Blog for hpHosts, and whatever else I feel like writing about ....

Saturday, 28 February 2009

Full Circle Magazine: Issue 22

Another month gone by, so you know what that means! Another issue of FCM. This month, we have:
  1. Command and Conquer - Resizing Images With FFMPEG.
  2. How-To : Program in C - Part 6, Web Development - Part 3
  3. Installing CrunchEEE To The EEE PC, and Spreading Ubuntu.
  4. My Story - Making The Switch
  5. Book Review - Ubuntu For Non-Geeks 3rd Edition
  6. MOTU Interview - Emanuele Gentili
  7. Top 5 - DVD Rippers
  8. PLUS: all the usual goodness…

Read More

Get it while it's hot!

Issues 0 - Current



Friday, 27 February 2009

Bad Actors Part 4 - HostFresh

Bad Actors Part 4 - HostFresh

There was an excellent report published in 2008 by HostExploit that showed the connections between Atrivo and those for whom it provided downstream services. One of those such customers was a Chinese provider called HostFresh. I thought it might be interesting to look at two IP blocks which were previously part of the Atrivo network - and - but are now routed by others.

Below we can see the information registered about HostFresh:

aut-num: AS23898
descr: HostFresh Internet
descr: Internet Service Provider
country: HK

I encourage you to read the blog archive and review parts 1, 2, and 3 of this series to familiarize yourself with the format.

Read the full story

Beijing's Top Internet Spy Arrested

The head of the internet monitoring department of Beijing's Municipal Public Security Bureau was arrested on suspicion of taking more than RMB 40 million ($5.8 million) in bribes to help an anti-virus company defeat its competitor. Yu Bing, whose bureau monitors e-mail and web usage in the country as part of China's Great Firewall surveillance system, is accused of taking money from Rising, an anti-virus firm, to frame an executive at its competitor, Micropoint Technology. A vice president of Rising has been arrested as well under suspicion of bribing Yu. Yu and fellow police officers allegedly manufactured evidence against Micropoint Vice President Tian Yakui proving that he spread computer viruses and broke into a computer system to steal trade secrets. Tian reportedly spent 11 months in prison on the charges, and Micropoint encountered three years of obstacles to launch its anti-virus software. Tian was targeted apparently because he was a former vice president at Rising who left the company with Rising's former managing director to build Micropoint.

Micropoint is planning to sue Rising for an estimated RMB 30 million ($4.3 million) in losses.

Rising has fired back at the allegations accusing Micropoint of manufacturing the claims to ruin Rising.

Read the full article

Kudos to MAD for the heads up!

Thursday, 26 February 2009

Astaro Security Gateway Free Home Edition

Haven't tried this myself yet, but it looks promising, and the free home version covers 10 machines, which is more than enough for most :o)

What Is It?

The Astaro Security Gateway Home Edition is a free license for full network protection (Network, Web and Mail Security) without any runtime restrictions. In contrast to a commercial license however, it is limited to 10 Users.

The term “users” in the sense of ASG software licensing refers to workstations, clients, servers and other devices which have an IP address and are protected by the Astaro Gateway. No differentiation is made whether the “user” is communicating with the Internet or with a device in another LAN segment. DNS or DHCP gateway queries are also counted, as is the use of proxies.

Spambot Search Tool v0.23

This release incorporates fixes, modifications and an addition, all of which are listed below.

Version: 0.23

Date: 25-02-2009

+ Added error handling in case file_put_contents() is not available (used for the counter and dumping results to text file)
+ Added error handling in case get_headers() is not available (used for the isURLOnline() function)

Special thanks to ShadowPuterDude ( for reporting these issues to me

Date: 26-02-2009

+ Added error handling in case SBST is forced to use PHP 5 on a system with PHP4 + 5 via .htaccess
* Modified check_spammers.php so the SimpleXMLElement availability check is done prior to the queries running
* Modified isURLOnline to check for PHP5 (skips and defaults to true if < PHP 5)

Special thanks to ShadowPuterDude ( for reporting the above issues to me

+ Added selective matching so you can have the SBST block only if more than one of the spammers details match (see config.php) (requested)


Wednesday, 25 February 2009

PCButts now serving malware via

This clown has a history of being an absolute tosser going back years, for everything from theft of other people's code and programs, to claiming to be an MVP when infact he isn't, and never has been.

Now it seems, he's not happy with everything he's already doing, and has gone one step further. I'll let Mike fill you in on the details;

Recently I was advised of a new site ( that is redirecting to pcbutts1 .com ... which I have mentioned before, due to the fact that it was a rip-off of my HOSTS file ... as well as many other files that Butts falsely lays claim to ...

Let's take a "Google" look ... shall we ...

Spambot Search Tool - Patch for those without get_headers() and/or file_put_contents()

The following is for those without get_headers() and/or file_put_contents() available and contains ONLY the patched files. Just extract the zip and overwrite the existing copy of the files.

