Blog for hpHosts, and whatever else I feel like writing about ....

Monday 31 May 2010

WARNING: Malware, scams and RedStation (AS35662, 81.94.192.0/20)

Remember the SMS fraud housed on the RapidSwitch range? Well, now we've got yet another network involved.

This time, it's the turn of RedStation, AS35662. I've already dropped them an e-mail, but the notice on their contact page suggests this is going to have been a completely pointless exercise.

Note to Solicitors

If you are a solicitor and you wish to communicate with us about a website hosted on the Redstation network, do not telephone as we will not be able to discuss it with you. All legal communication must be in writing and sent by recorded delivery to the company's address listed above and marked for the attention of the Company Secretary.

We do not accept legal communications by email or fax.


Wonder if they consider abuse reports to be "legal communications"?? We shall see.

In the meantime, this little lot is housed on at least two of their IPs, namely 81.94.201.58 and 81.94.201.61.

3gpplayer-2010.biz
3gpplayer-2010.com
3gp-player-2010.com
3gpplayer-2010.info
3gpplayer-2010.net
3gp-player-2010.net
3gpplayer-2010.org
3gpplayernew.info
7zip-2010.biz
7zip-2010.info
7zip-2010.org
7zip-2010.us
7zip-be.info
7-zipnew.info
7-zipnew2.info
7zip-nl.net
7-zip--uk.com
activex-2010.biz
activex-2010.info
activex-2010.org
activex-be.net
activexdownloadcontrolnew.info
activexdownloadcontrolnew2.info
activexdownloadcontrol-uk.com
activex-nl.net
adobereadernew.info
adobereader--uk.com
antivirus-plus.biz
atubecatcher-2010.com
atubecatcher-2010.net
atubecatchernew.info
atubecatcher--uk.com
audacitynew.info
audacity-uk.com
audicity-2010.biz
audicity-2010.info
audicity-2010.org
audicity-be.com
audicity-nl.com
cccpcodecs-2010.biz
cccpcodecs-2010.com
cccpcodecs-2010.info
cccpcodecs-2010.org
cccpnew.info
cccpnew2.info
cccp--uk.com
ccleaner-2010.com
ccleaner-2010.net
ccleaner-2010.org
ccleaner-fr.com
ccleanernew.info
ccleaner--uk.com
cdburner-2010.biz
cdburner-2010.com
cdburner-2010.info
cdburner-2010.net
cdburner-2010.org
cdburner-it.com
cdburnernew.info
cdburnerxp-pro.com
cdburnerxp-pro.net
cdex-2010.com
cdex-2010.net
directx-2010.biz
directx-2010.info
directx-2010.org
directx-2010com.com
directxfr-be.com
directxfr-nl.com
directxnew.info
directxnew2.info
directx--uk.com
divxnew.info
divx--uk.com
dvd43-2010.biz
dvd43-2010.com
dvd43-2010.info
dvd43-2010.net
dvd43-2010.org
dvd43new.info
dvd-shrimk.biz
dvd-shrimk.com
dvd-shrimk.info
dvd-shrimk.net
dvd-shrimk.org
dvd-shrimknew.info
dvd-shrink-2010.com
dvd-shrink-2010.net
elisoftcodecpacknew.info
elisoftcodecpacknew2.info
elisoftcodecpack--uk.com
elisoftcodecs-2010.biz
elisoftcodecs-2010.com
elisoftcodecs-2010.info
elisoftcodecs-2010.org
eurotrucksimulator-2010.com
eurotrucksimulator-2010.net
explorer-2010.biz
explorer-2010.info
explorer-2010.org
explorer-be.net
explorernew.info
explorer-nl.net
firefox-2010.org
flashplayer-2010.biz
flashplayer-2010.com
flashplayer-2010.info
flashplayer-2010.net
flashplayer-2010.org
flashplayernew.info
formatfactory-2010.biz
formatfactory-2010.com
formatfactory-2010.info
formatfactory-2010.net
formatfactory-2010.org
formatfactorynew.info
foxitpdfreader-2010.com
foxitpdfreader-2010.net
freemp3-2010.biz
freemp3-wmaconverter.com
freemp3-wmaconverter.net
frostwine-2010.com
frostwine-2010.net
garageband-2010.com
garageband-2010.net
gimp2new.info
gimp2new2.info
gimp2--uk.com
glaryutilities-2010.com
glaryutilities-2010.net
guitarpro-2010.com
guitarpro-2010.net
incredimail-be.net
incredimail-nl.net
inkscape-2010.com
internetdownloadmanager-2010.com
internetdownloadmanager-2010.net
i-tunes-fr.com
jdownloader2010.info
jdownloader-be.net
jdownloadernew.info
jdownloader-nl.net
koyotefreevideoconverter-2010.com
koyotefreevideoconverter-2010.net
messengeres.org
movimaker-es.org


All of those I've checked thus far have had their downloads coming from allbrowsers.net (81.94.201.61 - 61-201-94-81.rackcentre.redstation.net.uk), for example:

hxxp://www.allbrowsers.net/gb/install_jdownloader.exe?a=

These are NSIS-packed files, and the JDownloader file, for example, contains two VBS scripts that hijack the Firefox homepage and search engine to point to:

Homepage: pucuy.com
Search: pucuy.com/google

With partner ID:

partner-pub-3546861938806019:fn51rv5o9ne
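If you want to check a machine for this kind of hijack, the place to look is the Firefox profile's prefs.js (or user.js). The following is an added example I wrote for this post, not code from the post or from the samples it describes: it parses user_pref lines and flags homepage/search preferences pointing at pucuy.com, or any preference carrying the partner ID above. Which preference names the VBS scripts actually rewrite is not stated in the post, so the WATCHED_PREFS list is my assumption; the sample prefs.js content is constructed, not a capture.

```python
import re
from urllib.parse import urlparse

# Firefox keeps user-set preferences as one user_pref("name", value); call per
# line in prefs.js (or user.js) inside the profile directory.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Preferences a homepage/search hijacker would plausibly rewrite. ASSUMPTION:
# the post only says the VBS scripts change "homepage and search engine"; which
# prefs they actually touch is not stated, so this list is my guess.
WATCHED_PREFS = {
    "browser.startup.homepage",
    "keyword.URL",                     # address-bar search URL (Firefox 3.x era)
    "browser.search.defaulturl",
    "browser.search.defaultenginename",
}

# Hijack target and search partner ID, both taken from the post.
BAD_DOMAINS = {"pucuy.com"}
PARTNER_ID = "partner-pub-3546861938806019:fn51rv5o9ne"

# Constructed sample: what a hijacked prefs.js might contain. Not a real capture.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "http://pucuy.com");
user_pref("keyword.URL", "http://pucuy.com/google?cx=partner-pub-3546861938806019:fn51rv5o9ne&q=");
user_pref("browser.startup.page", 1);
user_pref("browser.search.defaultenginename", "Google");
'''


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line, quotes stripped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def host_of(value):
    """Hostname of a URL-valued pref, or '' if the value is not a URL."""
    if "://" not in value:
        return ""
    return (urlparse(value).hostname or "").lower()


def is_bad_host(host):
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def find_hijacks(text):
    """Return sorted (pref, reason) pairs for prefs that look hijacked.

    A watched pref is flagged when its URL points at a bad domain; any pref
    is flagged when its value carries the partner ID from the post.
    """
    hits = set()
    for name, value in parse_prefs(text).items():
        host = host_of(value)
        if name in WATCHED_PREFS and host and is_bad_host(host):
            hits.add((name, "points at " + host))
        if PARTNER_ID in value:
            hits.add((name, "contains partner ID"))
    return sorted(hits)


if __name__ == "__main__":
    for pref, reason in find_hijacks(SAMPLE_PREFS):
        print("HIJACKED %s: %s" % (pref, reason))
```

Point it at a real profile by reading prefs.js into a string and passing it to find_hijacks. Matching on the partner ID as well as the domain catches the case where the gang moves the redirect to a fresh domain but keeps the same search-revenue account.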




No great surprise as far as where pucuy.com is living - our old friends RapidSwitch:

Current IP: 78.129.142.38
IP PTR: Resolution failed
ASN: 29131 78.129.128.0/17 RAPIDSWITCH-AS RapidSwitch

Sunday 30 May 2010

Innovative Marketing/Byte Hosting: Scareware scam charges

Ah how this has made my day.

Federal prosecutors have accused three men of running an operation that used fraudulent ads to dupe internet users around the world into buying more than $100m worth of bogus anti-virus software.

The defendants operated companies including Innovative Marketing and Byte Hosting Internet Services, which perpetuated an elaborate scheme that tricked internet publishers into posting malware-laced ads on their websites, according to an indictment filed Wednesday. The banners allegedly presented messages falsely claiming visitors' computers contained dangerous malware and other defects that could be fixed by purchasing software that cost from $30 to $70.


http://www.theregister.co.uk/2010/05/28/scarware_scam_charges/

Saturday 29 May 2010

Paragon Virtualization Manager 9.5: Not quite virtualization

Paragon Software recently gave away free licences for its Virtualization Manager, and I decided to check it out. Sadly I was to be disappointed, as contrary to its name - it's not virtualization software at all.

I already knew I was going to be a little disappointed when I noticed it wouldn't actually allow me to run an ISO (tried ISOs of both Linux and Windows) as a virtual machine (at least, I certainly couldn't find that option, and nothing in the Virtualization menu indicated such facilities). All this program allows you to do is copy/restore/backup partitions/disks, or sysprep an image (something Microsoft's own sysprep tool does).

I am therefore left a little bewildered as to the point of this, especially given their Partition Manager, System Backup, Drive Backup etc software, already allows you to do everything this one does.

I'm going to check its sysprep abilities as soon as I get back home on Monday/Tuesday, but as far as virtualization goes, I'd suggest you stick to the current offerings such as VirtualBox, Microsoft Virtual PC, MobaLiveCD, VMware et al.

Full Circle Magazine: Issue 37

Full Circle issue #37 is out with a review of Lubuntu, more programming in Python, talk about streaming media, and more. Don’t forget to listen to the latest episode of our companion podcast for the full FCM experience!

This month:

- Command and Conquer.
- How-To : Program in Python – Part 11, Adding Screenlets, and Streaming Media.
- Review – Lubuntu.
- MOTU Interview – Stefan Lesicnik.
- Top 5 – Tiling Window Managers.
- plus: Ubuntu Women, Ubuntu Games, My Opinion, My Story, and all the usual goodness!

Read more
http://fullcirclemagazine.org/2010/05/28/come-and-get-issue-37/

Get it while it's hot!
http://fullcirclemagazine.org/issue-37/

Issues 0 - Current
http://fullcirclemagazine.org/downloads/

Forums:
http://ubuntuforums.org/forumdisplay.php?f=270

Wiki:
http://wiki.ubuntu.com/UbuntuMagazine

Friday 28 May 2010

WARNING: Blackhat SEO turns (once again) to exploits

Not content with serving up fake AVs and the like, it seems one of the blackhat SEO gangs has once again turned to serving up exploits instead. Obviously this leads to a fake AV infection as well, but I thought this worth mentioning.

The story starts, not surprisingly, at Google, where you're searching for your favourite TV show, news clip, or something completely random, such as why you always wake up on the right side of the bed when going to sleep on the left.

You find a result and go "Ooooh, that'll have my answer", and go clickity click - but woops! You find yourself going through the recognizable MITM (man in the middle), in this case typeforman.net (195.88.144.80 - Failed resolution, AS48984 195.88.144.0/23 VLAF-AS Vlaf Processing Ltd), and on to an exploit, in this case at splitssoft.com (91.188.59.55 - Failed resolution, AS6851 91.188.32.0/19 BKCNET _SIA_ IZZI) and vvvne.in (91.188.59.55 - Failed resolution, AS6851 91.188.32.0/19 BKCNET _SIA_ IZZI).



I've added the domains involved to MDL and hpHosts, and Malwarebytes Anti-Malware users will be pleased to know the IPs involved are already blocked by the IP Protection facility.

For those wanting samples, the headers are below.

shirleybarbers.com/polwe/xgfedn.php?jx=716054

http://typeforman.net/in.cgi?12
http://typeforman.net/redirect3/
http://splitssoft.com/x/?src=dg&id=20758


HTTP/1.1 302 Moved Temporarily
Date: Fri, 28 May 2010 10:03:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.12
Location: http://typeforman.net/in.cgi?12
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:01:30 GMT
Server: Apache/2
Set-Cookie: SL_12_0000=_1_; domain=typeforman.net; path=/; expires=Sat, 29-May-2010 10:01:30 GMT
Location: http://typeforman.net/redirect3/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:01:30 GMT
Server: Apache/2
Location: http://splitssoft.com/x/?src=dg&id=20758
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 28 May 2010 10:03:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.2-0.dotdeb.2
Set-Cookie: bmb=1275041000; expires=Fri, 04-Jun-2010 10:03:20 GMT; path=/; domain=splitssoft.com


magnusbystrom.com/qosbi/hwsqbs.php?n=318039

http://typeforman.net/in.cgi?9
http://typeforman.net/redirect3/
http://splitssoft.com/x/?src=dg&id=20758


HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:59:30 GMT
Server: Apache/1.3.41
X-Powered-By: PHP/5.2.10
Location: http://typeforman.net/in.cgi?9
Connection: close
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:57:41 GMT
Server: Apache/2
Set-Cookie: SL_9_0000=_1_; domain=typeforman.net; path=/; expires=Sat, 29-May-2010 10:57:41 GMT
Location: http://typeforman.net/redirect3/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:57:41 GMT
Server: Apache/2
Location: http://splitssoft.com/x/?src=dg&id=20758
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 28 May 2010 10:59:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.2-0.dotdeb.2
Set-Cookie: bmb=1275044372; expires=Fri, 04-Jun-2010 10:59:32 GMT; path=/; domain=splitssoft.com


These are only allowing access once per IP, so you'll find the vURL Online results for the doorway pages below (I don't have caching written in for vURL Online yet, but in case you'd like it, the URL to the vURL dissection for this is http://vurldissect.co.uk/?url=1355697).
http://it-mate.co.uk/temp/vURL_Online_results_-_shirleybarbers_com.pdf
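Because the gate only lets each IP through once, the header dumps above are worth more than a second visit would be. This added example (my code, not anything from the post or from vURL Online) parses captured response heads like those quoted, follows the Location chain from the doorway page to the exploit host without touching the network, and records which host set which cookie (the SL_12_0000 marker from typeforman.net and bmb from splitssoft.com). The sample responses are constructed from the first header set above, trimmed to the fields used; the doorway URL is given the http:// scheme the post omits.

```python
import re
from urllib.parse import urljoin, urlparse

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")

# Doorway URL from the post, with the http:// scheme the post omits.
DOORWAY_URL = "http://shirleybarbers.com/polwe/xgfedn.php?jx=716054"

# Constructed sample: the first header set quoted in the post, trimmed to the
# fields this example uses. responses[i] is the reply to the i-th request.
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: http://typeforman.net/in.cgi?12\r\n"
    "Content-Type: text/html\r\n\r\n",

    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: SL_12_0000=_1_; domain=typeforman.net; path=/; "
    "expires=Sat, 29-May-2010 10:01:30 GMT\r\n"
    "Location: http://typeforman.net/redirect3/\r\n\r\n",

    "HTTP/1.1 302 Found\r\n"
    "Location: http://splitssoft.com/x/?src=dg&id=20758\r\n\r\n",

    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.6.32\r\n"
    "Set-Cookie: bmb=1275041000; expires=Fri, 04-Jun-2010 10:03:20 GMT; "
    "path=/; domain=splitssoft.com\r\n\r\n",
]


def parse_response(raw):
    """Split a raw response head into (status_code, [(name, value), ...]).

    Header names are lower-cased; repeated headers (e.g. Set-Cookie) are kept.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return int(m.group(1)), headers


def walk_chain(start_url, responses, max_hops=10):
    """Replay a captured redirect chain without touching the network.

    Returns the URLs requested in order, the distinct hosts in that order,
    (host, cookie_name) for every cookie a hop tried to set, and the final
    status code. max_hops guards against a captured redirect loop.
    """
    urls = [start_url]
    cookies = []
    status = None
    for raw in responses[:max_hops]:
        status, headers = parse_response(raw)
        current = urls[-1]
        host = urlparse(current).hostname
        for name, value in headers:
            if name == "set-cookie":
                cookies.append((host, value.split("=", 1)[0].strip()))
        if not 300 <= status < 400:
            break                     # landed: exploit page, 404, etc.
        location = next((v for n, v in headers if n == "location"), None)
        if location is None:
            break                     # 3xx without Location: dead end
        urls.append(urljoin(current, location))   # handles relative Location
    hosts = []
    for u in urls:
        h = urlparse(u).hostname
        if h not in hosts:
            hosts.append(h)
    return {"urls": urls, "hosts": hosts, "cookies": cookies, "status": status}


if __name__ == "__main__":
    chain = walk_chain(DOORWAY_URL, SAMPLE_RESPONSES)
    for i, u in enumerate(chain["urls"]):
        print("%d: %s" % (i, u))
    print("hosts to block/report:", ", ".join(chain["hosts"]))
    print("cookies set:", chain["cookies"])
```

The hosts list is what goes into a blocklist or abuse report; the cookies list shows which hop is the traffic-direction system (the one setting a per-visitor marker) and which is the landing page, which is useful when the same redirector fronts several exploit hosts.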

The exploits they're using include:

MSOfficeWebComponents
Snapshot Viewer Control
Acrobat PDF
MDAC (Microsoft Data Access Components)
Java Deployment Kit

Sunday 23 May 2010

INFO: Malwaredomainlist.com is back

Just a note folks. The maintenance took less time than expected, so MDL is now back online :o)

Eset, Star Wars, dot.tk and rogues ....

On the hunt as usual, I came across yet another rogue, again using xorg.pl etc via blackhat SEO, but using .tk domains (surprise surprise). What I did find rather humorous however, was a javascript file that was loaded.

The javascript contained a lovely little snippet, and a note for the folks over at Eset (though evidently, the bad guys got their Star Wars and Star Trek mixed up, as it was the Borg that said Resistance is futile - not anyone from Star Wars);

/*hello nod32 guys; the force is strong with u, young Padawans, but u won't defeat us; any resistance is futile;*/


The file in question;

hxxp://www2.megosave2.tk/107ad6ae3feaa24b00263864f0be76edbcf43009611.js

I did some checking, and not surprisingly, there's a lot more than this one that's been created (I've already dropped abuse reports to dot.tk), including:

http://www2.megosave1.tk
http://www2.megosave2.tk
http://www2.megosave3.tk
http://www2.megosave4.tk
http://www2.megosave5.tk
http://www2.megosave6.tk
http://www2.megosave7.tk
http://www2.megosave8.tk
http://www2.megosave9.tk
http://www1.allclearnow1.tk
http://www1.allclearnow2.tk
http://www1.allclearnow3.tk
http://www1.allclearnow4.tk
http://www1.allclearnow5.tk
http://www1.allclearnow6.tk
http://www1.allclearnow7.tk


I've got a verification going to ID any more of these. Until dot.tk change their policy of not taking down domains that the registrant has paid them for, I feel pretty confident that we're going to see more and more .tk domains involved in criminal activity.

As far as the IPs involved, you'll no doubt have guessed that it's the usual suspects;

44565 188.124.5.0/24 VITAL TEKNOLOJI
49981 217.23.0.0/20 WORLDSTREAM
31252 195.5.161.0/24 STARNET-AS StarNet Moldova
47869 94.228.208.0/20 NETROUTING-AS Netrouting Data Facilities

If you've not already, feel free to blackhole the lot of them (and until dot.tk change their policy, you might want to consider a blanket block on the entire Tokelau TLD - money should never come before user safety).

References

dot.tk: Use and abuse us as you wish
http://hphosts.blogspot.com/2009/12/dottk-use-and-abuse-us-as-you-wish.html

Crimeware friendly ISPs: xorg.pl
http://hphosts.blogspot.com/2010/04/crimeware-friendly-isps-xorgpl.html

Friday 21 May 2010

hpHOSTS - UPDATED May 21st, 2010

The hpHOSTS Hosts file has been updated. There is now a total of 125,099 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 21/05/2010 18:20
  2. Last Verified: 20/05/2010 16:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Planned outage: Malware Domain List

Just a note folks. Malware Domain list will be unavailable from May 21st (1700 EDT) until Monday 24th (1700 EDT).

Wednesday 19 May 2010

3FN (APS Telecom) shut down

I have just one thing to say - it's about bleedin time!

http://sunbeltblog.blogspot.com/2010/05/us-federal-judge-shuts-down-3fn-levies.html

References:

Reporting abuse to APS Telecom/3FN? Your wasting your time
http://hphosts.blogspot.com/2008/10/reporting-abuse-to-aps-telecom3fn-your.html

APS Telecom/3FN have some explaining to do
http://hphosts.blogspot.com/2008/10/aps-telecom3fn-have-some-explaining-to.html

Tuesday 18 May 2010

AS50896 PROXIEZ – Overview of a Crime Server

At 9:00am EST on Friday May 14th AS50896 PROXIEZ lost its ability to infect the Internet. To avoid confusion there were ‘unsuccessful’ attempts to reconnect on Saturday & Sunday May 15/16th. This is where there may have been reports of connections to bots and Malware being still alive.

The upstream peer AS50818 DIGERNET was also disconnected from the Internet @ 10:30am EST on Friday May 14th. AS50908 EVAUA (InfoPlus Ltd.) is currently attempting to serve the Zeus C&Cs as a replacement for Proxiez.


Read more
http://hostexploit.com/blog/14-reports/3512-as50896-proxiez-overview-of-a-crime-server.html

Friday 14 May 2010

AnchorFree: HotSpot Shield - Nice try

AnchorFree have responded to Sunbelt's blog concerning the adware nature of their software/service, and hilariously, have failed miserably.

Read more at;

http://sunbeltblog.blogspot.com/2010/05/anchorfree-responds-on-hotspot-shield.html

Cybercrime: The Franchise

Do-it-yourself cyber-crime kits have emerged for the average PC user, with built-in anti-virus protection and complete online security avoidance features.

Once upon a time, professional hackers needed the skills of willing script kiddies to exploit your PC or enterprise. Then along came the exploit kit, such as the “MPack,” courtesy of the RBN (Russian Business Network), and a new business enterprise was born.

Today, a new generation of exploits is available in off-the-peg kits requiring no more operational skill than that of a competent user.

One of the latest headline victims of an exploit kit was the US Treasury Website. Panda Security detailed how it happened -- and how a new generation of kits or packs can identify security vulnerabilities, select the preferred method of intrusion, and carry out the exploit, whether that be by PDF, an embedded iframe, or any other chosen method of exploitation.


Read more
http://www.internetevolution.com/author.asp?section_id=717&doc_id=191997

Thursday 13 May 2010

Hotspot Shield: What part of “no adware” don’t you understand?

We’ve gotten some inquiries about why VIPRE has been detecting Hotspot Shield (http://www.hotspotshield.com/) as adware since May 4. Some thought it might be a false positive. It isn’t.

The Hotspot Shield web site carries the below graphic that says “NO spyware / adware.”


Well just SAYING “NO spyware / adware” doesn’t make it happen.

Here’s what the Hotspot Shield “terms of service” say (http://hotspotshield.com/terms/):


Read more
http://sunbeltblog.blogspot.com/2010/05/what-part-of-no-adware-dont-you.html

CyberDefender Corporation: Lessons in intimidation

It would seem CyberDefender Corporation still haven't learnt from the already huge amount of bad publicity they've received from a plethora of avenues, as they are yet again going after someone with their law firm for publishing their findings and opinions. This time, it's Allen Harkleroad from statesboro.biz.

A week or two ago I (Allen Harkleroad) expressed my personal opinion of MyCleanPC and DoubleMySpeed, which by the way are owned by the CyberDefender Corporation.

While in the past legal threats and legal intimidation may have served CyberDefender well in regards to stifling consumers and individuals public opinions. However, such threats do not work on me as everyone involved will soon find out. I will speak and/or publish my opinions of businesses as I see fit without fear of prosecution or persecution.

CyberDefender Corporation and the law firm that represents them (Catanese & Wells of Westlake Village, California) must have never heard of a US Citizens 1st Amendment freedom of speech rights. I intend to educate all of the involved parties as to what the first amendment is and what it covers.


Read more
http://statesboro.biz/News/482/CyberDefender-Corp-MyCleanPC-DoubleMySpeed-and-Catanese-and-Wells-Never-Heard-of-the-1st-Amendment.aspx

Hat tip to "John D's Computer and Network services" for the heads up.

References

CyberDefender: Oh dear, here we go again
http://hphosts.blogspot.com/2009/10/cyberdefender-oh-dear-here-we-go-again.html

CyberDefender update: Sort of happy news!
http://hphosts.blogspot.com/2009/04/cyberdefender-update-sort-of-happy-news.html

CyberDefender: Want your money back? Forget it!
http://hphosts.blogspot.com/2009/03/cyberdefender-want-your-money-back.html

Rogue company, CyberDefender, uses MBAM to clean infections
http://hphosts.blogspot.com/2009/03/rogue-company-cyberdefender-uses-mbam.html

CyberDefender: Early Deceit
http://mysteryfcm.co.uk/?mode=Articles&date=17-04-2007

CyberDefender and it’s adverts!
http://www.securitycadets.com/2007/05/cyberdefender-and-its-adverts/

Sunday 2 May 2010

Misleading marketing: Fake IM advert - Déjà Vu


Mindspark/IAC: Misleading marketing (again)

Investigating malware, I was led to a URL at mediafire.com, a file sharing site similar to RapidShare, that is intent on shoving popups in your face.

What (didn't) surprise me however, was an advert claiming to be an IM chat (yes of course it is), loaded via:

http://ad.xtendmedia.com/rw?title=New%20offer%21&qs=iframe3%3FJyUgAJKsCwA7WEoAAAAAAOUyFAAAAAAAAgAAAAAAAAAAAP8AAAABFGGqDAAAAAAA7IQXAAAAAABUaBsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwHAIAAAAAAAICAwAAAAAAAAAAAAAAAAAAAETEdQfxPwAAAAAAAAAAAAAcR8Rh%2ED8AAAAAAAAAAAAAaC%2EY6wJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADUhB1RY6gmCHT9mTt993ypsMbxIcNzPpUtgdSEAAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Emediafire%2Ecom%252F%253F2nyneotbnwh%2CZ%253D0x0%2526y%253D28%2526s%253D765074%2526%5Fsalt%253D1263203474%2526B%253D10%2526r%253D1%2C42067dc2%2D5618%2D11df%2Da677%2D001d0963f677

This "advert" displayed what you see in the screenshot to the top left. Where did this lead you ask? Well as you've probably guessed by the title - it led me to myfuncards.com, a website owned by Mindspark/IAC, that peddles the likes of SmileyCentral and MyFunCards - collectively known as "Fun Web Products" (FYI: they're anything *but* "fun" for your computer or privacy).

Whilst not surprised to see this kind of advert loading that directs to them, it has to be asked why they've still not learnt that this kind of behaviour is just one of the reasons that many of us both have them blocked for those using our services and recommend people stay as far away from them as possible.

I've dropped an e-mail over to Kirk Lawrence at Mindspark, to see if we can get an explanation for this particular incident.