Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 31 May 2010

WARNING: Malware, scams and RedStation (AS35662,

Remember the SMS fraud housed on the RapidSwitch range? Well, now we've got yet another network involved.

This time, it's the turn of RedStation, AS35662. I've already dropped them an e-mail, but the notice on their contact page suggests this is going to have been a completely pointless exercise.

Note to Solicitors

If you are a solicitor and you wish to communicate with us about a website hosted on the Redstation network, do not telephone as we will not be able to discuss it with you. All legal communication must be in writing and sent by recorded delivery to the company's address listed above and marked for the attention of the Company Secretary.

We do not accept legal communications by email or fax.

Wonder if they consider abuse reports to be "legal communications"?? We shall see.

In the meantime, this little lot is housed on at least 2 of their IPs. Namely and

All of those I've checked thus far, have had their downloads coming from ( - ), for example;


These are NSIS packed files, and the JDownloader file for example, contains two VBS scripts that hijack the Firefox homepage and search engine to point to;


With partner ID:


No great surprise as far as where is living - our old friends RapidSwitch;

Current IP:
IP PTR: Resolution failed
ASN: 29131 RAPIDSWITCH-AS RapidSwitch

Sunday, 30 May 2010

Innovative Marketing/Byte Hosting: Scareware scam charges

Ah how this has made my day.

Federal prosecutors have accused three men of running an operation that used fraudulent ads to dupe internet users around the world into buying more than $100m worth of bogus anti-virus software.

The defendants operated companies including Innovative Marketing and Byte Hosting Internet Services, which perpetuated an elaborate scheme that tricked internet publishers into posting malware-laced ads on their websites, according to an indictment filed Wednesday. The banners allegedly presented messages falsely claiming visitors' computers contained dangerous malware and other defects that could be fixed by purchasing software that cost from $30 to $70.

Saturday, 29 May 2010

Paragon Virtualization Manager 9.5: Not quite virtualization

Paragon Software recently gave away free licences for it's Virtualization Manager, and I decided to check it out. Sadly I was to be disappointed, as contrary to it's name - it's not virtualization software at all.

I already knew I was going to be a little disappointed when I noticed it wouldn't actually allow me to run an ISO (tried ISOs of both Linux and Windows) as a virtual machine (at least, I certainly couldn't find that option, and nothing in the Virtualization menu indicated such facilities). All this program allows you to do is copy/restore/backup, partitions/disks, or sysprep an image (something Microsofts own sysprep tool does).

I am therefore left a little bewildered as to the point of this, especially given their Partition Manager, System Backup, Drive Backup etc software, already allows you to do everything this one does.

I'm going to check it's sysprep abilities as soon as I get back home on Monday/Tuesday, but as far as virtualization, I'd suggest you stick to the current offerings such as Virtual Box, Microsoft Virtual PC, MobaLiveCD, VMWare et al.

Full Circle Magazine: Issue 37

Full Circle issue #37 is out with a review of Lubuntu, more programming in Python, talk about streaming media, and more. Don’t forget to listen to the latest episode of our companion podcast for the full FCM experience!

This month:

- Command and Conquer.
- How-To : Program in Python – Part 11, Adding Screenlets, and Streaming Media.
- Review – Lubuntu.
- MOTU Interview – Stefan Lesicnik.
- Top 5 – Tiling Window Managers.
- plus: Ubuntu Women, Ubuntu Games, My Opinion, My Story, and all the usual goodness!

Read more

Get it while it's hot!

Issues 0 - Current



Friday, 28 May 2010

WARNING: Blackhat SEO turns (once again) to exploits

Not content with serving up fake AVs and the likes, it seems one of the blackhat SEO gangs have one again, turned to serving up exploits instead. Obviously this leads to a fake AV infection aswell, but I thought this worth mentioning.

The story starts not surprisingly, at Google, where you're searching for your favourite TV show, news clip, or something completely random, such as why you always wake up on the right side of the bed when going to sleep on the left.

You find a result and go "Ooooh, that'll have my answer", and go clickity click - but woops! You find yourself going through the recognizable MITM (man in the middle), in this case, ( - Failed resolution, AS48984 VLAF-AS Vlaf Processing Ltd), and on to an exploit (in this case, at ( - Failed resolution, AS6851 BKCNET _SIA_ IZZI) and ( - Failed resolution, AS6851 BKCNET _SIA_ IZZI).