Tuesday, 24 February 2009

Javeline Spins an Identity Theft Survey

Kevin Poulsen at Wired Debunked Javeline's Identity Theft Report already, but I can't help myself from lending an outraged voice to the matter.

I'm not sure if I've ever seen such a blatant spinning of the facts to meet the desires of a research sponsor. Read this statement from Javelin's report, which was funded by Wells Fargo and Intersections, Inc., an online identity protection company:

"Despite the hefty blame - largely perpetuated by the media - placed on the Internet and cyber-crime, online identity theft methods (phishing, hacking and malware) only accounted for 11% of fraud cases in 2008."

How did they reach that absolutely amazing and so absolutely inaccurate statement? server down for maintenance

Just a note folks, the fSpamlist server will be down for approx 15-20 mins for maintenance.

hpHosts network down

Just a note folks, the hpHosts network is down (as of approx 10 mins ago), I am aware of it and am doing everything I can to get it back online ASAP.

Unfortunately, this also means SMTP for the sGB etc sites, are also down.

Sunday, 22 February 2009

Spambot Search Tool v0.22

Spambot Search Tool v0.22 has been released.


+ Added function to check if server is online
+ Added notes to top of all files
* Moved getURL function to functions.php
* Re-written e-mail validation as a function and moved to functions.php
* Replaced IP validation with function by Mike (
* Moved old IP validation routine to functions.php and re-written as function
* Partial re-write of Spamhaus query routine in check_spammers_plain.php
* Fixed fSpamList SimpleXMLElement check (was only checking $xml->Email instead of all 3)
* Modified ProjectHoneyPot query so "Search Engine" and "Suspicious" aren't flagged when using check_spammers_plain.php
* Fixed SpamHaus query so PBL and CBL aren't flagged when using check_spammers_plain.php


Waledac Theme - Couponizer

It appears that the Waledac authors have decided the share the "love" theme has worn itself out, and have updated the website template to a new theme I have titled the "Couponizer". This new theme is right inline with the "sharing" social engineering trickery we have grown to expect from malware authors. This theme offers to share with you the unsuspecting website visitor money saving coupons that can only be found by downloading and installing their binary, which is really the Waledac Trojan. So instead of them sharing money saving coupons, the end user ends up sharing their bandwidth with the Waledac authors to aid in distributing more of these money saving spam emails and other spamming campaigns. All of this of course in done free of charge to the compromised host, unless your paying for bandwidth under a pay per usage format. Ouch, if you are having to use one of these outdated plans as I can only hope those types plans have long disappeared for your normal residential service connections. Imagine your phone bill if Waledac could infect your handheld device and utilize minutes on your wireless data plan. Not a pretty picture if you ask me.

Read the full story

Saturday, 21 February 2009

Outlook Export 0.1.6

Version: 0.1.6

Added: Auto-launch Outlook if it's not already loaded
Added: Ignore e-mails with ceritificate errors

KBID #258527 Your digital ID name cannot be found by the underlying security system

hpObserver 0.5.1

Version: 0.5.1

Added: Enable/disable auto-save

Fixed: Issue with logging routine not writing to correct file


Friday, 20 February 2009

RapidSwitch customers still involved in SMS Fraud ......

The second issue is a little different. We’ve noticed a site registered with a name that suggests it belongs to ESET, offering downloads of what are claimed to be downloads of not only our products, but those of a number of other major antimalware companies. In fact, the binary turns out to be an NSIS script that instructs the recipient to send a short code to a premium-rate texting service. (Nullsoft Scriptable Install System (NSIS) is a freely-available script-driven Windows installation system.) We see frequent complaints about such services apparently charging randomly for unrequested downloads such as ring tones, screensavers and so on.

Read the full article

I blogged about this in late 2008, and RapidSwitch are still the scum that are hosting a whole slew of these (nice to know they give a toss);

Spam Bot Search Tool v0.21

I've released this in response to SFS being down. All that's been added is the ability to enable/disable the checking of SFS or FSL.

To disable a database, open config.php and set the respective variable to false, for example, to disable StopForumSpam;

$CheckSFS = FALSE;

Download v0.21

StopForumSpam offline

Just a note folks, if you try accessing the StopForumSpam website, you're going to notice the following;

Bandwidth Limit Exceeded

The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.

Not sure when it's coming back, but hopefully it'll not be offline for long.

Something tells me we're going to have to find SFS a new/additional home.


It appears their being down is breaking the Spambot Search Tool (not sure why as it should be skipping over it if it's not available, I'll have to look into that)


SFS is back online folks :)

Thursday, 19 February 2009

Microsoft Knowledge Base Articles Moving

Microsoft is moving its Developer & IT Professional primary support content (also known as Knowledge Base – or KB - articles) from Web site to MSDN and TechNet, respectively. This move is to ensure that Developers and IT Professionals will see support information in the places they would most likely to be looking for it – and so that other, relevant or associated information can be more easily exposed alongside it.

