Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 30 September 2009

Fake registry cleaner using same tactics as fake antimalware

I was sent this one a few moments ago, and was expecting it to be a fake AV (ala Total Protection etc), but no, to my surprise, it was infact, for Registry Repair 2008 (a bogus registry cleaner).

The site in question is (IP: -, AS32748)

Which then displays:

Following through, we're taken to:
IP: (, AS21844)

However, contrary to the address bar, the site loads the following via iFrame;

The certificate issued to is courtesy of GoDaddy:

Tuesday, 29 September 2009

Spambot Search Tool: v0.39

I've now released v0.39 of the Spambot Search Tool. Changes in this version include;

* Modified paths for include files, now uses __FILE__ to detect SBST folder (requested)
+ Added additional Sorbs DNSBL
* Period added to end of hostnames for DNSBL checks (requested)
* Minor modification to fSpamlist routine that caused a problem for the BotScout query when no username/e-mail was passed


FireEye: Killing the beast...Part 3

In the third part of this series, I'm going to discuss the command and control structure of another famous botnet, Clampi a.k.a ilomo. Clampi is all about data stealing and is famous for its anti-reversing and evasion techniques. The financial damage this information stealer can cause is evident from the fact that it has recently been publicly disclosed of a cyber theft of more than $150,000. Notorious isn't it..?

Like the first two parts where I discussed the command and control structure of the Pushdo and Koobface botnets, I'll start by showing the current geographical distribution of Clampi CnCs, followed by a brief analysis on the chances of shutting down these control servers and hence the complete botnet.

This article is not an in depth analysis of the malware itself but concentrates more on current geo locations of Clampi command and control servers. For detailed in-depth analysis of this malware, one may refer to this.

Let's start with a brief introduction to the Clampi command and control architecture which is not a classical client/server model. As a matter of fact, there are two types of CnC servers involved here.

Read more


FireEye: Killing the beast .... Part II

FireEye: Killing the beast .... Part I

Monday, 28 September 2009

RapidSwitch: UK webhosts in champagne throwing cat fight

Need another reason to avoid RapidSwitch? How about their spamming the customers of another hosting company for no other reason than, they could?

Updated Get your popcorn. It's time for the UK webhost cat fight to end all UK webhost cat fights.

Earlier this week, according to the forum dwellers at WebHosting Talk, the UK hosting outfit PoundHost sent a routine marketing email to a group of its customers - and forgot to hide their addresses in the BCC field. At which point, one of outfit's biggest competitors - RapidSwitch - snagged the addresses and sent each exposed PoundHostee a note urging them to jump ship:
Dear Poundhost Customer,

Switch your dedicated hosting to RapidSwitch, and we'll give 6 months hosting free, migration assistance, and a 100% service level agreement. As if this isn't enough, we'll even send you a bottle of champagne* to celebrate! Whether you have one server or a cluster of 100s, you can benefit from moving to RapidSwitch.
And the footnote looks like this:
* Don't worry if champagne's not your thing, we will send you a non-alcoholic hamper instead
Then, just days later, at about 11pm UK time on Thursday evening, RapidSwitch took its Maidenhead data center offline to repair a network failure - and many customers were left without service for the better part of a day. And counting. "We've got ten servers over there," one Reg reader told us very late Friday evening. "All [have] been up and [down] more than a pair of whores knickers [today]."

Read more

Fake Youtube Pages And Seekmo

Fake Youtube pages are normally the domain of fake media codecs and other scams. Here, we have two examples (hat-tip to Steven Burn of the hpHosts Blog and the Ur I.T. Mate sites for pointing these out to me) that promise the ability to view naughty movies online - yes, just like the fake media codec sites - but serve up something a little different.

The sites in question are and Visit either, and you'll see something like this:

Fake player ahoy, originally uploaded by Paperghost.

Randomly selected images of people indulging in rudieries appear down the right hand side, and a fake video (complete with star ratings, view counts etc that has clearly been ripped directly from Youtube) sits in the middle, claiming you can see the goodies within if you install "Dream Media Player". Hover over the video, and you'll see the download URL at the bottom of the image which happens to be is a domain that's been home to Zango installers for many years (now owned by, who took them over when they went boom not so long ago). Do you think we might see files that have a Zango-ish feel to them once the install is complete?

Read more!

