Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 24 October 2011

hpHOSTS - UPDATED October 24th, 2011

The hpHOSTS Hosts file has been updated. There is now a total of 212,624 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Latest Updated: 24/10/2011 19:40
Last Verified: 23/10/2011 17:00
Download hpHosts now!

Tuesday, 18 October 2011


I received 4 spam e-mails earlier that housed 4 links pointing to zip files on 4 sites housed on (Cronon) IP space - all of the files contain trojans - more on that later.

As I normally do, I tried dropping the address listed in the net-block info an e-mail ( and, sadly, it seems they don't want to receive abuse reports;

Mail delivery to the following recipient has finally failed:
Last reason: 550 5.0.0 Mailbox unavailable/command rejected for policy reasons/no
Explanation: host [] said: message denied by policy
[M31efc90 15611 Wed, 19 Oct 2011 02:29:34 +0200 (MEST)]

Transcript of session:
... while talking to []:
>>> DATA (end of message)
<<< 550 message denied by policy [M31efc90 15611 Wed, 19 Oct 2011 02:29:34
+0200 (MEST)]

Wed 2011-10-19 01:15:06: --> RCPT To:<>
Wed 2011-10-19 01:15:07: <-- 250 2.1.5 <> Recipient ok
Wed 2011-10-19 01:15:07: --> DATA
Wed 2011-10-19 01:15:07: <-- 354 Enter data for mail with id y046e6n9IM767p
Wed 2011-10-19 01:15:07: Sending <xxxxxxxxxxxxxxxxxxxxxxxx\pd50000562659.msg> to []
Wed 2011-10-19 01:15:07: Transfer Complete
Wed 2011-10-19 01:15:07: <-- 550 5.7.1 recipients have complained about included content (B-URL)
Wed 2011-10-19 01:15:07: --> QUIT
--- End Transcript ---

And yep, I tried sending via both my Malwarebytes address and my normal address.

Until they stop rejecting abuse reports, I'd strongly recommend you put a block on their IP range.
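As an added example (not from the post or from hpHosts), a small Python parser for session transcripts in the format quoted above: it reports the stage at which the receiving server refused the message, so a recipient rejected at RCPT can be told apart from the case seen here, where the abuse mailbox accepted the recipient and then refused the body after DATA. The recipient address in the sample is a placeholder, as the original elides it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the transcript quoted in the post; the recipient
# address is a placeholder (the original elides it).
TRANSCRIPT = """Wed 2011-10-19 01:15:06: --> RCPT To:<abuse@example.invalid>
Wed 2011-10-19 01:15:07: <-- 250 2.1.5 <abuse@example.invalid> Recipient ok
Wed 2011-10-19 01:15:07: --> DATA
Wed 2011-10-19 01:15:07: <-- 354 Enter data for mail with id y046e6n9IM767p
Wed 2011-10-19 01:15:07: Transfer Complete
Wed 2011-10-19 01:15:07: <-- 550 5.7.1 recipients have complained about included content (B-URL)
Wed 2011-10-19 01:15:07: --> QUIT"""

# "--> text" is client to server, "<-- text" is the server's reply; other lines are local notes.
LINE = re.compile(r"^\S+ \S+ \S+: (?P<dir>-->|<--) (?P<text>.*)$")
# Reply code, optional RFC 3463 enhanced status code (e.g. 5.7.1), then free text.
REPLY = re.compile(r"^(?P<code>\d{3})(?: (?P<esc>\d\.\d{1,3}\.\d{1,3}))? ?(?P<msg>.*)$")

@dataclass
class Outcome:
    status: str              # "accepted", "rejected" or "incomplete"
    stage: Optional[str]     # SMTP command the server was answering (RCPT, DATA, ...)
    code: Optional[int]      # three-digit reply code
    enhanced: Optional[str]  # enhanced status code, if the server sent one
    message: str

def analyse_transcript(text: str) -> Outcome:
    """Walk the session and report where, if anywhere, the server refused the mail."""
    last_cmd = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                     # local note such as "Transfer Complete"
        if m["dir"] == "-->":
            words = m["text"].split()
            last_cmd = words[0].upper() if words else last_cmd
            continue
        r = REPLY.match(m["text"])
        code = int(r["code"]) if r else 0
        if code >= 400:                  # 4xx temporary or 5xx permanent refusal
            return Outcome("rejected", last_cmd, code, r["esc"], r["msg"])
        if last_cmd == "DATA" and code // 100 == 2:   # body accepted after end-of-data
            return Outcome("accepted", last_cmd, code, r["esc"], r["msg"])
    return Outcome("incomplete", last_cmd, None, None, "")

def rejected_for_content(outcome: Outcome) -> bool:
    """The pattern in the post: recipient accepted, then the body permanently refused after DATA."""
    return outcome.status == "rejected" and outcome.stage == "DATA" and outcome.code // 100 == 5
```

Running it over the sample yields a rejection at the DATA stage with code 550 and enhanced status 5.7.1, which is exactly the "mailbox exists but filters the report" case rather than an unknown recipient.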

The offending URLs, for those wondering;

hxxp:// -
hxxp:// -
hxxp:// -
hxxp:// -

Domains the malware contacts;

-> /stat/stat3.php
-> /dbs/0088.exe
-> /dbs/images.php
-> /dbs/logo84.php

Both of these are housed at;

IP PTR: Failed resolution
ASN: 4837 CHINA169-BACKBONE CNCGROUP China169 Backbone

IP PTR: Failed resolution
ASN: 33774 DJAWEB

ASN: 45899 VNPT-AS-VN VNPT Corp

IP PTR: Failed resolution
ASN: 4837 CHINA169-BACKBONE CNCGROUP China169 Backbone

ASN: 209 ASN-QWEST - Qwest Communications Company, LLC

-> /_private/loadera5.exe
AS: 12363 DADA-AS DADA S.p.a.

Registrars and hosts/ISPs have been notified.

Monday, 10 October 2011

Some TDL/TDSS rootkit sites to block

From my friend Conrad;

The following IPs are related to the TDL/TDSS rootkit. / appears to be a C&C server. is a Romanian host called Eurolan Solutions SRL; I've had this blocked for months with no ill effects. is Petersburg Internet Network Ltd in Russia; the whole /16 is sparsely populated and blocking that would probably do no harm. is the Latvian host RN Data SIA, and given that Latvian hosts are such a sewer, blocking the /22 is probably also a good idea.


Saturday, 8 October 2011

ALERT:, was registered through the well-known, criminal-friendly BIZCN on October 7th ( existed previously, on the same IP range) and, not surprisingly, is up to no good. The domain is presently only in German for some reason (it auto-redirects to /de-DE/, and no other language directories seem to exist).

A translation via Google, since I don't speak German, shows;

Welcome to the Microsoft activation site! This site is suitable for the activation server and Microsoft to activate copies of Windows. If you receive a message that your copy of Windows is not genuine, have received, so you need to urgently purchase an activation key and activate your copy of Windows. In the opposite case, your IP address to the police and handed over to § 126 para 3 UrhG be regarded as a violation of copyright.

The activation key you can get to the payment on this site.
You just need a paysafecard worth 100 € to buy and enter the PIN.

To continue the activation, you can also give you the identification number awarded

Quite why it's only targeting German-speaking individuals is puzzling, but I suspect it's only a matter of time before it's active in other languages (already working on a takedown of course, and I have notified MSRT).

The IP it's living at will come as no surprise either;

IP PTR: Resolution failed
ASN: 41390 RN-DATA-LV RN Data, SIA

The entire range has been, and continues to be, a haven for criminals and malicious activity, with malware and phishing present on virtually every IP. Personally, I'd strongly urge you to blackhole it if you've not already.

Wednesday, 5 October 2011

RIP Steve Jobs, and a warning to keep your eyes peeled

Apple have announced the death of Steve Jobs, former CEO of Apple.

You can bet your life that the blackhat SEO gangs will be on to this like a rash in the next few hours, so please be extra careful out there.