Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 30 July 2009

RegCure peddled as Microsoft HotFix

I just came across this one on Google, via the sponsored adverts (surprise surprise), and am astounded that neither Google nor Paretologic have done anything about this one.

This particular site is peddling RegCure, claiming it's a Microsoft Hotfix. Not surprisingly, it also doesn't seem to care what terms you use to get to the page - as long as you get there. For example, if I change error%201008.html to error%20i%20wanna%20kill%20rogues.html, we see:

http://microsoft.pcerror.info/errorcode/error%20i%20wanna%20kill%20rogues.html?gclid=CI__rpv1_psCFc0B4wod9Q8f-Q



You'll no doubt have guessed, all of the "awards" on the page are fake, as are the Microsoft Gold Certified "awards".

The download this site takes you to is;

http://www.pcerror.info/errorfix.exe

Which gives you a file called RegCureSetup_RW.exe. The little redirection wonderland you're taken through is:

http://bigbutton.paretologic.revenuewire.net/regcure/download
http://bigbutton.paretologic.safecart.com/regcure/download
http://www.regcure.com/download/revenuewire/
http://dl2.paretologic.com/downloads/regcure/RegCureSetup_RW.exe

Headers:

HTTP/1.1 302 Found
Date: Fri, 31 Jul 2009 02:52:16 GMT
Server: Apache
Location: http://bigbutton.paretologic.revenuewire.net/regcure/download
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Fri, 31 Jul 2009 02:53:10 GMT
Server: Apache
Location: http://bigbutton.paretologic.safecart.com/regcure/download
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 219
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Fri, 31 Jul 2009 02:53:45 GMT
Server: Apache
Set-Cookie: paretologic=3L4a6088fbba2ac21-bigbutton; expires=Wed, 21-Oct-2009 18:29:45 GMT; path=/; domain=.safecart.com
Location: http://www.regcure.com/download/revenuewire/
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Fri, 31 Jul 2009 02:54:09 GMT
Server: Microsoft-IIS/6.0
P3P: CP="ADM OUR IND COM"
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.5
Set-Cookie: rwhop=active; expires=Sat, 31-Jul-2010 02:54:09 GMT; path=/; domain=regcure.com
Set-Cookie: rwtime=1249008849; expires=Sat, 31-Jul-2010 02:54:09 GMT; path=/; domain=regcure.com
Location: http://dl2.paretologic.com/downloads/regcure/RegCureSetup_RW.exe
Content-type: text/html

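The headers above are the raw material for the hop list further up. As an added example (my own code, not something from the original post or from any of the companies named), the script below parses a capture of consecutive HTTP response headers like that one, walks the Location headers to rebuild the redirect chain, and pulls out the cookie domains set along the way. It is the kind of thing you want when you are blocklisting or documenting a chain, since it checks that each 3xx actually leads to the next hop rather than relying on eyeballing. The sample input is the capture from this post, pasted in verbatim; the starting URL is the errorfix.exe link above.

```python
import re
from urllib.parse import urlparse

# Sample input: the response headers captured in this post, one block per hop.
CAPTURED_HEADERS = """\
HTTP/1.1 302 Found
Date: Fri, 31 Jul 2009 02:52:16 GMT
Server: Apache
Location: http://bigbutton.paretologic.revenuewire.net/regcure/download
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Fri, 31 Jul 2009 02:53:10 GMT
Server: Apache
Location: http://bigbutton.paretologic.safecart.com/regcure/download
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 219
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Fri, 31 Jul 2009 02:53:45 GMT
Server: Apache
Set-Cookie: paretologic=3L4a6088fbba2ac21-bigbutton; expires=Wed, 21-Oct-2009 18:29:45 GMT; path=/; domain=.safecart.com
Location: http://www.regcure.com/download/revenuewire/
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Fri, 31 Jul 2009 02:54:09 GMT
Server: Microsoft-IIS/6.0
P3P: CP="ADM OUR IND COM"
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.5
Set-Cookie: rwhop=active; expires=Sat, 31-Jul-2010 02:54:09 GMT; path=/; domain=regcure.com
Set-Cookie: rwtime=1249008849; expires=Sat, 31-Jul-2010 02:54:09 GMT; path=/; domain=regcure.com
Location: http://dl2.paretologic.com/downloads/regcure/RegCureSetup_RW.exe
Content-type: text/html
"""

START_URL = "http://www.pcerror.info/errorfix.exe"
REDIRECT_CODES = {301, 302, 303, 307, 308}
STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")


def parse_responses(raw):
    """Split a capture of consecutive response headers into one dict per hop.
    Header names are lower-cased so 'Content-Type' and 'Content-type' compare equal."""
    hops = []
    current = None
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            current = {"status": int(m.group(1)), "headers": []}
            hops.append(current)
            continue
        if current is None:
            raise ValueError("header line before any status line: %r" % line)
        name, _, value = line.partition(":")
        current["headers"].append((name.strip().lower(), value.strip()))
    return hops


def header_values(hop, name):
    """All values of a (repeatable) header on one hop, e.g. several Set-Cookie lines."""
    return [v for n, v in hop["headers"] if n == name]


def redirect_chain(raw, start_url):
    """Rebuild the URL chain from the Location headers, stopping at the first non-redirect."""
    chain = [start_url]
    for hop in parse_responses(raw):
        if hop["status"] not in REDIRECT_CODES:
            break
        locations = header_values(hop, "location")
        if len(locations) != 1:
            raise ValueError("redirect without exactly one Location header: %r" % hop)
        chain.append(locations[0])
    return chain


def hostnames(chain):
    """The hosts a victim touches, in order: what goes into a blocklist."""
    return [urlparse(u).netloc for u in chain]


def cookie_domains(raw):
    """Domains named in Set-Cookie attributes, showing which parties track the visit."""
    domains = set()
    for hop in parse_responses(raw):
        for cookie in header_values(hop, "set-cookie"):
            for attr in cookie.split(";")[1:]:
                key, _, value = attr.strip().partition("=")
                if key.strip().lower() == "domain":
                    domains.add(value.strip())
    return sorted(domains)


if __name__ == "__main__":
    chain = redirect_chain(CAPTURED_HEADERS, START_URL)
    for i, url in enumerate(chain):
        print("%d: %s" % (i, url))
    print("hosts:", ", ".join(hostnames(chain)))
    print("cookie domains:", ", ".join(cookie_domains(CAPTURED_HEADERS)))
```

Feed it the output of any capture tool that prints one header block per hop, and the hostnames list is what you would hand to a blocklist; a ValueError on a hop means the capture is incomplete and should be re-taken before anything gets listed.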

Just so we're clear - it's this type of behaviour that has not only gotten Paretologic a bad name, but has also gotten them blacklisted as rogues in many people's eyes (mine being one of them).

So who owns pcerror.info? Well, if you'd believed the About page, you'd have thought Paretologic themselves do, as the BBB accreditation links to a page that certifies Paretologic are accredited by the BBB:

http://www.pcerror.info/about.php

... and the Contact page, which displays the Paretologic address:

http://www.pcerror.info/contact.php




However, I doubt Paretologic would do this themselves, especially given they know the security community are watching them like a hawk, given their past behaviour and lack of action concerning affiliates. In this case, I'm inclined to give the benefit of the doubt, and say an affiliate runs the site.

Not surprisingly, the WhoIs for pcerror.info doesn't give us anything, as that's hidden.

http://hosts-file.net/?s=pcerror.info&wn=1

References:

Paretologic vs MalwareURL
http://hphosts.blogspot.com/2009/07/paretologic-vs-malwareurl.html
