Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 26 May 2011

Dear bad guys ....

Seems the bad guys don't believe we actually check the sites/files we're coming across anymore, only that we look for a specific filename. I've been monitoring a couple of sites leading to trojans, and having the domains shut down. Over the past few days (since approximately the 20th), they've disabled the specific filename the malicious code points to, possibly believing we'll say "okay, it doesn't exist anymore, stop checking it".

Up until yesterday, the filename the code always pointed to was FlashPlayer.45187.exe, and indeed, as of 2 minutes ago, it still does - but loading the URL with that filename results in a 404.

If we change the number, it magically works again. For example (note: DirectI have now suspended this domain, and almost beat the record, responding to and actioning the report in ~6 minutes!):

toolsmedianet.in/FlashPlayer.4.exe

Incidentally, detection for this is still rubbish (detection for the previous incarnation is a little, but not much, better):

http://www.virustotal.com/file-scan/report.html?id=c68fae87cb4f4843dae50b032ba4cc26af0431577cbca016e435df4e20e29d93-1306459209

The MD5 for this particular file (every file has a different MD5) is 9f292e8c1c8bcb3943dfc1c8d638e1b9, and in addition to the new filename, it's got a new size too (previously 95K, now 109K).

The IP for all domains has stayed static, and is still the same as of the latest incarnation:

IP: 66.45.243.36
PTR: reverse243-34.reserver.ru
ASN: 19318 66.45.224.0/19 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC

What's curious is that the code still points to the filename that's 404'ing, yet is still being updated with the new domains. I do love a puzzle.
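The check this comes down to, as an added example rather than anything from the original post: don't take a 404 on the advertised filename as a takedown; request a handful of sibling names and record status, size and MD5 for each. The fetcher below is a constructed stand-in (it reproduces the 404-on-45187, 200-on-anything-else behaviour described above, with made-up payloads); the hostname and filename pattern are the ones from the post, and the variant numbers are arbitrary.

```python
import hashlib
import re
from collections import namedtuple

Probe = namedtuple("Probe", "url status size md5")


def fake_fetch(url):
    """Constructed stand-in for an HTTP GET, modelled on the behaviour described
    in the post: the number the dropper code still points at (45187) answers 404,
    while any other number in its place serves an executable, each one different.
    Swap in a real fetcher returning (status, body) to probe a live site."""
    m = re.search(r"/FlashPlayer\.(\d+)\.exe$", url)
    if m is None or m.group(1) == "45187":
        return 404, b""
    n = int(m.group(1))
    # Made-up content: different bytes and a different size per variant.
    return 200, b"MZ" + bytes([n % 256]) * (95_000 + 2_000 * (n % 8))


def probe_variants(template, numbers, fetch=fake_fetch):
    """Request each numeric variant of the filename and record status, size and MD5."""
    results = []
    for n in numbers:
        url = template.format(n=n)
        status, body = fetch(url)
        md5 = hashlib.md5(body).hexdigest() if status == 200 else None
        results.append(Probe(url, status, len(body), md5))
    return results


def still_serving(results):
    """A 404 on the advertised name proves nothing if any sibling name still serves."""
    return any(r.status == 200 for r in results)


def distinct_payloads(results):
    """Count distinct hashes among successful fetches; one hash per file means
    hash-based blocklisting alone will not keep up with the campaign."""
    return len({r.md5 for r in results if r.status == 200})


if __name__ == "__main__":
    template = "http://toolsmedianet.in/FlashPlayer.{n}.exe"
    for p in probe_variants(template, [45187, 4, 7]):
        print(p.status, p.size, p.md5, p.url)
```

Run against the real host it would have shown the advertised name as 404 and the other two as live, differently-hashed binaries, which is exactly the situation the post describes.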

Info: Notification of downtime

Just an FYI folks. To allow my ISP to identify a fault on the line, I've got to take the entire network offline for an hour. This will obviously mean all servers will be unavailable.

The network will be taken offline this evening at 19:00 GMT London, and will be back at 20:00 GMT London.

Sites affected:

*.mysteryfcm.co.uk
*.fspamlist.com
helenbenoist.co.uk
bughunter.it-mate.co.uk
pbone.it-mate.co.uk
hollmen.it-mate.co.uk
forum.abelhadigital.com

Obviously, the mail server will be offline during this time (used by sites such as sGB, hpHosts).

Wednesday 25 May 2011

hpHosts - Updated 25th May 2011

The hpHOSTS Hosts file has been updated. There is now a total of 149,988 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 25/05/2011 15:30
  2. Last Verified: 25/05/2011 01:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Tuesday 24 May 2011

Facebook Wants Your Pre-Teen

My other half, though in her 20s, is also part of the "share it all" and "it'll never happen to me" generation, despite being as paranoid and insecure as heck about everything (though generally only paranoid about what her friends think, what I think etc., rather than things that actually matter). Drives me up the wall, especially given she should be mature enough to know better.

Kids are already being brought up to "share it all" and "it'll never happen to me", and have been since I was a child. However, with the introduction of the "internet to the world", more and more reliance on technology for everything from education to the simple act of talking to friends, and a major lack of education and monitoring by the parents (who alas are even worse than the kids they're meant to be looking after and raising to be responsible), things are only going to get worse - especially if companies such as Facebook and Google et al. have their way.

Anyway, enough of my rambling.

If you look at the terms of service for many websites you’ll find they claim users under 13 are not allowed. This is required to protect themselves against COPPA (Child Online Privacy Protection Act). Even the search engine Ask.com notes “you may not register for the Community feature or create a user profile if you are under 13.” At the same time they market various products towards kids including Zwinky and Smiley Central using an invasive toolbar.

Facebook CEO Mark Zuckerberg is now recommending removing the under-13 restrictions. Mark’s main reason is education. I have no doubt the first lesson kids will learn is how easy it is to give away your personal information and get scammed. Then again, they might think it’s normal for Facebook to post messages to all their friends without their approval.

I haven’t talked to many people who think Facebook should be open to children under 13. That includes all the parents who already allow their pre-teens to have a Facebook account. Their response is always how they supervise what their kids are doing online, so it’s ok. If you think it’s ok for kids under 13 to create a Facebook profile or your pre-teen already has an account, click comments below and share your opinion.


http://billpstudios.blogspot.com/2011/05/facebook-wants-your-pre-teen.html

BT spying on customers

Oh dear, this isn't going to end well (especially given they were involved in the Phorm debacle too):

BT reserves, and makes use of, the right to remotely detect all devices connected to LANs owned by its broadband customers – for their own good, of course.

BT Broadband customers can expect to have their network checked any time the operator feels it needs to take a peek to help it provide the service, or when the safety of the customer is in doubt – the latter being the motivation behind the only instance where we know the capability has been used.

That happened last week, when some BT Broadband customers received letters about the kit they had plugged into their networks.


Read more
http://www.theregister.co.uk/2011/05/24/bt_snooping/

Sunday 22 May 2011

WARNING: Telephony scams still ongoing

As if you needed telling, but sadly, to state the obvious, the scammers traced back to India are still very much involved in defrauding unsuspecting victims, and are now apparently going one step further by infecting their machines to boot.

In previous iterations of this scam the person on the phone would get you to click through to the event viewer to "find something red". Strangely enough there is usually something red in most people's event log. However, do not despair if you don't have anything red, yellow is just as bad. Once the problem (well, any problem) was identified your support would have expired and they redirect you to a web site where you can part with your money and download some version of malware.

The new iteration of the scam goes one step further. Rather than get the victim to look, they get you to install TeamViewer (although no doubt other similar tools are likely used). They take control of your machine and start moving the files across. Manually infecting, sorry fixing, your machine. In this particular instance they noticed they were in a VM and promptly started removing the files they had moved, before the link was dropped and the phone call terminated.

The scam is obviously still working. It seems they have figured out that users can't be trusted to click a link, but installing remote control software and getting you to install the malware for them is ok.


Microsoft Support Scam (again)
http://isc.sans.org/diary.html?storyid=10912

References

Info: Telephone scammers still coming to a phone near you!
http://hphosts.blogspot.com/2011/03/info-telephone-scammers-still-coming-to.html

Support Scams: Even More Personal
http://blog.eset.com/2010/12/16/support-scams-even-more-personal

Fake Support: the War Drags On
http://blog.eset.com/2010/11/18/fake-support-the-war-drags-on

Marketing Misusing ESET’s Name
http://blog.eset.com/2010/06/23/marketing-misusing-esets-name

techonsupport.com, click4rescue.com, pcrescueworld.com: SupportOnClick revisited
http://hphosts.blogspot.com/2009/12/techonsupportcom-click4rescuecom.html

SupportOnClick: Phoned by Malwarebytes? BigPond? Anyone else?

http://hphosts.blogspot.com/2009/07/supportonclick-phoned-by-malwarebytes.html

SupportOnClick Update
http://hphosts.blogspot.com/2009/04/supportonclick-update.html

supportonclick.com scamming you by telephone!
http://hphosts.blogspot.com/2009/03/supportonclickcom-scamming-you-by.html

Fake tech support call scam - prefetch virus logmein123.com
http://www.digitaltoast.co.uk/fake-tech-support-call-scam-prefetch-virus-logmein123com

New scam - They call you by phone!
http://www.malwarebytes.org/forums/index.php?showtopic=11156

Staffordshire Council - Telephone computer support warning (PDF)
http://www.staffordshire.gov.uk/NR/rdonlyres/6997DBB0-E31E-4AFB-A886-C9DDEE114204/90090/TelephoneComputerSupportWarning.pdf

Cold call scam warns of virus infection
http://www.h-online.com/security/Cold-call-scam-warns-of-virus-infection--/news/112893

Scareware scammers adopt cold call tactics
http://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam

WARNING: Fake VirusTotal site serving trojan and fake AV


My friend and co-admin at MalwareDomainList just alerted me to a site impersonating VirusTotal, for the purposes (surprise surprise) of infecting unwitting victims with both a fake AV and a trojan.

I've sent an e-mail to my friend Ross at Dot.tk to have the .tk domain taken out, and will be getting in touch with the host and registrar for the site it's pointing to, but in the meantime, you can read the details on this over at the MDL forums:

http://www.malwaredomainlist.com/forums/index.php?topic=4572.msg21343#msg21343

URLs/domains you'll want to add to your blacklist:

new-virustotal.tk
readman.pf-control.de/java/
readman.pf-control.de/java/signedapplet.jar
readman.pf-control.de/java/bot.exe
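For anyone feeding this list into a hosts file, an added example (not part of the original post or of hpHosts' own tooling): a hosts file blocks by hostname only, so the three readman.pf-control.de URLs collapse to a single line and their paths are lost. The function below reports which entries that happened to, and refuses bare IP literals, which a hosts file cannot block either. The 127.0.0.1 prefix follows the hpHosts convention; the entries in the test are the four from the post.

```python
import re
from urllib.parse import urlsplit

HOSTS_PREFIX = "127.0.0.1"   # loopback form, as used by hpHosts


def hostname_of(entry):
    """Return (hostname, had_path) for a blacklist entry that may be a bare
    domain, a domain with a path, or a full URL. Returns (None, False) for
    blank lines, comments, IP literals and anything that is not a hostname."""
    e = entry.strip()
    if not e or e.startswith("#"):
        return None, False
    # urlsplit only treats the first component as a host when a scheme is present.
    if "://" not in e:
        e = "http://" + e
    parts = urlsplit(e)
    host = (parts.hostname or "").lower().rstrip(".")
    if not re.fullmatch(r"[a-z0-9.-]+", host) or "." not in host:
        return None, False
    if re.fullmatch(r"[\d.]+", host):          # an IP literal; hosts files cannot block these
        return None, False
    had_path = parts.path not in ("", "/") or bool(parts.query)
    return host, had_path


def to_hosts_lines(entries):
    """Collapse URLs/domains to unique hostnames and emit hosts-file lines.

    Returns (lines, path_only): path_only lists the entries whose path part is
    lost in the conversion, so the reader knows the whole host is now blocked."""
    hosts, path_only = [], []
    for entry in entries:
        host, had_path = hostname_of(entry)
        if host is None:
            continue
        if had_path:
            path_only.append(entry.strip())
        if host not in hosts:
            hosts.append(host)
    return [f"{HOSTS_PREFIX} {h}" for h in hosts], path_only


if __name__ == "__main__":
    lines, lost = to_hosts_lines([
        "new-virustotal.tk",
        "readman.pf-control.de/java/",
        "readman.pf-control.de/java/signedapplet.jar",
        "readman.pf-control.de/java/bot.exe",
    ])
    print("\n".join(lines))
    print("# path information dropped for:", *lost)
```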

Details:

Hostname: readman.pf-control.de
IP: 188.40.236.16
PTR: pf-control.de
ASN: 24940 188.40.0.0/16 HETZNER-AS Hetzner Online AG RZ

Hostname: new-virustotal.tk
IP: 93.170.52.30, 93.170.52.20
PTR: No PTR available
ASN: 44557 93.170.52.0/24 DRAGONARA Dragonara Alliance Ltd

Update: 21:17 22-05-2011

I'm pleased to report that DomainFactory, the registrar for pf-control.de, have now suspended the domain.

Update: 15:01 23-05-2011

Better late than never, but dot.tk have now suspended new-virustotal.tk.

Thursday 12 May 2011

RIP: Zango/Pinball Publisher Corp

Oh I do love good news in the morning. Zango/Pinball need no introduction; everyone is aware of their ongoing shenanigans over the years, and it looks like they're down for the count for now. Or at least, business filings say they are (we all know Zango tried the same hide-and-seek method, and left a trail that led to the switch to Pinball Corp being discovered relatively quickly).

I've said it before, and I'll say it again, Zango/Pinball, whatever they want to call themselves, will be back in one guise or another. There's simply too much money in it for them not to.

For now however, grab yourself a fresh coffee, pull up a pew, and have a little smile!

Pinball Corporation is a company that bought the remnants of Zango, a company that had a reputation for pushing slimeware. Last year I pointed out a case where Pinball Corp were clearly not keeping an eye on the actions of their affiliates, and other people have been critical of them too.

Well, there's potentially some good news.. because according to the Washington State Corporations Division, Pinball Corp became inactive on the 2nd May 2011.


Read the full details on my friend Conrad's blog.

http://blog.dynamoo.com/2011/05/pinball-corporation-rip.html

References

Pinball Publisher Corp: Hotbar.com deceptive installation.. again
http://blog.dynamoo.com/2010/07/hotbarcom-deceptive-installation-again.html

Pinball Publisher Network: Yet more blackhat SEO goodness
http://hphosts.blogspot.com/2010/03/pinball-publisher-network-yet-more.html

Pinball Publisher Network: The ghost of Zango toolbar has a Facebook fan page
http://sunbeltblog.blogspot.com/2010/01/ghost-of-zango-toolbar-has-facebook-fan.html

Google + Blackhat SEO + "Teen Porn" = SeekMo
http://hphosts.blogspot.com/2009/12/google-blackhat-seo-teen-porn-seekmo.html

Thursday 5 May 2011

AS43134: CompLife Ltd + DonServers = HOSTSERV (AS42741) = bulletproof hosting for criminals

Ever wonder why some hosting companies try to send you on a "we're waiting, it's resolved, really we're just the innocent victims here, please be patient" game that results in you getting frustrated and the criminals staying online even longer?

Well, the answer is companies (and I use the term loosely in this case) such as Don Servers, which is actually the same "company" as CompLife Ltd (AS43134), who are the same entity as HOSTSERV (AS42741). HOSTSERV, for those that don't know, are also known as "ALEXANDRU-NET-TM-AS S.C. ALEXANDRU NET TM S.R.L.".

We've known for quite some time that CompLife Ltd are 100% criminal, but thanks to their being rather brazen (and very stupid, I might add), they've allowed a simple e-mail address to tie the two of them together:

godaccs@gmail.com

This chap is a regular visitor to the equally criminal forum GoFuckBiz (Ref: DonServers profile), using the usernames "Support_DonServers" and "DonChicho" (fans of "The Godfather", I'm guessing). DonServers, in case you're wondering, are using both don.sh and donservers.ru. Both are hosted at 208.76.54.75, AS47869 Netrouting Inc. (awww, their own hosting too expensive?)

You'll also have noticed (Ref: Fake AVs back to using Instra) that this is the e-mail address in the WHOIS records for HOSTSERV (who incidentally own the IP range CompLife/DonServers happen to be using (I know, I know, no surprise there)).

inetnum: 46.161.20.0 - 46.161.23.255
netname: HOSTSERV-NET
descr: net for hostserv
country: RU
admin-c: BEV38-RIPE
tech-c: BEV38-RIPE
remarks: Abuse e-mail: godaccs@gmail.com
status: ASSIGNED PA
mnt-by: MNT-PIN
mnt-routes: MNT-PIN
mnt-routes: MNT-COMPLIFE
mnt-routes: ALEXANDRU-NET-TM-MNT
mnt-domains: MNT-COMPLIFE
mnt-lower: MNT-COMPLIFE
source: RIPE # Filtered

person: Banu Efim Vasilyevich
address: Naberegnie chelni, tukaevskii raion, pr. Suumbike 84 kv. 109
phone: +37360065663
nic-hdl: BEV38-RIPE
mnt-by: MNT-PIN
source: RIPE # Filtered

route: 46.161.20.0/24
descr: Complife Ltd.
origin: AS43134
mnt-by: MNT-COMPLIFE
source: RIPE # Filtered

route: 46.161.20.0/22
descr: HOSTSERV-NET
origin: AS42741
mnt-by: ALEXANDRU-NET-TM-MNT
source: RIPE # Filtered


So HostSERV = CompLife Ltd = DonServers, and collectively = AS42741 and AS43134 (wonder how many others they have???).

So what do this chap's customers get? Well, according to one of his "private" websites, a choice of server depending on the type of content that's going to be there, as shown by this lovely little screenshot (just in case the site goes AWOL):

Yep, you noticed that too. Your choices are;

1. Malware
2. Adware
3. Botnets
4. Spam Inc
5. Fakes
6. Web spam

Now the question becomes why their upstreams (AS6939 HURRICANE - Hurricane Electric, Inc. and AS5577 ROOT root SA) are doing absolutely nothing to get this criminal ASN taken offline, given they're the only two providing connectivity for them.

We already know why Root SA (aka Root eSolutions) aren't doing anything, but Hurricane Electric - what's your excuse?

I'm also curious as to how InterXion are going to take the news that these chaps are bragging about using their datacenter for their "bulletproof" hosting?


References

Fake AVs: Back to using Instra Corporation Pty Ltd...
http://hphosts.blogspot.com/2011/05/fake-avs-back-to-using-intra.html

Tucows + Fake AV + new (but old) /24
http://hphosts.blogspot.com/2011/04/tucows-fake-av-new-but-old-24.html

hpHosts - Updated May 2011

The hpHOSTS Hosts file has been updated. There is now a total of 124,448 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 05/05/2011 17:00
  2. Last Verified: 05/05/2011 06:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday 4 May 2011

Microsoft SysInternals update

Hat tip to the guys at the ISC for the heads up (I've got the Microsoft RSS feed in my reader but didn't notice this one).

We have received notification that Sysinternals has had some updates. One in particular that is a favorite among handlers is Process Explorer. It now includes:

Process Explorer v14.11 includes the ability to configure network and disk activity icons in the tray.

Check out the Sysinternals web site for more details @

http://technet.microsoft.com/en-us/sysinternals/default.aspx

As you can see below, you now have the option of enabling Network and Disk Activity in the system tray.

Read more
http://isc.sans.edu/diary.html?storyid=10825

Microsoft SysInternals
technet.microsoft.com/en-us/sysinternals/default.aspx

Fake AVs: Back to using Instra Corporation Pty Ltd

Seems the fake AV gang responsible for these campaigns have gone from Tucows back to Instra Corp again. This lot were first created March 24th, and are now being used yet again:

againstvirysscanxp.com
antisixrysscan.com
antisixrysscanxp.com
antivirysprotests.com
antivirysscan.com
antivirysscanonline.com
antivirysscanxp.com
antivirysscanxponline.com
antiviryssee.com
antivirysseexp.com
egyptvirysscan.com
enscanantivirys.com
envirysscanxp.com
enxpscanantivirys.com
myantivirysscan.com
myantivirysscanxp.com
myxpscanantivirys.com
protestsvirysscan.com
senatescanantivirys.com
senatevirysscanxp.com
theantivirysscan.com
theantivirysscanxp.com
thexpscanantivirys.com
webantivirysscan.com
webantivirysscanxp.com
xpscanagainstvirys.com
xpscanantisixrys.com
xpscanantiviren.com
xpscanantivirys.com
xpscanantivirysonline.com

Some are currently resolving to 199.58.187.48 (Instra Corp netblock), and others to a well-known crimeware-friendly AS, HOSTSERV (AS42741), leased to CompLife Ltd (a known criminal host).

inetnum: 46.161.20.0 - 46.161.23.255
netname: HOSTSERV-NET
descr: net for hostserv
country: RU
admin-c: BEV38-RIPE
tech-c: BEV38-RIPE
remarks: Abuse e-mail: godaccs@gmail.com
status: ASSIGNED PA
mnt-by: MNT-PIN
mnt-routes: MNT-PIN
mnt-routes: MNT-COMPLIFE
mnt-routes: ALEXANDRU-NET-TM-MNT
mnt-domains: MNT-COMPLIFE
mnt-lower: MNT-COMPLIFE
source: RIPE # Filtered

person: Banu Efim Vasilyevich
address: Naberegnie chelni, tukaevskii raion, pr. Suumbike 84 kv. 109
phone: +37360065663
nic-hdl: BEV38-RIPE
mnt-by: MNT-PIN
source: RIPE # Filtered

route: 46.161.20.0/24
descr: Complife Ltd.
origin: AS43134
mnt-by: MNT-COMPLIFE
source: RIPE # Filtered

route: 46.161.20.0/22
descr: HOSTSERV-NET
origin: AS42741
mnt-by: ALEXANDRU-NET-TM-MNT
source: RIPE # Filtered
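Pulling the linkage out of the RIPE objects mechanically, as an added example that is not the blog's own tooling: the whois output quoted above, and in the CompLife/DonServers post of 5 May, is embedded below (person address and phone omitted, a few inetnum attributes trimmed), parsed as RPSL objects, and reduced to the things the two posts pivot on: the origin ASNs of the route objects, every maintainer named, the abuse address in the remarks, and the assigned range as a CIDR block so that an address one of the fake AV domains resolves to can be tested against it. The function names and report layout are my own.

```python
import ipaddress
import re

# The RIPE objects quoted in the post, embedded so the example runs offline.
WHOIS = """\
inetnum: 46.161.20.0 - 46.161.23.255
netname: HOSTSERV-NET
descr: net for hostserv
admin-c: BEV38-RIPE
tech-c: BEV38-RIPE
remarks: Abuse e-mail: godaccs@gmail.com
mnt-by: MNT-PIN
mnt-routes: MNT-PIN
mnt-routes: MNT-COMPLIFE
mnt-routes: ALEXANDRU-NET-TM-MNT
mnt-domains: MNT-COMPLIFE
mnt-lower: MNT-COMPLIFE
source: RIPE # Filtered

person: Banu Efim Vasilyevich
nic-hdl: BEV38-RIPE
mnt-by: MNT-PIN
source: RIPE # Filtered

route: 46.161.20.0/24
descr: Complife Ltd.
origin: AS43134
mnt-by: MNT-COMPLIFE
source: RIPE # Filtered

route: 46.161.20.0/22
descr: HOSTSERV-NET
origin: AS42741
mnt-by: ALEXANDRU-NET-TM-MNT
source: RIPE # Filtered
"""

MNT_KEYS = ("mnt-by", "mnt-routes", "mnt-lower", "mnt-domains")


def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value) pairs.
    Objects are separated by blank lines, attributes may repeat (mnt-routes does
    above), and a trailing '# comment' on a value is dropped."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith("%"):           # RIPE server comment lines
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.split("#", 1)[0].strip()))
    if current:
        objects.append(current)
    return objects


def values(obj, key):
    return [v for k, v in obj if k == key]


def link_objects(text):
    """Collect the attributes that tie the objects together."""
    report = {"origins": set(), "maintainers": set(), "abuse": set(),
              "networks": [], "routes": []}
    for obj in parse_rpsl(text):
        kind = obj[0][0]                   # the first attribute names the object class
        for key in MNT_KEYS:
            report["maintainers"].update(values(obj, key))
        if kind == "inetnum":
            lo, _, hi = values(obj, "inetnum")[0].partition("-")
            report["networks"] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
            for remark in values(obj, "remarks"):
                report["abuse"].update(re.findall(r"[\w.+-]+@[\w.-]+\.\w+", remark))
        elif kind == "route":
            report["origins"].update(values(obj, "origin"))
            report["routes"].append(ipaddress.ip_network(values(obj, "route")[0]))
    return report


def covers(report, ip):
    """True if the assigned range contains this address (e.g. a fake AV domain's A record)."""
    return any(ipaddress.ip_address(ip) in net for net in report["networks"])


def routes_inside_inetnum(report):
    """True if every route object sits inside the assigned range, as both do here."""
    return all(any(r.subnet_of(n) for n in report["networks"]) for r in report["routes"])
```

The point of the `routes` check is the one the 5 May post makes: two route objects for the same space, one a /24 originated by AS43134 and one a /22 originated by AS42741, both under maintainers that also appear on the inetnum, with a single gmail address as the abuse contact for the lot.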