With this shift, you’ll see a number of changes:

· All Web sites that provide support for IT Professionals and Developers will now be directed to MSDN or TechNet.

· The initial implementation begins on February 17, 2009 with the pilot launch of 20 support articles (KBs) in English and Japanese. When the team is satisfied that major search engines are picking up these changes in search results (which should be no later than February 28, 2009), we will than add more than 55,000 articles in Chinese-Traditional, Chinese-Simplified, English, French, German, Italian, Japanese, Korean, Portuguese-Brazil, Russian and Spanish.

· Security/hotfix articles will not move to MSDN and TechNet immediately, although all IT Professional and Developer content will eventually move to MSDN or TechNet.

Read the full article at:

Thanks to Corrine for the heads up.

Orca Browser 1.1 RC4

No official change log for this, but what the heck ......



/edit 200209 - Changelog now available

Here is the changelog:

*Fixed the thumbnails preview issue with vista
*Fixed the bug that Orca would exit with fatal memory error
*Fixed the focus problem when creating new tabs with double click
+Added more languages for webpage translation
+Added option to use firefox’s password manager

Wednesday, 18 February 2009

MailWasher Pro needs Beta testers!

Go on, you know you want to!

Let’s face it, beta testing software is not very sexy, especially with the kinds of qualities that work well when dealing with software companies directly, providing them feedback and thoughts on aspects that can be improved.
  1. You are asked to install large Microsoft Frameworks which only run on XP, Vista and Windows 7.
  2. You are asked to join online forums to manage the feedback.
  3. You are asked to submit surveys, which means removing settings and options, adding them back in, setting up your software again and again.
  4. You are asked to document your processes, making little notes on small and otherwise insignificant things.
  5. You are expected to have a decent enough knowledge about computers and software to troubleshoot issues yourself, reliably reproduce bugs or errant behaviour.
  6. You need to be outspoken enough to voice your suggestions, and stick up for them when others disagree, but be able to take things well enough so that you do not get offended when others don’t share your views.
So if that wasn’t tough enough finding people with enough time to do this, we are in the process of rewriting MailWasher Pro from scratch. That means chucking out tens of thousands lines of code, work that has taken many programmers years and just saying “Bugger it, let’s do it again”

Read the full article:

Spambot Search Tool v0.20

I am happy to announce v0.20 of the Spambot Search Tool has now been released. Changes in this version include;

* Fixed $bln_SaveToFile ignored when set to false
* Moved version history from config.php to history.txt

- Removed fSpamlist submission routine from check_spammers.php for those that want to test it via the web interface


+ Added counter routine (requested)
+ Added simple e-mail validation (also does IP lookup to ensure the hostname actually resolves - it's not a valid e-mail if it doesn't)
+ Added simple IP validation
+ Added Version History link to index.php footer (next to "Get the code!")
+ Added spammers blocked (next to "Version History")

Overview & Download

hpHosts - Download list of ad/tracking servers only

Someone requested I add an option for this at the beginning of February, and instead of providing a seperate file, I thought it best to provide the same kind of file as is available for the hpHosts Partial file.

As of today, you can now download a list of hostnames within the hpHosts database that have the ATS classification. This list excludes ALL others in the database (including those without a classification).

The file is listed under "Additional Downloads" on the hpHosts download page, and can be monitored using either a program such as HostsMan or via script etc (by checking the "Last-Modified" header).

hpHosts - Ad/Tracking Servers Only

hpHOSTS - UPDATED February 18th, 2009

hpHOSTS - UPDATED February 18th, 2009

The hpHOSTS Hosts file has been updated. There is now a total of 56,466 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 18/02/2009 18:30
  2. Last Verified: 18/02/2009 18:00

Download hpHosts now!

Tuesday, 17 February 2009

Michael Widenius, founder of MySQL, invests in WOT, Web of Trust

Our excitement here at WOT HQ has been building as discussions were conducted, ideas batted around and signatures placed on the dotted line. At last, the famed open source hero and creator of MySQL, Michael "Monty" Widenius, is joining our team! He brings with him a wealth of knowledge and an influential contact network that will help to expedite our growth and take the company to the next level.

About Monty

Monty started to write the first version of his database back in 1982. In 1994 he wrote an SQL interface on top of his old code and together with the other founders, David Axmark and Allan Larsson, released it in 1996 to the public.

MySQL has since grown to become an open source icon and the world's most popular open source database. It was acquired by Sun Microsystems in January 2008 for an impressive sum (one billion dollars - that's $1,000,000,000). Monty had a key role in the company until recently, when he announced his resignation.