Saturday, 26 September 2009

Full Circle Magazine: Issue 29

29 is the tenth prime number, but you didn’t want to know that. What you do want to know is that issue 29 means that we’re going to hit #30 next month!

This month, you’ll get:

- Command and Conquer
- How-To: Program in Python – Part 3, LAMP Server – Part 2, Virtual Private Networking.
- My Story – One Man’s Journey, and Walk With Ubuntu.
- Review – Kompozer.
- MOTU Interview – Iulian Udrea.
- Top 5 – Physics Games.
- Ubuntu Games, as well as all the usual goodness!

Read more

Get it while it's hot!

Issues 0 - Current



Friday, 25 September 2009

Spambot Search Tool: New MediaWiki extension

I am happy to announce, thanks to MediaWiki user, Carl Bennett, there is now a mod available for MediaWiki users, wishing to integrate the Spambot Search Tool into their Wiki's;

Thursday, 24 September 2009

Senpai IT Solutions killed malicious servers

I'm happy to report, after identifying yet more malicious activity on Senpai IT Solutions network, and sending another e-mail to them, Senpai IT Solutions have informed me they've now completely disabled the servers for the following; - - - - -

You'll no doubt already be aware that these have a recent history of malicious activity, and I'd like to thank Siarhei at Senpai for taking action and shutting them down.


I'll be continuing to monitor their network, and have asked him to shut down another couple of servers involved ( and, so we'll see what else pops up.

/edit 23:12

Little update, I've had a response from Siarhei to inform me .43 has been disabled aswell, and .154 was apparently formatted and sold to someone else two weeks ago (there's been no activity on that IP, within the last two weeks, so obviously the new owner isn't malicious (so far)).

References: - The rogues love MDL!

Web Poisoning: Youtube video lead to Rogue Antispyware - Antivirus360

Alliance and Leicester botnet: Here we go again

Looks like the Alliance and Leicester botnet is back yet again.

I've not been able to identify any other domains involved yet (haven't checked PhishTank yet however), but it's guaranteed there either is, or will be, alot more of these.

Latest IP's; - Failed to resolve - - - Failed to resolve - Failed to resolve - Failed to resolve - Failed to resolve - Failed to resolve - - - - Failed to resolve - - - - - - - - - - - - - -

E-mail content:


Thank you for banking online at Alliance & Leicester. At Alliance & Leicester bank, your security is our primary concern. And in order to guard against the recent spate of fraud and identity theft involving online account holders, we have recently introduced additional security measures and upgraded our software to protect our online account holders.

The security upgrade will be effective immediately and requires our customers to update their access and Sign in Protection activation.

Please Upgrade Your Information <>

For your security, you won't be able to gain access to your accounts until you've done this.

Best Regards.
Alliance & Leicester Security Department Team.

Alliance & Leicester is part of the Santander Group, one of the world's largest banking groups. More information on Banco Santander can be found at


Alliance and Leicester botnet

Alert: Alliance & Leicester botnet back ....

Is your computer part of the Alliance and Leicester phishing botnet?

Wednesday, 23 September 2009

YoHost/Piradius (again): and scam

Seems Piradius never learn. and appear to be two fake domain appraisal companies being "recommended" to domain owners as part of a long-running scam which we have touched on many times before. was created on 12th September to an anonymous registrant, hosted on at Katz Global Singapore. It's a copy of which is hosted on at well-known black hat hosts

He mentions the spams originating IP as being, which of course, has a PTR pointing to a range on ThePlanet ( Hosts: (now fails to resolve) is a copy of and, which are at and respectively. is also listed on the following blacklists;


I did a little digging on the CNET, and found quite a few malicious domains, including a few that have been reported to the IWF.

Tuesday, 22 September 2009

Spambot Search Tool v0.38

I've just released v0.38 of the Spambot Search Tool. This update fixes a minor bug with the StopForumSpam query.


I've also got an update for hpHosts scheduled for later today (aka, once I've finished processing the huge list of removals).

Sunday, 20 September 2009

Exploits a go-go ....

You may have noticed the major increase in domains added to the hpHosts blacklist, with the EXP classification over the past few days. Sadly, there have been thousands of sites found carrying a variety of malicious codes, from simple iFrames leading to exploits (not surprisingly, almost all have been .ru sites), to actual exploit code itself.

Interestingly, an IP ( - ) that houses 15 celebrity tour sites (amongst others) has almost all of the tour related sites serving exploits, with the only one not serving them being (is our attacker a Shakira fan?).

