Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 30 July 2013

Oh dear ... Yelena Mizulina outdoes Cameron!

Just when you thought it couldn't get stupider than Cameron's imposing of the smut ban in the UK, this Russian politico has decided to out-do Cameron in the "yep, we can be even more brainless!" stakes.

http://www.theregister.co.uk/2013/07/29/russia_to_ban_swearing_on_social_networks_good_luck/

This woman has clearly never seen some of the Russian and Ruskranian blackhat forums I monitor (or, for that matter, the majority of forums, social networks etc.).

Thursday 25 July 2013

[ALERT] Fake Google Chrome, and yet more malicious SysTweak shenanigans again

Looking up the POST beep codes for a Sony Vaio led me to a thread on sevenforums.com a few minutes ago, which, rather disgustingly (I'd say surprisingly, but I'm not surprised by SysTweak's ongoing badness any more; they've been at it so long), led to four more examples of misleading advertising: one belonging to SparkTrust, and three others belonging to SysTweak.

The first [1] of these is at least slightly better, though not because it isn't misleading (it definitely is: no outline around the ad, despite a little icon showing it belongs to an AdChoices ad, and a claim of being free when it isn't). This one belongs to SparkTrust, another company with a history of such behaviour.

The second [2] of these is a link that appears to be part of the signature of one of the responders on the forum, but those of us who have been monitoring this for more than 5 minutes can easily identify its actual origin.

The third [3] and fourth are yet more SysTweak adverts, using poor attempts to appear as part of the page (note specifically both the lack of a clear outline around the ad and the placement of the thread's title directly above each instance of the offending ads, at the top and bottom of the page).



And the offending URLs (the first three are the SysTweak ads, the fourth is the SparkTrust ad):



In these cases, sevenforums.com themselves must share the blame, at least partly: they're the ones who chose not only the placement of the offending ads, but also to further mislead people by putting an icon and "Recommended Fix:" next to the top and bottom links for SysTweak. Shame on you!

We also have a case of PPI (pay per install) companies using even worse methods to peddle their adware and such; this time it's a fake Google Chrome:

googlechrome2013.com
IP: 208.113.174.122 (apache2-quell.sprite.dreamhost.com)
AS: 26347 DREAMHOST-AS - New Dream Network, LLC




The download button leads to (offender: DomaIQ):

hxxp://dls.nicdls.com/d/109/google-chrome/204/446

This is a direct download: no landing pages, nothing. So far, two different MZs (google-chrome.exe, downloaded July 11th, and google-chrome(2).exe, downloaded a few minutes ago), but I suspect there are more.

File    MD5    Size
/malware/dls.nicdls.com/google-chrome(2).exe    10095b71d0a9979b6e6b61a635ac713a    541.91 KB
/malware/dls.nicdls.com/google-chrome.exe    8e50c65c85f37580238624bc2bbc6b6b    222.29 KB


Downloads are detected, thankfully, with the detection name varying by vendor. Malwarebytes users will see it detected as Adware.DomaIQ. However, you'll notice the second file served is showing far fewer detections than the one downloaded a few days ago, which shows the W3i/DomaIQ miscreants are modifying the installer, and likely (only a suspicion at present) doing so to prevent flagging.

google-chrome(2).exe - https://www.virustotal.com/en/file/a48d285871ed7d9cc1abde280015500608ae4aa7f3cebe054123df2278fd4cf3/analysis/1374759940/

google-chrome.exe - https://www.virustotal.com/en/file/38f7cff6d599efd4de1d155835b9489e1342d2c214225167bda32d8b4790805d/analysis/1374759948/

I'm going for takedown of this and other offending domains, but in the meantime, you'll want to block the IPs involved.

Monday 22 July 2013

Alert: (Yet more) misleading adverts [iLivid, Tuguu]

One of these days (yep, daydreaming again), I'll go on a little virtual walk and not bounce off misleading adverts such as the following. All were found in the usual places (adf.ly, adfoc.us) and on sites engaged in scamming (watchfreemovies.ch, found whilst investigating another site).



The award for the most disgusting scareware advert goes, surprise surprise, to SysTweak, who are responsible for the latter of the above.

The offending ad networks include:

a.adorika.net
webtrackerplus.com
network.adsmarket.com
ad.yieldmanager.com
ad.xtendmedia.com


I know what most of you are likely thinking: tell us something we don't know. Well, I'm afraid I can't. It's simply blatant misleading adverts, used to push bundleware rubbish. Needless to say, avoid them like the plague they are (those using ad blockers, HOSTS files etc. shouldn't see these).

Offending URLs:



Friday 12 July 2013

SysTweak: Misleading marketing via Speedtest.net

Had my lines upgraded to fibre recently, and did a couple of speed tests on speedtest.net. Disappointingly, it seems speedtest.net are allowing misleading adverts such as the following:



These lead to:

hxxp://www.systweak.com/registryCleaner/newst/1/?xat=RC1;GB;L;1

Which in turn leads to hxxp://sr.systweak.com/speedtest/rcp/?x-at=RC1;GB;L;1 -> hxxp://sr.systweak.com/speedtest/rcp/rcpsetup/rcpsetupst_RC1_GB_L_1.exe

In this case, the advert is Flash, and comes from:

hxxp://ads.ookla.com/www/delivery/ck.php?oaparams=2__bannerid=9314__zoneid=42__cb=26d3e6fd47__oadest=http%3A%2F%2Fwww.systweak.com%2FregistryCleaner%2Fnewst%2F1%2F%3Fxat%3DRC1%3BGB%3BL%3B1

hpHosts users won't see this advert as ads.ookla.com is already blocked by the hpHosts HOSTS file.
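The chain above (ad server -> affiliate or tracker -> vendor) is exactly what a HOSTS entry interrupts: block the first hop and the user never reaches the installer. As an added example (not hpHosts' own code), the following unwraps the destination parameters that click-tracker URLs embed and reports which hop a HOSTS blocklist would stop. It uses the `oadest` parameter from the ads.ookla.com URL quoted above; the `adurl` and `redirectto` names and the DoubleClick-style sample URL are assumptions, constructed to show the general case where an unencoded nested URL carries its own `&` parameters.

```python
"""Unwrap ad-click redirect chains and check each hop against a HOSTS blocklist (added example)."""
import re
from urllib.parse import urlsplit, unquote
# Parameters that carry the real destination: 'oadest' is what the ads.ookla.com URL uses
# (OpenX style, '__'-delimited inside 'oaparams'); 'adurl' and 'redirectto' are assumed names.
REDIRECT_KEYS = ("oadest", "adurl", "redirectto")

def next_hop(url):
    """Return the destination URL embedded in a click-tracker URL, or None."""
    query = urlsplit(url).query
    for key in REDIRECT_KEYS:
        m = re.search(r"(?:^|[&_])%s=(.*)" % key, query)
        if not m:
            continue
        rest = m.group(1)
        if rest.lower().startswith(("http://", "https://")):
            # Unencoded destination: later '&' pairs belong to it, so don't cut at the next '&'.
            return rest
        if rest.lower().startswith(("http%3a", "https%3a")):
            return unquote(rest.split("&", 1)[0])  # encoded: ends at the outer query's '&'
    return None

def unwrap_chain(url, max_hops=8):
    """Follow embedded destinations; return the hostnames visited, in order."""
    hops = [re.sub(r"^hxxp", "http", url, flags=re.I)]  # refang 'hxxp://' indicators
    while len(hops) < max_hops and (nxt := next_hop(hops[-1])) is not None:
        hops.append(nxt)
    return [urlsplit(h).netloc.lower() for h in hops]

def parse_hosts(text):
    """Hostnames from HOSTS-file text ('127.0.0.1 host ...', '#' comments)."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        blocked.update(h.lower() for h in fields[1:])  # skip the address column
    return blocked

def first_blocked_hop(hosts, blocked):
    """Index of the first hop the blocklist stops, or None if the chain completes."""
    return next((i for i, h in enumerate(hosts) if h in blocked), None)

# Constructed inputs: the ads.ookla.com click URL quoted in the post, and a DoubleClick-style
# URL whose unencoded 'adurl' is an affiliate URL that itself carries an encoded 'redirectto'.
OOKLA = ("hxxp://ads.ookla.com/www/delivery/ck.php?oaparams=2__bannerid=9314__zoneid=42__cb="
         "26d3e6fd47__oadest=http%3A%2F%2Fwww.systweak.com%2FregistryCleaner%2Fnewst%2F1%2F"
         "%3Fxat%3DRC1%3BGB%3BL%3B1")
DOUBLECLICK = ("hxxp://adclick.g.doubleclick.net/aclk?sa=L&ai=CONSTRUCTED&adurl=https://systweak"
               ".cleverbridge.com/cookie?affiliate=0000&x-at=EXAMPLE&redirectto=http%3a%2f%2f"
               "systweak.com%2fregistrycleaner%2fsf%2f&product=1")
HOSTS = "# constructed HOSTS excerpt\n127.0.0.1 ads.ookla.com\n127.0.0.1 a.adorika.net\n"
```

Run `first_blocked_hop(unwrap_chain(OOKLA), parse_hosts(HOSTS))` and the ookla chain is stopped at hop 0, while the DoubleClick-style chain returns None because none of its three hosts is in the constructed blocklist.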