Now Monty embarks on his next adventure. He will focus on his company, Monty Program AB, and the development of the Maria engine, a transactional storage engine for MySQL. And through his investment company Open Ocean, he is seeking to invest in disruptive technology start-up companies that create open source and community products. WOT is pleased to among the first of these companies

Read the full story

hpObserver v0.4.9 released

Version: 0.4.9

Added: Now saves last opened window size + position

Fixed: PTR not shown if hostname only resolves to a single IP
Fixed: IP import (via Load From File) failed to work if "IP PTR" on the results tab (Tools > Settings) was disabled, but Auto-resolve (Misc tab) was enabled

Modified: Several other minor modifications


Special thanks to HardHead and Rodney for the bug fixes :o)


Developments in the FTC v Innovative Marketing et al lawsuit…

Filed - Consent motion to withdraw motion to dismiss for lack of personal jurisdiction of defendants James Reno and ByteHosting Internet Services, LLC - 12 February 2009

“By agreement of the Plaintiff the Federal Trade Commission and Defendants James Reno and ByteHosting Internet Services, LLC, and in anticipation of resolution of the claims against said Defendants in the near future, which is under discussion, the parties hereby move to withdraw the Motion to Dismiss for Lack of Personal Jurisdiction of Defendants James Reno and ByteHosting Internet Services, LLC (Doc. 50), without waiving any defences.”

Filed - Plaintiff's consolidated opposition to the motions for a temporary stay filed by defendants Sam Jain and Kristy Ross - 12 February 2009

Read the full article

DShield Web Honeypot - Alpha Preview Release

The attack dynamics had significantly changed since DShield went into service 8 years ago. Web attacks are becoming more popular these days. The SANS ISC is releasing an alpha version of the DShield Web Honeypot today to extend DShield's visibility into this traffic. The intention of the web honeypot project is to harness multiple capture points run by volunteers for the collection of potentially harmful traffic on the web.

The goal of the Web honeypot project is inline with the original DShield project, the data collected through the sensors feed the Dshield web database where human volunteers as well as machines pour through the data looking for abnormal trends and behavior. In addition, we would like to use the honeypot data to measure web attack prevelance and find objective metrics to recommend protective measures. The data collected will also be shared with the research community upon request later this year and be made available in aggregated form via the DShield website.

Read the full article

Bad Actors Part 3 - Internet Path/Cernel

Much was made of the Intercage/Atrivo shutdown last year, which was a result of significant research by the security community, and tenacity by the Washington Post's Security Fix technical blog. While a good chunk of the network was depeered, there are a few netblocks owned by "sister organizations" which remain routed.

The connection between Internet Path/Cernel, Intercage/Atrivo, Hostfresh, UkrTeleGroup, etc, is a tangled mess which others have written about extensively. In this article I'll be looking at UkrTeleGroup and Internet Path/Cernel.

This simple exercise can be done for any of the examples below, but for posterity's sake, I'll just point out one simple way to convince yourself that it is probably all the same group. Below I look deeply into the networking side of the DNSChanger trojan, much of which uses malicious DNS servers in the block. Simply whoising the IP shows the following:

inetnum: -
netname: UkrTeleGroup
mnt-routes: UKRTELE-MNT

Read the full article

Previous episodes:

Bad Actors Part 2 - ZlKon

Bad Actors Part 1 - Starline Web Services

Spambot Search Tool v0.19 re-released

Just a note folks, due to a couple of changes and one or two bug fixes, I've re-released v0.19. The main bug fix concerns the web interface and BotScout (when an error is returned by BS, it was flagging it as a spammer), and a minor bug fix with view_spammers.php.

I've still got one or two things to add into the next release, such as a cache and counter feature (both requested), but strongly recommend downloading this update in the meantime.

Monday, 16 February 2009

Linux have scammers too!

Linux has the most die hard fanboys I've ever seen (yep, even more than the MAC fanboys), so you can guarantee this isn't going to end well (and strangely in this case, I actually agree with them - this is nothing more than a scam).

I have nothing against commercial Linux distribution. As a matter of fact, my first Linux experience was a commercial version of SUSE 7 almost nine years ago. I remember it had 6 CDs in a very professionally made CD pack, and SUSE did a very good job at making the installation process as user friendly as possible at that time. (Before SUSE decided to go evil). Its safe to say that I thought that the experience was good enough for me to justify paying for a Linux distribution.

Enter iMagic OS

Its not everyday that you see an announcement of a new commercial Linux distribution. We obviously see a lot of Linux distribution popping up every few days, which is essentially just a fork of some popular distribution out there. So what’s wrong with iMagic OS that its worth talking about?

Read the full article

Linuxsysconfig chimed in too;

Saturday, 14 February 2009

A useful new tool from Google focused on malvertisements

Malvertisements (malicious advertisements) have been a bane of advertising networks the world over. Sleazy malware distributors try to place malicious ads onto legitimate advertising networks using all kinds of tricks (one blogger has made a specialty of tracking all these malicious ads).