Regardless of whether your site has been compromised or not, now would be a good time to get into the habit of changing FTP etc passwords, and making sure any software you're running (e.g. WordPress, phpNuke) is up to date. Backing up your sites files whenever you make a change, and monitoring the site would be a good idea too (you do of course do that already - right?).

Saturday, 19 September 2009

EchoMetrix Inc. web-monitoring software gathers data on kids

Parents who install a leading brand of software to monitor their kids' online activities may be unwittingly allowing the company to read their children's chat messages — and sell the marketing data gathered.

Software sold under the Sentry and FamilySafe brands can read private chats conducted through Yahoo, MSN, AOL and other services, and send back data on what kids are saying about such things as movies, music or video games. The information is then offered to businesses seeking ways to tailor their marketing messages to kids.

"This scares me more than anything I have seen using monitoring technology," said Parry Aftab, a child-safety advocate. "You don't put children's personal information at risk."

The company that sells the software insists it is not putting kids' information at risk, since the program does not record children's names or addresses. But the software knows how old they are because parents customize its features to be more or less permissive, depending on age.

Five other makers of parental-control software contacted by The Associated Press, including McAfee Inc. and Symantec Corp., said they do not sell chat data to advertisers.

One competitor, CyberPatrol LLC, said it would never consider such an arrangement. "That's pretty much confidential information," said Barbara Rose, the company's vice president of marketing. "As a parent, I would have a problem with them targeting youngsters."

The software brands in question are developed by EchoMetrix Inc., a company based in Syosset, N.Y.

Read more

Special thanks to "Amishrabbit" for the heads up

Thursday, 17 September 2009

ClamWin: How to lose more users ....

I really hope they don't go ahead with this. The second they do, I'm ripping ClamWin off of every machine I take care of, and never recommending it again.

If ClamWin will finalized it to include ClamWin Free AntiVirus with Ask Toolbar, it's sad to see another security vendor's software will be added in Products with Ask Toolbar which means we will no longer post updates information about it as our signal of protesting against Security Software bundling their installers with unwanted toolbar and flag as Ad-ware or unwanted by other security vendors and malware scanners. Not to mention that this adds unnecessary component in the system of people who has no idea whether the toolbar is required (Many beginners fall into this and they are the most impacted) and instead of the program to hunt for unwanted stuff, it will add unwanted and unnecessary stuff? Geez. Can't you just use other toolbar that has no "debatable" or "suspect" status?

Read more

Tuesday, 15 September 2009 on the move to

It looks like black-hat host is on the move to a set of IP addresses owned by "Dragonara Alliance Ltd" ( - a company that claims to be Swiss (and appears to use hosting in Switzerland) but is registered in the British Virgin Islands.

Dragonara claims to be a high-reliability host where clients can weather out DDOS attacks, which is a useful service. However, a lot of the sites it host seem to be quite dubious, and a lot of sites seems to be pushing "replica" (i.e. fake) Swiss watches. The fact that a Swiss company is hosting sites in Switzerland that appear to be selling fake Swiss watches is something that might end up in an interesting conversation with some Swiss lawyers.

The IP address range to look out for is - The sites listed below are for information purposes only, many may well be perfectly legitimate. If you have any observations, then please use the comments.

Read more

Saturday, 12 September 2009

Dynamic DNS and Botnet of Zombie Web Servers

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among “leaders”.

- They started with gambling-related .cn domains (like cheapslotplay .cn).
- They introduced several new domains names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
- They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
- They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
- In the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
- And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.

Here are the details.

As always, it began when I started to notice a new pattern in domains of hidden iframes in Unmask Parasites reports.

Read more

Anthony and SysAdMini have also been posting a slew of these to Malware Domain List;

Thursday, 10 September 2009

Dear Symantec .....

... ever wonder how most people get infected via the interweb? (ignoring of course, P2P and e-mail). Yep - because ActiveX is enabled! This allows them to view pretty flash and Silverlight websites, but alas, it also allows the pretty much automated infection via driveby, PDF and Flash based exploits etc.

So my dear Symantec, what on earth posessed you to develop a website that is 100% Flash dependant? Indeed, I'd like to know why more and more security companies, who claim to want to protect their customers, are requring scripts and ActiveX be enabled to do something as simple as surf most of their websites?.