I've added the domains involved to MDL and hpHosts, and Malwarebytes AntiMalware users will be pleased to know, the IPs involved are already blocked by the IP Protection facility.

For those wanting samples, the headers are below.

HTTP/1.1 302 Moved Temporarily
Date: Fri, 28 May 2010 10:03:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/
X-Powered-By: PHP/5.2.12
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:01:30 GMT
Server: Apache/2
Set-Cookie: SL_12_0000=_1_;; path=/; expires=Sat, 29-May-2010 10:01:30 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:01:30 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 28 May 2010 10:03:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.2-0.dotdeb.2
Set-Cookie: bmb=1275041000; expires=Fri, 04-Jun-2010 10:03:20 GMT; path=/;

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:59:30 GMT
Server: Apache/1.3.41
X-Powered-By: PHP/5.2.10
Connection: close
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:57:41 GMT
Server: Apache/2
Set-Cookie: SL_9_0000=_1_;; path=/; expires=Sat, 29-May-2010 10:57:41 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:57:41 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 28 May 2010 10:59:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.2-0.dotdeb.2
Set-Cookie: bmb=1275044372; expires=Fri, 04-Jun-2010 10:59:32 GMT; path=/;

These are only allowing access once per IP, so you'll find the vURL Online results for the doorway pages below (I don't have caching written in for vURL Online yet, but incase you'd like it, the URL to the vURL dissection for this is

The exploits they're using include;

Snapshot Viewer Control
Acrobat PDF
MDAC (Microsoft Data Access Components)
Java Deployment Kit

Sunday, 23 May 2010

INFO: is back

Just a note folks. The maintenance took less time than expected, so MDL is now back online :o)

Eset, Star Wars, and rogues ....

On the hunt as usual, I came across yet another rogue, again using etc via blackhat SEO, but using .tk domains (surprise surprise). What I did find rather humorous however, was a javascript file that was loaded.

The javascript contained a lovely little snippet, and a note for the folks over at Eset (though evidently, the bad guys got their Star Wars and Star Trek mixed up, as it was the Borg that said Resistance is futile - not anyone from Star Wars);

/*hello nod32 guys; the force is strong with u, young Padawans, but u won't defeat us; any resistance is futile;*/

The file in question;


I did some checking, and not surprisingly, there's alot more than this one that's been created (I've already dropped abuse reports to, including;

I've got a verification going to ID any more of these. Until change their policy of not taking down domains that the registrant has paid them for, I feel pretty confident that we're going to see more and more .tk domains involved in criminal activity.

As far as the IPs involved, you'll no doubt have guessed that it's the usual suspects;

31252 STARNET-AS StarNet Moldova
47869 NETROUTING-AS Netrouting Data Facilities

If you've not already, feel free to blackhole the lot of them (and until change their policy, you might want to consider a blanket block on the entire Tokelau TLD - money should never come before user safety).

References Use and abuse us as you wish

Crimeware friendly ISPs:

Friday, 21 May 2010

hpHOSTS - UPDATED May 21st, 2010

hpHOSTS - UPDATED May 21st, 2010

The hpHOSTS Hosts file has been updated. There is now a total of 125,099 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 21/05/2010 18:20
  2. Last Verified: 20/05/2010 16:00

Download hpHosts now!

Planned outage: Malware Domain List

Just a note folks. Malware Domain list will be unavailable from May 21st (1700 EDT) until Monday 24th (1700 EDT).

Wednesday, 19 May 2010

3FN (APS Telecom) shut down

I have just one thing to say - it's about bleedin time!


Reporting abuse to APS Telecom/3FN? Your wasting your time

APS Telecom/3FN have some explaining to do

Tuesday, 18 May 2010

AS50896 PROXIEZ – Overview of a Crime Server

At 9:00am EST on Friday May14th AS50896 PROXIEZ lost its ability to infect the Internet. To avoid confusion there were ‘unsuccessful’ attempts to reconnect on Saturday & Sunday May 15/16th. This is where there may have been reports of connections to bots and Malware being still alive.