Read the full story:

Thursday, 12 February 2009

Comodo don't like users saying no .....

It would seem Comodo weren't happy with users saying no to the crapware, as they're now being even more persistent in getting you to install it FOR THEM (and yes, it is for them - the crapware they're bundling does NOT give you anything beneficial - it's spyware at best, all it does is give Comodo money from, and give your computer a headache);

When are these damn companies, especially the security companies, going to learn that the users don't want malware on their machine - THAT'S WHAT THE SECURITY PROGRAM IS SUPPOSED TO PREVENT!

hpObserver 0.4.6

hpObserver 0.4.6 has now been released.


Fixed: "Index out of bounds" occurs when the file you are importing has an EOL (empty line) at the end of the file

Modified: When importing, you are no longer asked if you want to verify the sites you are importing. Instead, there is a setting for this (Tools > Misc) (see screenshot attached)

Modified: Change notifications are no longer presented when running single pass verification (unusual for this to occur anyway, but I've disabled them for this mode all the same)

Modified: Change notifications in continuous mode can now be disabled (it will log changes to file instead), via Tools > Misc (see screenshot attached)

Modified: If change notifications are enabled, the program will be put on top of all other running programs when a prompt is presented, just incase you happen to be doing something else and don't notice it (this is to prevent it hanging the program)



Spambot Search Tool v0.19

v0.19 of the SBST has now been released. The main change in this release includes a re-write of the functions used to query fSpamlist, StopForumSpam and BotScout in the check_spammers_plain.php.

Changes in this release include:

- BotScout, fSpamlist and StopForumSpam query routines re-written in check_spammers_plain.php to improve efficiency

- True/false echo in check_spammers_plain.php moved to just below "END CHECK DNSBL" to fix a problem with PHP4

Overview & Download

Wednesday, 11 February 2009

farm* removed from hpHosts

I had someone e-mail me today that was disappointed to find user images were not being displayed on Flickr. I did some testing and the culprit was It seems Flickr are now using these hostnames for user images aswell as adverts.

Because of this, and because I don't want to block legit graphics, I've removed the following from the hpHosts database;

These removals will be reflected in the actual hpHosts HOSTS file on the next update (due for release by Wednesday next week).

As an aside, removals from the database can now be monitored if you wish as they are now recorded in the following file;

If you come across any other hostnames in hpHosts that cause problems such as this, please do let me know.

New phpBB3 mod

I've just written a new mod for those using phpBB3 that want to prevent posting by spammers that are already registered :o) (thus preventing you having to rush around to delete their accounts).

Tested on phpBB 3.0.4

Tuesday, 10 February 2009

Important notice for Index.dat Suite + Windows Vista users

This is an important notice for those using Index.dat Suite on Vista. Whilst I don't have Vista myself, I've not had anyone report any major problems when using the program and using the WinLogon option (instead of the default RunOnce).

Today however, I had a user e-mail me to inform me that he followed the instructions usually given to Vista users, and his computer no longer boots (recovery instructions have been given). I must therefore recommend those using Vista NOT ask Index.dat Suite to use the WinLogon setting until I can find out what happened.

If you do ask the program to use the WinLogon key instead of the Run/RunOnce keys, and experience the same issue, please use the following instructions to allow the system to boot again;

Boot into Safe Mode and disable the batch file

To boot the computer into Safe Mode;

1. Whilst the computer is loading, tap the F8 key until the boot menu appears
2. Select Safe Mode from the list of options
3. Once in Safe Mode, click Start
4. Enter the following into the Search/Run box and press enter;


5. Locate the Index.dat Suite entry and remove it
6. Close msconfig (DO NOT re-start if asked to)

Restore the original WinLogon value

To restore the original WinLogon value;

1. Click Start
2. Enter the following into the Search/Run box and press enter;

C:\Program Files\Index.dat Suite\reg_winlogon_backup.reg

3. Click Yes when asked if you want to merge the file

This will restore the WinLogon registry key to it's original value

Finally, re-start your computer

/edit 17-06-2009

I've been trying to reproduce this and whilst I've been successful on some systems, others have behaved normally, so at this point, I'm unable to give an answer as to why this is occuring. Based on this, I would not recommend using Index.dat Suite to delete the index.dat files unless you are competent in using the command line to restore the original registry value, should this issue occur on your system.

