltnu/cadets.php
-                   AS4323   TWTC tw telecom holdings, inc.                 /xtedb/cadets.php
-                   AS33970  OPENHOSTING M247 Ltd                           /adnep/simple.php
-                   AS4323   TWTC tw telecom holdings, inc.                 /ruagj/cadets.php
-                   AS32475  SINGLEHOP-INC SingleHop                        /iheae/cadets.php
Failed resolution   AS32181  ASN-ECOMD-COLOQUEST GigeNET                    /download/install.php?uid=13400
Failed resolution   AS32181  ASN-ECOMD-COLOQUEST GigeNET                    /?uid=13400
-                   AS29802  HVC-AS HIVELOCITY VENTURES CORP                /go.php?id=2004&key=ff0057594&d=1
Failed resolution   AS5577   ROOT root eSolutions                           /downloader.php?affid=92800
Failed resolution   AS5577   ROOT root eSolutions                           /index.php?affid=92800
Failed resolution   AS5577   ROOT root eSolutions                           /hitin.php?land=20&affid=92800
Failed resolution   AS27716  Eveloz                                         /in.cgi?5
Failed resolution   AS4323   TWTC tw telecom holdings, inc.                 /zgrcn/authorized.php