Incase you're all wondering what on earth I'm going on about, the website in question is, which I found courtesy of honeyblog. Try and view it with ActiveX disabled - go on - I dare you! (I'll save you the trip - you can't).

FileInsight updated

There's a new version of FileInsight available folks;

Today we released the new version 2.1 of McAfee FileInsight. You can download your free copy from the Avert Tools site. FileInsight is a handy integrated tool environment for web site and file analysis. Hex editing, syntax highlighting, and it comes with several built-in decoders, built-in calculator, a disassembler, JavaScript scripting support, a Python-based plugin system and many more.

Let’s go through some stages of an exemplary malware attack to highlight some of its analysis features – but don’t try this stunt at home, unless you know what you’re doing; a safe, isolated lab environment is absolutely mandatory for any such research work.

Read more + Download

Kudos to SysAdMini for the heads up!

Wednesday, 9 September 2009

A little thank you to Microsoft

Just noticed the mention of this blog in the August Microsoft Security newsletter, rather nice little surprise for me.

Tuesday, 8 September 2009

One or two updates

You may have noticed my mentioning planned maintenance the other day. Sadly I never got round to doing this (didn't have the time or finances to purchase new hardware). I have however, gotten my old Linux machine ready for use an extra server, and plan to move the more resource intensive sites over to it as soon as I get time to do so (the machine is only a 1-1.4Ghz, but has 1GB RAM, which is twice as much as the hpHosts server, and 2-3 times more than the other servers).

I've also gotten a Netgear RangeMax (DG834PN) router to replace the now very old DG834Gv2. I got it all setup and online, and there were no external issues, however, it didn't seem to like letting the machines on the network see each other, so until I get time to find out why (the current router doesn't have that problem, nor did it require any configuration to allow such), it's sitting in it's box waiting for me.

I'd also like to note, I've been completely swamped over the past few weeks, so if you've sent me an e-mail and have not yet received a response, please do let me know (either via the hpHosts forums, or the TeMerc forums, or of course, simply re-send your e-mail).

I've also been monitoring the domains I mentioned with regard to the Alliance & Leicester botnet, and these are still alive. However, I seem to have forgotten to list the IP's they were resolving to when I posted the blog. I ran through them and filtered the duplicates, and out of the > 3000 IP's, there were only 49 unique IP's, these are;    -    Resolution failed    -    -    -    Resolution failed    -    -    Resolution failed    -    -    Resolution failed    -    Resolution failed    -    -    -    Resolution failed    -    -    -    Resolution failed    -    -    -    -    Resolution failed    -    -    Resolution failed    -    Resolution failed    -    -    -    -    -    -    -    Resolution failed    -    -    -    -    -    -    -    -    -    -    Resolution failed    -    -    -    -    -    -    -    -    -    -

I'll post the latest validation results once they're finished.

/edit 03:54

The validation is now finished:

Network downtime (sorry folks)

Sorry about the downtime around 10-15 mins ago folks. I was switching the servers over to the new 4 port KVM (previously had 2 x 2 port KVM's for them).

I was also informed earlier, that the guy from the electricity came round yesterday and turned the electricity off for approx 10 mins, without giving anyone time to shut down the servers (yep, I'm extremely annoyed at them).

The vURL Online server is still running very slowly (took > 10 mins to boot), so that's next on my list to be replaced/upgraded (looked at new servers but they were extremely expensive (over £2000 for the cheapest one I saw), so am going to buy the parts seperately instead as I can do it alot cheaper that way (can get a new machine put together for around £450-£500)).

Sunday, 6 September 2009

Alert: Alliance and Leicester botnet

Oh dear, it started in July, then made a come back the middle of August, and now has returned yet again.

I've checked those that were alive in July, and they're all still dead, so they're not surprisingly, using brand new domains for this one. Quite why the registrars and ICANN et al, are allowing domain names with banking institues in them, astounds me - and obviously, is annoying.

I've only seen one such domain thus far (*, but have no doubt there are others out there;

My friend over at Clean-MX has three dated September 1st and 2nd; desc&response=alive&domain=alliance-leicester%

/edit 22:26

Just received another one pointing to a different domain;

Anthony added quite a few more to the database too, which makes the current list;

Anthony posted the hpObserver results over at MDL earlier;

I've also ran them through hpObserver again to see if there are any new IP's;

Thursday, 3 September 2009 offline

I was alerted by Sparsha earlier this week, that had gotten itself compromised and was spewing exploits. After a little run around with the hosting company, I received a response from them that they would be suspending the VPS associated with it, if no response from the customer was received.