If you do NOT have access to the desktop after following the above, or cannot locate the Index.dat Suite entry in msconfig

1. Whilst the computer is loading, tap the F8 key until the boot menu appears
2. Select Safe Mode with Command Prompt from the list of options
3. Navigate to the Index.dat Suite folder;

cd "C:\Program Files\Index.dat Suite\"

4. Import the original WinLogon value;

regedit /I reg_winlogon_backup.reg

5. Finally, re-start your computer.

Symantec's "KhanhT" talking bollocks

It normally takes alot to annoy me to the point of profanity, but this guy has pissed me off with a single sentence. Just about to have a smoke, I read;

By partnering with we can offer server-side security features embedded in search results that cannot be achieved with Norton 360 alone

The above is a partial quote, taken from his post at;

I'm afraid "KhanhT", you're talking bollocks. You COULD do that with ANY of your products, WITHOUT requiring the Ask crapware - Web of Trust and Site Hound, amongst others, have shown that you CAN provide security embedded in search results, WITHOUT having to go to the dark side and partner with a known crapware vendor!!!.

If they can do it, why can't you? Woops that's right, YOU DO!.

But wait, there's more ......

Search is a fundamental part of the online user experience and it underlies most online activities. By embedding the search box in the Norton toolbar, we make it easy for users to access and benefit from the Safe Search feature.

Oh no you don't! ShellExecute and a text box does the same damn thing, with a dropdown for the search engine selection. I could throw a search box into one of my applications in 30 seconds, and I don't have millions of $$$ and a team of developers, and guess what - I STILL WOULDN'T NEED TO RESORT TO ASK.COM TO DO IT!

If you're going to try and defend something, at least use the REAL reasons, and not a complete load of tosh.

/edit 24-04-2009

Seems Symantec moved the thread I referenced above without wanting anyone to know. The new URL is below, with the old one now leading to a login box;

Kudos to Donna @ CoU for locating the new thread for me :o)

Monday, 9 February 2009

Security vendors partnering with Ask (Woops?)

I'll leave you to read what Donna has to say as she's pretty much summed up my thoughts on the subject;

I’m not happy to see that the list of security company who bundle or partner their product or services to ASK is growing.

Why I’m calling the attention of Anti-Spyware Coalition?

Simple. It’s because some members of the said coalition is partnering with ASK. You will see the list of members at

NOTE: CastleCops is still listed as member. The site has been stopped for months now. Not sure if their membership is still OK.

I’m not a lawyer but there are so many papers in the ASC website where the current members should use as guideline or at least basis on what they need to do to help detect a spyware or unacceptable programs or what they call also as “Other Potentially Unwanted Technologies”

hpHosts: A little clarification

I've had a couple of interesting e-mails recently and thought I'd clarify a few things publicly.

Inclusion of torrent sites

I know some of you have an issue with the torrent sites being included in the hpHosts file. Please note, these were not included due to the adverts on their sites (those are a whole different issue, and something they still need to address, especially given alot of them are adult orientated), but due to alot of the torrents being infected with malware.

If the operators of the torrent sites will start listening to complaints about this, and remove those that are infected, I'd be more than happy to remove them. Sadly at present, the reports myself and others have sent, have went ignored.

False positives

There are alot of concerns with sites being blocked that shouldn't be, such as MySpace. I'll save going into why some of the social networking sites are blocked as I've addressed that before.

However, if you feel any site included, is a false positive, please PLEASE fire me an e-mail! (I can't look into it if I'm not aware of it). As with anything, I'm not immune to mistake, as such, it's not unheard of for sites to be included that shouldn't be, and I'll be more than happy to address issues of such.

/edit 20-06-2009

Now that the forums are back online, the following is a reference concerning MySpace;

ClamWin + Worm.Pinit-4 + User32.dll = disaster!

That is, if you've asked ClamWin to auto-remove/quarantine any files it finds as infected. Alas, this one is a false positive (confirmed on their forums and their sigs have apparently already been updated, so shouldn't occur as of today). Something I learnt AFTER it had taken out the gateway and my stepdads computer.

If you've had this happen and are stuck, all you need to do is;

1. Insert Windows CD
2. Press R to repair Windows
3. At the prompt, enter the following and press enter;

copy d:\i386\user32.dl_ c:\windows\system32\user32.dll

4. Remove the Windows CD, and re-start the computer

This of course, assumes C is your Windows drive, and D is your CD/DVD drive.

If you haven't got a Windows CD, either create a boot disk as per Microsoft's instructions, download, or download DamnSmallLinux.

Note however, if you go with a boot CD other than the original Windows CD, you will need to ensure you are familiar with the location of the ClamWin quarantine folder (assuming you asked it to quarantine the infections and not automagically remove them), as you'll need this path to restore the user32.dll file. For example, on my computer, it is located at;

C:\Documents and Settings\All Users\.clamwin\quarantine\

The command to restore the file would then be;

copy "C:\Documents and Settings\All Users\.clamwin\quarantine\infected.USER32.dll" c:\windows\system32\user32.dll

Note, the quotes MUST be in place for the command to work.