The upstream peer AS50818 DIGERNET was also disconnected from the Internet @ 10:30am EST on Friday May14th. AS50908 EVAUA (InfoPlus Ltd.) is currently attempting to serve the Zeus C&Cs as a replacement for Proxiez.

Read more

Friday, 14 May 2010

AnchorFree: HotSpot Shield - Nice try

AnchorFree have responded to Sunbelts blog concerning the adware nature of their software/service, and hillariously, have failed miserably.

Read more at;

Cybercrime: The Franchise

Do-it-yourself cyber-crime kits have emerged for the average PC user, with built-in anti-virus protection and complete online security avoidance features.

Once upon a time, professional hackers needed the skills of willing script kiddies to exploit your PC or enterprise. Then along came the exploit kit, such as the “MPack,” courtesy of the RBN (Russian Business Network), and a new business enterprise was born.

Today, a new generation of exploits is available in off-the-peg kits requiring no more operational skill than that of a competent user.

One of the latest headline victims of an exploit kit was the US Treasury Website. Panda Security detailed how it happened -- and how a new generation of kits or packs can identify security vulnerabilities, select the preferred method of intrusion, and carry out the exploit, whether that be by PDF, an embedded iframe, or any other chosen method of exploitation.

Read more

Thursday, 13 May 2010

Hotspot Shield: What part of “no adware” don’t you understand?

We’ve gotten some inquiries about why VIPRE has been detecting Hotspot Shield ( as adware since May 4. Some thought it might be a false positive. It isn’t.

The Hotspot Shield web site carries the below graphic that says “NO spyware / adware.”

Well just SAYING “NO spyware / adware” doesn’t make it happen.

Here’s what the Hotspot Shield “terms of service” say (

Read more

CyberDefender Corporation: Lessons in intimidation

It would seem CyberDefender Corporation, still haven't learnt from the already huge amount of bad publicity they've received from a plethora of avenues, as they are yet again, going after someone with their law firm, for publishing their findings and opinions. This time, it's Allen Harkleroad from

A week or two ago I (Allen Harkleroad) expressed my personal opinion of MyCleanPC and DoubleMySpeed, which by the way are owned by the CyberDefender Corporation.

While in the past legal threats and legal intimidation may have served CyberDefender well in regards to stifling consumers and individuals public opinions. However, such threats do not work on me as everyone involved will soon find out. I will speak and/or publish my opinions of businesses as I see fit without fear of prosecution or persecution.

CyberDefender Corporation and the law firm that represents them (Catanese & Wells of Westlake Village, California) must have never heard of a US Citizens 1st Amendment freedom of speech rights. I intend to educate all of the involved parties as to what the first amendment is and what it covers.

Read more

Hat tip to "John D's Computer and Network services" for the heads up.


CyberDefender: Oh dear, here we go again

CyberDefender update: Sort of happy news!

CyberDefender: Want your money back? Forget it!

Rogue company, CyberDefender, uses MBAM to clean infections

CyberDefender: Early Deceit

CyberDefender and it’s adverts!

Sunday, 2 May 2010

Misleading marketing: Fake IM advert - Déjà Vu

Remember this? Well this time, we've got the same fake IM advert and again, from, except;

1. This time, the ad network is (owned by "DSNR Media Group", a company with ties to known scam sites such as,, and;

2. The target URL isn't mindspark' MyFunCards, but;

Wonder where it'll lead to next?


Mindspark/IAC: Misleading marketing (again)

Mindspark/IAC: Misleading marketing (again)

Investigating malware, I was led to a URL at, a file sharing site similar to RapidShare, that is intent on shoving popups in your face.

What (didn't) surprise me however, was an advert claiming to be an IM chat (yes of course it is), loaded via;

This "advert", displayed what you see in the screenshot to the top left. Where did this lead you ask? Well as you've probably guessed by the title - it led me to, a website owned by Mindspark/IAC, that peddles the likes of SmileyCentral, MyFunCards - collectively known as "Fun Web Products" (FYI: They're anything *but* "fun" for your computer or privacy).

Whilst not surprised to see this kind of advert loading that directs to them, it has to be asked why they've still not learnt that this kind of behaviour is just one of the reasons that many of us, both have them blocked for those using our services, and recommend people stay as far away from them as possible.

I've dropped an e-mail over to Kirk Lawrence at Mindspark, to see if we can get an explanation for this particular incident.