Checking earlier today, showed the original infection had been cleaned up. However, either the site had been re-hacked, or the cleanup simply wasn't done properly, as the site was still spewing malware via an iFrame to;


There are over 100 other malicious sites in the hpHosts database, that are on this IP/range, a list of which can be found here)

After informing the hosting company of this, they have suspended the VPS and will be updating me once they hear from their customer. As soon as I hear more from them, I'll let you all know.

Until this matter is resolved, will be offline.


Tuesday, 1 September 2009

What is Windows Home Server?

Since Windows Home Server is a new addition to The Windows Blog, we thought it would be a good idea to give everyone a refresh on what exactly Windows Home Server is and what it can do for you.

Windows Home Server was designed for households and home-based offices that have more than one personal computer. It was created to help you simplify your digital life, and provide an easy way to access your media and files from any computer, inside or outside your home. The leading benefits of Windows Home Server will help you “Share, Protect, Organize, and Grow” all of your digital content on up to 10 PCs through three basic services. These include automatic PC back-up, restoration ; document and file sharing ; and remote access capabilities. Windows Home Server software will typically be sold with new server hardware from companies like Acer and HP.

Read more

Planned maintenance: hpHosts/fSpamlist/vURL network

Just a note folks, the following outlines plans for maintenance of the servers within the hpHosts network, and details of the work involved.

When is this work happening?

September 2nd - September 6th

What does it affect?

Access to the following sites may be affected during the transition.


Certain aspects of the following services/products, could be affected;

sGB - Mail server (i.e. new guestbook notifications, new registrations)
sURL - hpHosts access for querying blacklisted domains
Spambot Search Tool - fSpamlist queries
hpObserver - hpHosts queries

How long will it take?

Currently unknown, though I'm hoping to have the work completed by September 6th (depends on sleep, free time to do it and finances I can spare for it).

What does the work involve?

I am planning on a complete re-build of all of the servers on the network, along with a redesign of the network topology, with additional hardware replacements where required (mainly including additional RAM for the hpHosts server, new hard drives for the * and hpHosts servers, new gateway server, and a new mail server (thanks to Alt-N Technologies))

Is it likely to cause problems?

I will be rebuilding the servers one at a time, using a temporary server to house the sites on the server being replaced, whilst the rebuild is being performed, so I do not expect there to be much downtime. A little interruption may be required whilst service is transferred to the new server.

Why is this being done?

The servers have served me fantastically for years, with very little problems. However, recently there has been a major spike in the resources and bandwidth required for each server, and some of them simply cannot cope. As such, upgrades, replacements and in one or two cases, reconfigurations to allow for higher traffic levels, is required.

Is there anything else I need to know?

Given this is to be done during my free time, the times/dates referenced should be taken as approximations only. I'll keep the downtime to an absolute minimum.

Windows Server: New PHP cache extension and a new home

Microsoft today, announced a new home for Windows Home Server. You can read all about it at;

The folks from the Windows Server division, also announced a new PHP caching extension that those of you running PHP on Windows Server will absolutely love, as it speeds up PHP performance (will be checking it out myself when I rebuild the servers this week).

Read all about it at;

Koobface World Tour

Koobface wrecks Search results

One question that people often ask when we describe how millions of computers are infected with malware is "Why would anyone do that?" The answer of course is: MONEY.

Some of these money making schemes are so convolluted that it seems unlikely that anyone could make any money at them, but even if they only make a couple pennies per day on each machine, when you have millions of compromised machines, that adds up over time.

Ellen Mesmer of Network World documented America's Ten Most Wanted Botnets last month, and placed Zeus at #1, followed by Koobface at #2. That's a pretty good prioritization system, and one we are following at UAB in our Malware Analysis lab. Zeus is straight-forward. It steals money by compromising their banking credentials, and stealing the money out of their bank accounts. Koobface is far more subtle. With more than 2.9 million compromised American computers, its well worth looking at closer.

UAB Computer Forensics now has three Malware Analysts looking at malware. Brian Tanner, the most senior of the crew, has been looking at Koobface on a regular basis since January, and has a good understanding of how it works. He walked me through the paces yesterday, explaining the most recent version, starting by clicking on a link posted by a "friend" we maintain on Facebook because we can always count on him to provide a link to the current malware.

Read more