If you asked it to auto-remove the infections it finds, I'm afraid you're going to need a little more work. Simply because you can't easily restore it without a copy of the file (and no, downloading it from a peer to peer network is NOT a good idea!!!!!! (where do you think most infections flourish?)). If this is the case, ask a friend (with the same version of Windows), to copy the user32.dll file to CD for you, and copy it from there (or better yet, ask them to create a boot disk for you and stick a copy of the user32.dll file onto the CD!!)

Thursday, 5 February 2009

Spambot Search Tool v0.17

Another little release. This one fixes a bug in check_spammers_plain.php.


Should have been


I'd written it correctly in check_spammers.php, so this would have only affected the directly accessed script (if you had both cURL and file_get_contents available, you wouldn't have noticed any problems).

Thanks to Mike at Bot Scout for letting me know :o)

Download the new version at;

Wednesday, 4 February 2009

hpHOSTS - UPDATED February 4th, 2009

hpHOSTS - UPDATED February 4th, 2009

The hpHOSTS Hosts file has been updated. There is now a total of 55,472 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 04/02/2009 11:00
  2. Last Verified: 04/02/2009 10:00

Download hpHosts now!

Tuesday, 3 February 2009

Practical Web Application Security with WebGoat

Web application security principles, methods and technologies are a challenge to learn. Encoding types, scripting languages, HTML/XML concepts, AJAX, and more, all need to be understood, not only from a developer’s perspective, but also from the perspective of the attacker. The challenge is that it is very hard to find a safe infrastructure on which you can gain an understanding of all these technologies and how they can be exploited. Thankfully, the OWASP has put together an excellent learning tool known as WebGoat.

WebGoat is the result of an effort led by the OWASP group to help web developers and security professionals understand web application security. It is a self-contained learning environment through which people can come to terms with the many security issues that are found in web applications. Ironically, this is accomplished through a very, very insecure web application that uses a Java backend to parse the incoming exploits and output the results. Unlike other web application security training tools, such as Foundstone's Hackme series and Badstore, WebGoat was primarily designed to be an educational tool. While the other training applications are valuable learning environments, WebGoat takes the learning aspect to the next level by including lessons plans, a report card, project hints, and even a "final exam" that tests the student's collective knowledge

Younexus want me to serve you adverts!

Oh dear, this was never going to end well.

I received an e-mail earlier today from Kevin at Younexus, offering well - see you yourself;


Iam very interested in your software. The quality and performancearevery impressive. I believe that you want to make more money fromyoursoftware product. Do you have backup revenue plan for yoursoftware?

If not, Younexus Advertising Program for publishercan be your backuprevenue plan. The way it works is to empower yoursoftware to makemoney from advertising. Please see for demo and more details.

Inaddition to making more money, Younexus Advertising ProgramforPublisher can help you to gain insight into critical details aboutyourcustomers such as their location, usage of your software.

Please feel free to contact me if you have any question. I am looking forward to your feedback.



You'll no doubt have noticed the first signs of a problem right? Well it gets better as this doesn't stop at an e-mail. I decided to check this one out (don't worry folks, you'll never see adverts in any of my programs), and their website isn't much better;

The "Term and Condtions" (ya gotta love it) referred to by the way, are at;

Their plugin instructions are at;

Essentially, they want developers to include a DLL (ynapwin.dll, PrevX analysis) in their application, that displays adverts to the user. I've not checked to see what type of adverts are displayed, but if their website is anything to go by - you can bet it's not going to be good.

Phishing: .gif not just for graphics

I've seen millions of phishing scams, and they've almost always had one thing in common - they pointed to or /phish/file.html etc. Today however, I saw something new (to me at least), the phishing link pointed to a .gif file;

a.gif however, isn't what it actually appears to be. All the phisher has done is configure the server to serve .gif files as it would a .html;

vURL Desktop Edition v0.3.7 Results
Source code for:
Server IP: [ ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 03 February 2009
Time: 15:52:23:52
<meta http-equiv="REFRESH"

This phish is also valid as;

The headers for this e-mail show it was sent through either an open, or compromised mail server at; (IP:

Both and have been notified.

hpHosts: One or two changes to note

If you've been to hpHosts in the last 24 hours, you may have noticed one or two modifications. The first is quite obvious if querying a hostname already in the database;

This change was done to make it easier to differentiate between the sites current information, and what is stored in the database for it.

The above screenshot should actually give you a hint as to the second change - the history (shown in the above as "( H )" after the hostname). Clicking the "H" will show you any IP's that are known to be used by the hostname (or at least, those that are logged in the database as used by it). You'll likely notice this more with fast-flux domains such as;

I should note however, these are ONLY updated when someone queries the hostname in the database. I've not got any automation going to try and automagically find any new IP's that a hostname is known to be using.

The final change is the matches. Previously this was linked to as "&DM=1#matches". This was changed to "&view=matches", try and keep things simple. For example;


Just a note folks, the history feature has been expanded to include sites that aren't listed in the database (I'll be keeping a close eye on storage usage however, to ensure the server can handle the storage that's going to be required for this)

Full Circle Magazine: Issue 21

  1. Command and Conquer - Formatting Output. (shell script can be downloaded from this page)
  2. How-To : Program in C - Part 5, Web Development - Part 2, Changing Video Aspect Ratios & Ubuntu ISO to Bootable USB.
  3. My Story - Creative Zen V Plus in Ubuntu
  4. Game Review - Tribal Trouble 2
  5. My Opinion - Missed Opportunity
  6. MOTU Interview - Nicolas Valcarcel
  7. Top 5 - Torrent Tools
  8. PLUS - FCM#20 Survey Results

Read More

Get it while it's hot!

Issues 0 - Current


Wiki: - Fast Scam! Free Alternative Software

I'm alot late with posting this but, now that I've come across it again, I'm posting it incase I forget again. need to be taught a lesson, the first of which is that their scam will always be noticed.

While it was not the first clue that something was wrong with this commercial, I had to LMAO when I saw the MacBook, in the commercial, showing a “blue screen of death”. An outrageous faux pas in my view - after all this is supposedly a Windows based PC service.

It’s not the first commercial I’ve seen selling Windows based Pc services, (they seem to be popping up all over), but I must admit; it’s the first one I’ve seen where the actors are using iMacs and iBooks in place of a proper Windows based PC.

Read the full article:

Monday, 2 February 2009 - Someone's still holding a grudge

... either that or they really really dislike your members. Fret not however, the idiot(s) doing this are obviously amateurs (or of course, are of the impression that your members will open anything sent to them) as we've thus far seen the e-mail pointing to a link, then of course, coming with an attachment. This time, they've opted for a mixture of the two - a linky (, hosted by Netfirms) pointing directly to the malicious file.

Exported by: Outlook Export v0.1.5

From: josh brown [ - ]
Date: 02/02/2009 07:59:23
Subject: funny one

Link: hxxp://
IP: [ ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: false

Text Version
************************************************************************** <>

HTML Version
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<!-- Converted from text/plain format -->

<P><FONT SIZE=2> <<A HREF=""></A>><BR>


Delivered-To: [REMOVED]
X-FDA: 61867751400
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 73,5,0,d41a7607dfd749a7,e7e6e4fffc7a31a5,,[REMOVED],RULES_HIT:152:355:
0,MSF:not bulk,SPF:fu,MSBL:none,DNSBL:none
Received: from ( [])
by (Postfix) with ESMTP
for <[REMOVED]>; Mon, 2 Feb 2009 09:20:19 +0000 (UTC)
Received: from ([])
by (StrongMail Enterprise 4.1.0(4.1.0-41174)); Mon, 02 Feb 2009 02:59:24 -0500
X-VirtualServerGroup: Default
X-MailingID: 1191441202::89328493::1234::0000::43912::43912
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.0(4.1.0-41174)
X-Destination-ID: [REMOVED]
Content-Disposition: inline
Content-Type: text/html;
MIME-Version: 1.0
Message-ID: <>
Subject: funny one
Date: Mon, 02 Feb 2009 02:59:23 -0500
From: "josh brown" <>

The file the e-mail points to (, MD5: DF06802FD10BABFE742B1783B29FB05F) is infected with the HIDDENEXT/Worm.Gen infection, and when extracted, we see it attempting to masquerade as a .pnt file. Alas not surprisingly, it's got a ton of spaces after the .pnt extension, and finishes with a .scr extention.

A quick peek at the file shows it's a VB6 file (MD5: 64FA0169B4C52DA16EDDA9B762389006).

File properties:
  1. Version:
  2. Copyright: silw3r
  3. Comments: Pub STB
  4. Company: eXpert
  5. Internal Name: stiki
  6. Original Name: stiki.exe
  7. Product Name: STB

More interestingly, it contains the following snippet of code;

Notice the chromehtml src? Seems they want to play with Google Chrome exploits too, how nice. resolves to


Virus Total results for pic545.pnt{MANY_SPACES}.scr

Virus Total results for

Sunday, 1 February 2009

WinPatrol v16 Monitors Changes to UAC Settings

If you are running Vista or Windows 7, give it a shot and let Bill know your thoughts and suggestions!

WinPatrol v16 is still in beta and may be for a while if folks like Microsoft MVP Corrine keeps giving me great suggestions. This latest new feature was a must after reports surfaced that User Account Control settings in Windows 7 could be changed by malware. In fairness, as this Microsoft response points out "The only way this could be changed without the user’s knowledge is by malicious code already running on the box".

I’d like WinPatrol users to know we have their back if some malicious program or even a family member changes the UAC settings on their machine. WinPatrol was also the first program to monitor changes to Windows AutoUpdate settings. Sure enough we’re starting to see many trojans and viruses in the wild trying to monkey with autoupdate setting

Read and download: