Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 31 December 2013

Happy New Year!

Hope you all have a great new year folks!

Monday, 30 December 2013

Dear Australia ....

Sorry folks, been a fan of Adams, since I first saw him on Mock the Week. Just finished watching Adam Hills new DVD (Happyism) and - Britian is hijacking him - you can't have him anymore! (I'll swap you Jimmy Carr!)

Sunday, 29 December 2013

vURL Online updates, hpHosts status

First and foremost, with reference to the ongoing hpHosts site issues - Amazon are still blocking the server doing outgoing DNS queries for whatever reason (Malwarebytes IT guys are querying why with the Amazon guys as it's never been an issue previously (it's not blocked on the server itself - we checked (several times))).

As soon as this is resolved (one way or another), I'll update you.

vURL users will be pleased to know, there's now a few more UA's you can choose from (the missing IE10 and 11 for example), including quite a few "mobile" user agents (Chromium, Android, iPad, Windows Phone 7.x, 8.x etc). Please let me know if you notice any problems.

Thursday, 26 December 2013

Info: hpHosts site issues

Just a note for those wondering, the hpHosts site is having major issues due to Amazon messing up. First the DB server decided to throw a wobbly - no idea why, they've not said, but as you've likely have guessed - no domain is able to be resolved, which points to Amazon's blocking DNS queries from the server (it's not blocked on the server itself).

Hoping they'll pull their finger out and get it sorted, but apologies for the inconvenience in the meantime folks.

Wednesday, 18 December 2013

Updated: Outlook Export

Updated Outlook Export for those using it. Nothing major, just a bug fix.

Fixed: Exporting multiple files with the same filename resulted in file being over-written
Added: Batch file for manually registering OCX and DLL files

Download: http://support.it-mate.co.uk/?mode=Products&act=DL&p=outlookexport

Tuesday, 17 December 2013

netdirekt.com.tr: OI, Stop filtering your abuse address!

I sometimes get complaints from site owners, hosting co's, claiming they've never received an abuse report, and invariably, the problem is due to their contact address filtering using SURBL, SpamHaus etc etc. These are normally something I recommend, but in the case of ASNs, hosting companies and registrars, or indeed, any site/service/company that provides facilities for others to use their services etc, they should NEVER be filtering their bleedin abuse address - it defeats the object of their having an abuse address (and no - it doesn't make the blindest bit of difference if the report is sent with the offending content in an attached file, body of the email or whether the content is "as is" or "defanged" (in the case of URLs)).

The latest idiotic hosting company doing this, is Netdirekt.com.tr, whose mail server rejected an abuse report a few minutes ago, due to their using the SURBL and SpamHaus blacklists;

Tue 2013-12-17 10:39:01: --> RCPT To:<abuse@netdirekt.com.tr>
Tue 2013-12-17 10:39:02: <-- 250 2.1.5 abuse@netdirekt.com.tr Address Okay
Tue 2013-12-17 10:39:02: --> DATA
Tue 2013-12-17 10:39:02: <-- 354 Start mail input; end with <CRLF>.<CRLF>
Tue 2013-12-17 10:39:02: Sending <xxxxxxxxxxxxxxxxxxxxxxxx\pd50002750106.msg> to [77.223.134.94]
Tue 2013-12-17 10:39:02: Transfer Complete
Tue 2013-12-17 10:39:03: <-- 521 A URL in the email is Blacklisted by SURBL: multi.surbl.org. locked, pendikgidatarim.gov.tr on lists [mw], See: http://www.surbl.org/lists.html
Tue 2013-12-17 10:39:03: --> QUIT


Tue 2013-12-17 10:38:35: --> RCPT To:<abuse@netdirekt.com.tr>
Tue 2013-12-17 10:38:37: <-- 250 2.1.5 abuse@netdirekt.com.tr Address Okay
Tue 2013-12-17 10:38:37: --> DATA
Tue 2013-12-17 10:38:37: <-- 354 Start mail input; end with <CRLF>.<CRLF>
Tue 2013-12-17 10:38:37: Sending <xxxxxxxxxxxxxxxxxxxxxxxx\pd50002750098.msg> to [77.223.134.94]
Tue 2013-12-17 10:38:37: Transfer Complete
Tue 2013-12-17 10:38:38: <-- 521 A URL (www.kartaltarim.gov.tr) in the email resolved to a blacklisted IP: 521 The IP 77.245.149.33 is Blacklisted by zen.spamhaus.org. ttp://www.spamhaus.org/sbl/query/SBL141934 -- -- .

Tuesday, 19 November 2013

Alert: Somoto, AdworkMedia, Topfiles.me

Here yet again, we have more misleading badness from Somoto, via Adworkmedia and courtesy of Topfiles.me (one of a number of pathetic "download sites" that actually aren't ....).


The URLs;

hxxp://topfiles.me/hVVXLBYLJM
hxxp://topfiles.me/offer_set.php?file=115113&o=2912&u=6765
hxxp://www.adworkmedia.com/go.php?camp=4338&pub=4071&sid=212.56.95.253_115113_6765_4
hxxps://www.adworkmedia.com/go.php?camp=4338&pub=4071&sid=212.56.95.253_115113_6765_4&refT=http%3A%2F%2Ftopfiles.me%2Foffer_set.php%3Ffile%3D115113%26o%3D1187%26u%3D6765
hxxps://www.adworkmedia.com/stream.php?stream=aHR0cDovL3d3dy5kb3dueHNvZnQuY29tL25scC9lL2Fkd29ya21lZGlhL2ZyZWVfbWVkaWFfcGxheWVyP3AxPTEmdXRtX3NvdXJjZT1hZHdvcmttZWRpYSZ1dG1fbWVkaXVtPWFmZmlsaWF0ZSZ1dG1fY2FtcGFpZ249MSZ1dG1fY29udGVudD1mcmVlX21lZGlhX3BsYXllciZwMz0xOTc5NzUzNzAtNDA3MQ==
hxxp://www.downxsoft.com/nlp/e/adworkmedia/free_media_player?p1=1&utm_source=adworkmedia&utm_medium=affiliate&utm_campaign=1&utm_content=free_media_player&p3=197957679-4071
hxxp://download.softiglu.com/nlp/h/adworkmedia/flvplayer/dl?p1=1&p3=197957679-4071&datetime=20131119_2211&utm_source=adworkmedia&utm_medium=affiliate&utm_campaign=1&translate=en&tracking_percent=23.13&software_name=Video+Player&download_country=UK×tamp=1384899108

Oh and as for the media player it claims you're getting, what you actually get is a machine filled with adware.

I was also pointed in the direction of the following, which is yet another company involved in the peddling of this rubbish - Finedream Invest Ltd;

hxxp://www.freefilesdownloader.com
hxxp://www.freefilesdownloader.com/fetch//MS0yMDAwMC0xMzg0ODk5Nzk0LTkwMTY2MmZlODdiNDMzMzYyYjllZTU0ZGZjMzAzNmFh
hxxp://www.freefilesdownloader.com/getoxy/Downloader__2000001.exe?st=zzFRuN8tfNvOlwpKRFO-VQ&e=1384986196&fileid=901662fe87b433362b9ee54dfc3036aa


Finedream Invest Ltd claim to be at;

11 Rosemont Road
Hampstead
London
NW3 6NG

Well sorry folks, but nope - they're not;

https://maps.google.co.uk/maps?q=11+Rosemont+Road+nw3+6ng&hl=en&ll=51.549348,-0.182758&spn=0.000462,0.001321&sll=51.549259,-0.182792&hnear=11+Rosemont+Rd,+London+NW3+6NG,+United+Kingdom&t=h&z=20&iwloc=A

That address belongs to "AMR Specialist Recruitment Consultants", meaning it's likely they're using a "virtual presence" in the UK.

Sunday, 17 November 2013

hpHosts: Updated 17-11-2013

The hpHOSTS Hosts file has been updated. There is now a total of 343,717 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 17/11/2013 09:00
  2. Last Verified: 14/11/2013 00:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday, 13 November 2013

ALERT: oxits.co.uk fraud playing on Cryptolocker

/edit 26-11-2013 22:14

I've now seen the confirmation showing they have permission to reproduce the article, so am retracting the fraud claim against oxits.co.uk. The only outstanding issue is their spamming me.


Woke up to find this in my inbox earlier.

CANNOT SEE THIS EMAIL? VIEW IT IN YOUR BROWSER <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=e281ad95d1&e=226e5ef18b>

logo <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=e5016474da&e=226e5ef18b>

OXITS telephone<http://oxits.co.uk/cryptolocker/img/tel.png>

<http://oxits.co.uk/cryptolocker/img/top-rounded-bg.png>

large image <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=1b9d967fad&e=226e5ef18b>

CryptoLocker - You’re infected – if you want to see your data again, pay!

Don’t ignore this email!

Despite the pictures we have used, this is not a joke or a scam. It will take 2 minutes of your precious life but it will save your business, thousands of pounds and many days of work, stress and frustration! No, we are not selling anything. We, at Oxford IT Support are firm believers that knowledge comes free.

<http://oxits.co.uk/cryptolocker/img/bottom-rounded-bg.png>

logo <http://oxits.us3.list-manage2.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=6771391daa&e=226e5ef18b>

What type of threat is this?

There’s a big threat wiling around on the Internet right now: A particularly nasty piece of ransomware called Cryptolocker. Many, many organisations and home users are being infected with this malware every minute, everyday and sadly there is no way to avoid it and no solution to date to repair the damage once you’ve been infected.

logo <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=919dfde175&e=226e5ef18b>

What is Cryptolocker then and why is this new virus so destructive?

Instead of us filling up pages on this e-mail, detailing the technicalities, we advise you perform a quick search on Google in regard to this virus called Cryptolocker. We have collected a few links for your convenience just in case, safe and checked by us in advance: Sophos <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=b687feada2&e=226e5ef18b> , Arstechnica <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=37aa4da003&e=226e5ef18b> . Even better, watch a short movie where experts are dissecting this virus on Youtube <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=23fe02601c&e=226e5ef18b> or even check it on Wikipedia <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=781bc15ab8&e=226e5ef18b> .

logo <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=0aa6d55034&e=226e5ef18b>

Got it? The final truth is that nobody will ever be able to retrieve their files.

NOTHING, NEVER AND NOBODY will ever be able to restore the files and photos once encrypted. Sad isn’t it? Time to close your business and go home. All of you. For good. Or time to explain your wife that the wedding pictures are all gone. Forever. Get married again? That is a possibility but for sure not with the same person.

logo <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=cbf91d44fc&e=226e5ef18b>

Then what’s to be done? Well…thanks God, there is a way to prevent it.

Oh, now that you are well aware of Cryptolocker, would you like to hear something about Operation Hangover? Hm…Google is your best friend. Time to do your homework! If anything, do not hesitate to email us back or even give us a call, we are always here to help. Remember, PREVENTION is paramount nowadays.

logo <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=01dbe6355f&e=226e5ef18b>

WWW.OXITS.CO.UK <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=ac8ddd66be&e=226e5ef18b> <http://oxits.co.uk/cryptolocker/img/vertical-line.png> CONTACT@OXITS.CO.UK

facebook <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=40d98c6f00&e=226e5ef18b> twitter <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=44a6122790&e=226e5ef18b> google <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=62e9c25c8e&e=226e5ef18b> mail <http://oxits.us3.list-manage2.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=a768c3b60d&e=226e5ef18b>

This is not a promotional e-mail, but an informative one. You have received this email thanks to your previous subscription to OXITS or one of its affiliates. If you no longer wish to receive informative emails CLICK HERE <http://oxits.us3.list-manage1.com/unsubscribe?u=b08f1294d8ec1f780d8fa8b4d&id=aec182f76c&e=226e5ef18b&c=f321a09f94>

Email Marketing Powered by MailChimp <http://www.mailchimp.com/monkey-rewards/?utm_source=freemium_newsletter&utm_medium=email&utm_campaign=monkey_rewards&aid=b08f1294d8ec1f780d8fa8b4d&afl=1>

COPYRIGHT © 2013 OXITS - OXFORD IT SUPPORT.


As you've no doubt noticed, I use plain text email, and they obviously don't allow for that, instead relying on suckering in those using HTML email (STOP IT ALREADY PEOPLE!!!). The HTML or original, is;



PDF here: http://temp.it-mate.co.uk/oxits.co.uk_spam.pdf

Email headers:
Return-Path: <bounce-mc.us3_23160935.221577-services=it-mate.co.uk@mail67.atl11.rsgsv.net>
Delivered-To: <[REMOVED]>
Received: from controller1.emailconfig.com ([109.68.33.144])
    by mailserver2.emailconfig.com (Dovecot) with LMTP id xd1rB0EHg1JIHwAAZ1oeBA
    for <[REMOVED]>; Wed, 13 Nov 2013 14:42:47 +0000
Received: from mailserver1.emailconfig.com ([109.68.33.146])
    by controller1.emailconfig.com (Dovecot) with LMTP id 4FG3MbV+g1JZewAAiShP7w
    ; Wed, 13 Nov 2013 14:42:47 +0000
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-9999 required=1.3
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001,
    MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    URIBL_BLOCKED=0.001] autolearn=ham
Authentication-Results: mailserver1.emailconfig.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=mail67.atl11.rsgsv.net;
    domainkeys=pass (1024-bit key)
    header.sender=newsletter=oxits.co.uk@mail67.atl11.rsgsv.net
    header.d=mail67.atl11.rsgsv.net
Received: from mail67.atl11.rsgsv.net (mail67.atl11.rsgsv.net [205.201.133.67])
    by mailserver1.emailconfig.com (Postfix) with ESMTP id 805FB3409E4
    for <[REMOVED]>; Wed, 13 Nov 2013 14:42:45 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail67.atl11.rsgsv.net;
h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=newsletter=3Doxits.co.uk@mail67.atl11.rsgsv.net;
bh=46xG+FtiNLCYuFOXZyzPqFxJ5tY=;
b=0UOGwoeoekWSU0IOfSGWlm88vv59z79BsSqwOn3oJsSZoSwGFXzYA3JHoDCvTFt0Wda3r7qj08WS
    BW0XFvtltmh3hJTTqWc1ABWvoIRhX2TnBWSiYyfoBCejeXmH2+nHez7+/J0+Z2D9pfFWGeUIFWJa
    6l8rrhlzU1q0sXQAfOk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail67.atl11.rsgsv.net;
b=QKdmkgKzw/zNy+FujeqEoCw/hmphbpQYNCq7w23DAWaKspO+TjVt54WX20vUWWnu0glvKWf6ibG8
    UdfjiMnlq0ZFhfNOqrlSvIj/R2CIEYWObRSHVIBwLVXo1FPUn5WNN4bOUFjosKCTfoqKqYnAjgN3
    tO1AGQJGTlBIfZ5eFHU=;
Received: from (127.0.0.1) by mail67.atl11.rsgsv.net id hge7ua1lgi0a for <[REMOVED]>; Wed, 13 Nov 2013 14:42:43 +0000 (envelope-from <bounce-mc.us3_23160935.221577-services=it-mate.co.uk@mail67.atl11.rsgsv.net>)
Subject: =?utf-8?Q?We=20have=20your=20data?=
From: =?utf-8?Q?Oxford=20IT=20Support?= <newsletter@oxits.co.uk>
Reply-To: =?utf-8?Q?Oxford=20IT=20Support?= <newsletter@oxits.co.uk>
To: =?utf-8?Q?Dear=2C=20Sir=2FMadame?= <[REMOVED]>
Date: Wed, 13 Nov 2013 14:42:43 +0000
Message-ID: <b08f1294d8ec1f780d8fa8b4d226e5ef18b.20131113144233@mail67.atl11.rsgsv.net>
X-Mailer: MailChimp Mailer - **CIDf321a09f94226e5ef18b**
X-Campaign: mailchimpb08f1294d8ec1f780d8fa8b4d.f321a09f94
X-campaignid: mailchimpb08f1294d8ec1f780d8fa8b4d.f321a09f94
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=b08f1294d8ec1f780d8fa8b4d&id=f321a09f94&e=226e5ef18b
X-MC-User: b08f1294d8ec1f780d8fa8b4d
x-accounttype: ff
List-Unsubscribe: <mailto:unsubscribe-b08f1294d8ec1f780d8fa8b4d-f321a09f94-226e5ef18b@mailin1.us2.mcsv.net?subject=unsubscribe>, <http://oxits.us3.list-manage1.com/unsubscribe?u=b08f1294d8ec1f780d8fa8b4d&id=aec182f76c&e=226e5ef18b&c=f321a09f94>
Sender: "Oxford IT Support" <newsletter=oxits.co.uk@mail67.atl11.rsgsv.net>
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_960584300"
MIME-Version: 1.0



So oxits.co.uk, who's being a naughty boy then?

Monday, 11 November 2013

Info: BBB misrepesentation (fraud)

Not normally a fan of media sites, but this one I thought deserved attention. Not least because the sheer volume of misleading or otherwise malicious sites, that have had "good" BBB ratings over the years, meant we already knew they were meaningless;

The Better Business Bureau, one of the country's best known consumer watchdog groups, is being accused by business owners of running a "pay for play" scheme in which A plus ratings are awarded to those who pay membership fees, and F ratings used to punish those who don't.

To prove the point, a group of Los Angeles business owners paid $425 to the Better Business Bureau and were able to obtain an A minus grade for a non-existent company called Hamas, named after the Middle Eastern terror group.

"Right now, this rating system is really unworthy of consumer trust or confidence," said Connecticut attorney general Richard Blumenthal in an interview to be broadcast as part of an ABC News investigation airing tonight on 20/20.

In an official demand letter sent to the national headquarters of the Better Business Bureau Thursday, Blumenthal called on the BBB to stop using its grading system, which he said was "potentially harmful and misleading" to consumers.


Read more
http://abcnews.go.com/Blotter/business-bureau-best-ratings-money-buy/story?id=12123843

Saturday, 9 November 2013

Info: Server issues

Just an FYI folks, the server that houses mysteryfcm.co.uk, the Abelhadigital forums amongst others, suffered a hard drive failure earlier.

I'm working as quickly as I can to get a new drive put in and the system restored, but obviously, this is going to take several hours.

Sorry for the inconvenience folks.

Monday, 4 November 2013

hpObserver v0.6.12

Modified: Tools > Search menu
Modified: Tools > Check URL menu (now called "Scan URL with")

Added: Save as CSV
Added: Save as text (No line breaks) (see Release notes)
Added: Correct OpenDNS hit-nxdomain IPs (see Release notes)
Added: Windows 7/8/8.1 OS detection
Added: Send IP/Hostname to BFK
Added: Send IP/Hostname to Bing
Added: Send IP/Hostname to BGP.HE.NET
Added: Send IP/Hostname to CleanMX
Added: Send IP/Hostname to Exalead
Added: Send IP/Hostname to Google
Added: Send IP/Hostname to hpHosts
Added: Send IP/Hostname to MDL
Added: Send IP/Hostname to RobTex
Added: Send IP/Hostname to SiteAdvisor
Added: Send IP/Hostname to SafeWeb
Added: Send IP/Hostname to TrustedSource
Added: Send IP/Hostname to Web Of Trust
Added: Send IP/Hostname to URLQuery
Added: Send IP/Hostname to URLVoid
Added: Send IP/Hostname to ZeusTracker
Added: Search ASN using CIDRReport
Added: Search ASN using CleanMXASN

Notes:

"Save as CSV" will save the results as "FIELD1";"FIELD2";"FIELD3"; etc etc

"Save as Text (No line breaks", will save as the usual plain text, but will keep the IPs (where a domain resolves to multiple IPs) on the same line, instead of popping each IP on a new line.

"Correct OpenDNS hit-nxdomain IPs" will correct results where a domain that does not resolve, is showing as resolving to the OpenDNS hit-nxdomain.* and hit-servfail.* IPs (you can disable this option if you've got an account with OpenDNS, but it also requires you disable all of their options/protection/filters, this addition to the program prevents your having to do that when checking a domain with hpObserver)

Download
http://support.it-mate.co.uk/?mode=Products&act=DL&p=hpobserver

Thursday, 31 October 2013

ALERT: lnx.lu, downloadoney.com and secure.oinstaller.com

You'll be wanting to block these folks. lnx.lu is a bit.ly wannabe, but more importantly, with help from downloadoney.com and secure.oinstaller.com, it's leading straight to crapware from Tiny Installer (iBryte).

The file served: downloadmanager_Setup.exe, 49b56be1b64aea734e69e2a2bd482b78

GET /6N?http://depositfiles.com/files/lgde529fc HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Host: lnx.lu
DNT: 1
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.24 (Unix) PHP/5.4.15
X-Powered-By: PHP/5.4.15
Last-Modified: Fri, 1 Nov 2013 00:52:26 GMT
Expires: Fri, 1 Nov 2013 00:52:26 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4756
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

------------------------------------------------------------------
GET /script.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: lnx.lu

HTTP/1.1 200 OK
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.24 (Unix) PHP/5.4.15
Last-Modified: Sun, 17 Jun 2012 00:45:15 GMT
ETag: "1980aa1-1512-4c2a05cd71cc0"
Accept-Ranges: bytes
Content-Length: 5394
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/javascript

------------------------------------------------------------------
GET /images/logo.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: lnx.lu

HTTP/1.1 200 OK
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.24 (Unix) PHP/5.4.15
Last-Modified: Mon, 30 Apr 2012 08:20:32 GMT
ETag: "1980a82-41a-4bee120ad7400"
Accept-Ranges: bytes
Content-Length: 1050
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif

------------------------------------------------------------------
GET /images/skipadbtn.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: lnx.lu

HTTP/1.1 200 OK
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.24 (Unix) PHP/5.4.15
Last-Modified: Mon, 30 Apr 2012 08:25:47 GMT
ETag: "1980a4d-89c-4bee13373f8c0"
Accept-Ranges: bytes
Content-Length: 2204
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif

------------------------------------------------------------------
GET /click/i2VrnWecqZaOYWmWX8p6w4iQcphmn36ViZBqnF6bgJW3Z2uZYJypmJBqapVf?dp=7%20GB HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: network.adsmarket.com

HTTP/1.1 302 Found
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=7n8jsfdoq70hhrsn18po0n6693; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ce-visitor-jmNtl18=imGoy3zhes6qmIXJfq6fqYuEkdGfvXvam2OS1l6bepI; expires=Mon, 16-Dec-2013 00:52:26 GMT; path=/; domain=network.adsmarket.com
Set-Cookie: ce-click-jWhxlWSbe8OLZm-VYqF-l5Bi=jWhxlWSbe8OLZm-VYqF-l5Bi; expires=Sat, 02-Nov-2013 00:52:26 GMT; path=/; domain=network.adsmarket.com
Location: http://www.media970.com/click/i2Zslo2hgJWLkGnEXsp8m4tkcpiNnH-WjGSYnWKjfcOJaXGXYQ?dp=20ofNv0jRgLdPCUE3SXlqR1vC2Yq000.&SUB=_342891&ce_cid=20ofNv0jRgLdPCUE3SXlqR1vC2Yq000.
P3P: policyref="/w3c/p3p.xml", CP="NOI DEV PSA PSD IVA OTP OUR OTR IND OTC"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

------------------------------------------------------------------
GET /n4.g?login=lnxlu&d=1366x768&auto=y&pid=link&jv=true&c=32&l= HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: nht-3.extreme-dm.com

HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Fri, 01 Nov 2013 00:52:26 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Cache-Control: private,no-cache,no-store
Pragma: no-cache
Expires: Mon, 28 Sep 1970 06:00:00 GMT

------------------------------------------------------------------
GET /click/i2Zslo2hgJWLkGnEXsp8m4tkcpiNnH-WjGSYnWKjfcOJaXGXYQ?dp=20ofNv0jRgLdPCUE3SXlqR1vC2Yq000.&SUB=_342891&ce_cid=20ofNv0jRgLdPCUE3SXlqR1vC2Yq000. HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: www.media970.com

HTTP/1.1 302 Found
Date: Fri, 01 Nov 2013 00:52:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=uim8ngts2iq7aljtn44arnmu56; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ce-visitor-kGVxmA=imFprm-ge62ZibK5ktm_tIuEkdGfvXvam2OS1l6bepI; expires=Mon, 16-Dec-2013 00:52:26 GMT; path=/; domain=www.media970.com
Set-Cookie: ce-click-iWhqmGWeqZeNZ2mZZJ99nIk=iWhqmGWeqZeNZ2mZZJ99nIk; expires=Sat, 02-Nov-2013 00:52:26 GMT; path=/; domain=www.media970.com
Location: http://www.downloadoney.com/direct/downloadmanager?&adprovider=Adperio&source=Adperi0_downloadmanager_GB_direct&ce_cid=200IA51IAXyTdnuP3SXlqR1vC2Yq000.
P3P: policyref="/w3c/p3p.xml", CP="NOI DEV PSA PSD IVA OTP OUR OTR IND OTC"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

------------------------------------------------------------------
GET /direct/downloadmanager?&adprovider=Adperio&source=Adperi0_downloadmanager_GB_direct&ce_cid=200IA51IAXyTdnuP3SXlqR1vC2Yq000. HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: www.downloadoney.com

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Fri, 01 Nov 2013 00:52:26 GMT
Location: http://secure.oinstaller.com/o/downloadmanager/downloadmanager_Setup.exe?filedescription=downloadmanager&subid=Adperi0_downloadmanager_GB_direct&user_id=18d33e43-0186-448d-90f2-2e2b29076dd6&thankYouUrl=http%3a%2f%2fwww.downloadoney.com%2fGo%2fFreeTVOnline%3fsource%3dthankyou_Adperi0_downloadmanager_GB_direct%26offer%3ddownloadmanager%26userid%3d18d33e43-0186-448d-90f2-2e2b29076dd6&cancelUrl=http%3a%2f%2fwww.downloadoney.com%2fGo%2fFreeTVOnline%3fsource%3dthankyou_Adperi0_downloadmanager_GB_direct%26offer%3ddownloadmanager%26userid%3d18d33e43-0186-448d-90f2-2e2b29076dd6&adprovider=adperio&subid2=&subid3=&cpixel=http%3a%2f%2fultimate-downloads.com%2fInstaller%2fConversion%3fadProvider%3dadperio%26context%3d200IA51IAXyTdnuP3SXlqR1vC2Yq000.%26countryCode%3dGB%26userID%3d18d33e43-0186-448d-90f2-2e2b29076dd6%26source%3dAdperi0_downloadmanager_GB_direct%26subid1%3d%26subid2%3d%26offer%3ddownloadmanager&useragent=ultimate-downloads.com%7cMozilla%2f5.0+(compatible%3b+MSIE+9.0%3b+Windows+NT+6.1%3b+WOW64%3b+Trident%2f5.0%3b+Avant+Browser)
Server: Microsoft-IIS/7.5
Set-Cookie: uid=18d33e43-0186-448d-90f2-2e2b29076dd6; domain=downloadoney.com; expires=Wed, 01-Nov-2023 00:52:27 GMT; path=/
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
X-Powered-By: ASP.NET
Content-Length: 1196
Connection: keep-alive

------------------------------------------------------------------
GET /o/downloadmanager/downloadmanager_Setup.exe?filedescription=downloadmanager&subid=Adperi0_downloadmanager_GB_direct&user_id=18d33e43-0186-448d-90f2-2e2b29076dd6&thankYouUrl=http%3a%2f%2fwww.downloadoney.com%2fGo%2fFreeTVOnline%3fsource%3dthankyou_Adperi0_downloadmanager_GB_direct%26offer%3ddownloadmanager%26userid%3d18d33e43-0186-448d-90f2-2e2b29076dd6&cancelUrl=http%3a%2f%2fwww.downloadoney.com%2fGo%2fFreeTVOnline%3fsource%3dthankyou_Adperi0_downloadmanager_GB_direct%26offer%3ddownloadmanager%26userid%3d18d33e43-0186-448d-90f2-2e2b29076dd6&adprovider=adperio&subid2=&subid3=&cpixel=http%3a%2f%2fultimate-downloads.com%2fInstaller%2fConversion%3fadProvider%3dadperio%26context%3d200IA51IAXyTdnuP3SXlqR1vC2Yq000.%26countryCode%3dGB%26userID%3d18d33e43-0186-448d-90f2-2e2b29076dd6%26source%3dAdperi0_downloadmanager_GB_direct%26subid1%3d%26subid2%3d%26offer%3ddownloadmanager&useragent=ultimate-downloads.com%7cMozilla%2f5.0+(compatible%3b+MSIE+9.0%3b+Windows+NT+6.1%3b+WOW64%3b+Trident%2f5.0%3b+Avant+Browser) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://lnx.lu/6N?http://depositfiles.com/files/lgde529fc
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Avant Browser)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
DNT: 1
Host: secure.oinstaller.com

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 1969448
Content-Type: application/octet-stream
Last-Modified: Fri, 01 Nov 2013 00:52:27 GMT
Server: Microsoft-IIS/7.5
Content-Disposition: attachment; filename=downloadmanager_Setup.exe
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 01 Nov 2013 00:52:27 GMT
Connection: close

------------------------------------------------------------------

iLivid: Via Filerio.in

The previous one felt lonely I guess.

hxxp://yads.zedo.com/ads2/c?a=1666218;x=7177;g=171;c=2051000058,2051000058;i=0;n=2051;s=15;1=7;2=1;tg=1383266793;vr=2;m=9;w=4;os=3;ct=1;p=6;h=1581182;f=1812475;b=10;u=lmHiuGsWSN2jYetyZhTVcw**~081213;z=0.12588476478823873;ainfo=;k=http://lp.sharelive.net/?sysid=406&appid=842 hxxp://d2.zedo.com/OzoDB/4/x/1666218/V1/202039_iLivid_800x440_MediaPlayerMSG.gif

iLivid: Yet more very misleading badness

Still not getting responses from them and still coming across yet more highly misleading crap from them - the latest of which is this one, auto-loaded in popup via one of the ad networks (was just while general research on something else this time, didn't catch which ad network it came through unfortunately);

hxxp://lp.sharelive.net/?sysid=406&appid=420&lpid=2949&subid=0020047485637829949

Wednesday, 30 October 2013

Like spam? Like fraudulent based spam? So does reliablechat@gmail.com/ReputationRewards@gmail.com

Taking a break from work, and looking for something, I came across this amongst the thousands of emails in the junk folder (I get thousands of new ones every day). I couldn't help but laugh at how blatantly he (presuming based on the domains registration info) is offering fraudulent/blackhat services.

Got Bad Reviews? Need good Reviews?

We Post Good Reviews.
We do Reputation Repair.
We do Blog Advertising.
We do MYSQL and PHP Web Development and Scripts.

We can help you defend your company by posting positive Reviews, blogs and creating Websites to take over Search Results and control what people see about your company.

361-444-3559

http://www.ReviewShowcase.com for Paid Review Posting Service

How does posting positive reviews help in your businesses Google ranking?

1. Positive reviews increase your business rank by linking important and relevant websites to your website.

2. A constant stream of positive reviews improves your online reputation.

3. Positive reviews drive traffic to your business.

4. Positive reviews restore a tarnished reputation by pushing down negative reviews and links.

5. Helps protect against competitors or anyone else from attempting to ruin your ranking.

361-444-3559 ReputationRewards@gmail.com

We also do MYSQL and PHP work at http://Programskills.com and Server Administation at Http://SupportGator.com


Little FYI for anyone considering using this guys "services" - spamvertising positive reviews that are blatantly fake, is fraud - plain and simple. Instead, perhaps asking your ACTUAL customers for reviews would be more appropriate?

The headers for this email;

Return-Path: <no-reply@gmail.com>
Delivered-To: <[REMOVED]>
Received: from [REMOVED]
    by [REMOVED] (Dovecot) with LMTP id DxZrBcqWNlJVEAAAZ1oeBA
    for <[REMOVED]>; Mon, 16 Sep 2013 13:32:09 +0100
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x tagged_above=-9999 required=1.3 WHITELISTED
    tests=[] autolearn=unavailable
Message-ID: <ODMKTLIZNOEKMHZLOVDBDAUK@yahoo.com>
From: "PHP MYSQL Work" <no-reply@gmail.com>
Reply-To: "PHP MYSQL Work" <no-reply@gmail.com>
To: [REMOVED]
Subject: Your Reputation
Date: Mon, 16 Sep 2013 15:49:54 +0300
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--8643230795254350"
X-Priority: 3
X-MSMail-Priority: Normal

Tuesday, 29 October 2013

dot-opt-out.com (meishengchang@163.com), fraudster with fingers in many pies

I got an email a few minutes ago, which led via;

hxxp://tr.im/4jkmt

To;

hxxp://dot-opt-out.com/Email-sms/Main_Page.html

A quick look shows this particular fraudster has quite the colorful history, showing fingers in pies such as Waledac and illegal pharma, amongst other things;

db.aa419.org/fakebanksview.php?key=48997
http://www.phishtank.com/technical_details.php?phish_id=1486320
http://knujon.com/domains/pillrxshop24.com.html‎
http://lastwatchdog.com/wp/wp-content/uploads/100815_Microsoft_Waledac_motion.pdf (PDF)


Email content (I've replaced the "http" with "hxxp"):

Greetings,

My name is Giovanni Fiorellino and I am a marketing manager of an advertising agency. Should your business of selling products or services require services of an advertising agency, we are glad to offer you our help. We can help you to make sure that your products and\or services are well-known around the globe help you build loyalty, trust, and brand awareness and ensure that your commercial message is delivered to millions of potential or current customers in your target country markets, providing you and your clients with the assurance you need.

It iv very easy to get a consultancy from us, simply fill in the form on our website

hxxp://tr.im/4jkmt

Looking forward to hearing from you.

Best regards,

Giovanni Fiorellino



Return-Path: <maudeao10@list.ru>
Delivered-To: <adb@[REMOVED]>
Received: from [REMOVED]
    by [REMOVED] (Dovecot) with LMTP id IV2ZBPi7b1LBewAA4wGEVw
    for <adb@[REMOVED]>; Tue, 29 Oct 2013 20:06:33 +0000
Received: from [REMOVED]
    by [REMOVED] with LMTP id lUSuMeUQcFK+IAAAiShP7w
    ; Tue, 29 Oct 2013 20:06:33 +0000
X-Spam-Flag: YES
X-Spam-Score: 13.873
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.873 tagged_above=-9999 required=1.3
    tests=[BAYES_50=0.8, CK_HELO_DYNAMIC_SPLIT_IP=0.152,
    CK_HELO_GENERIC=0.25, HELO_DYNAMIC_IPADDR2=3.607,
    RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
    RAZOR2_CHECK=0.922, RCVD_IN_BL_SPAMCOP_NET=1.347,
    RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_RP_RNBL=1.31,
    RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982, SPF_SOFTFAIL=0.665,
    TVD_RCVD_IP=0.001, URIBL_BLOCKED=0.001] autolearn=spam
Received: from [38.168.37.67] (helo=xnovtawdabfiaek.zyvtanrbgcsauyr.ua)
    by 114-36-46-48.dynamic.hinet.net with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MMW2X-1497dk-JY
    for adb@[REMOVED]; Wed, 30 Oct 2013 04:06:39 +0800
From: =?koi8-r?B?IvDB18XMIOTB19nEz9ci?= <maudeao10@list.ru>
To: <adb@[REMOVED]>
Subject: RE: Advertising quote request
Date: Wed, 30 Oct 2013 04:06:39 +0800
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: jivszbzbb 24
Message-ID: <6112801139.RRBHMOZG437240@ydmzyhb.jdhdmhlllgqrijf.org>


Friday, 25 October 2013

Microsoft: Update available for Windows 8, 8.1 and Server 2012 R2

Update improves the reliability of Internet Explorer 11 in Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2:

http://support.microsoft.com/kb/2901549/en-us

Hat tip to my friend Susan Bradley for the heads up!

Thursday, 24 October 2013

Updated: Outlook Export v0.1.14

Needed a break from work, and this needed updated, so here you go folks.

1. Fixed: Runtime error when selecting "Export this e-mail" and clicking cancel
2. Fixed: Save All Links and Save All Subjects were inadvertently saved in the "Export\{DATE}\{FROM}\Attachments" folder instead of "Export\{DATE}\{FROM}\"
3. Modified: Couple of typos corrected in Readme (mea culpa)
4. Modified: About dialog/disclaimer updated

Download
http://support.it-mate.co.uk/?mode=Products&p=outlookexport

Note: I've not yet tested this on Office 365 or Outlook 2013 (test machines are otherwise indisposed at present). Please let me know if you find any issues.

Info: Email issues

It seems to be the day for email issues. Both incoming and outgoing.

The issue with the incoming email is being worked on by Domain Monster (it's a known issue with their mail server), and should be resolved within 24 hours, but obviously means, I can't receive emails at present.

The outgoing mail issue should be resolved within the next few hours (hopefully).

Tuesday, 22 October 2013

ALERT: 7install - Yet more fake Flash badness

Here we have yet another crapware company, this time US based, 7install, using highly deceptive and outright malicious methods to peddle their rubbish.


The IPs in this case, is;

209.126.131.87
ASN: 10439 209.126.128.0/17 CARINET - CariNet, Inc.

7install.com - marianog61@gmail.com GODADDY.COM, LLC
7install.info - marianog61@gmail.com GODADDY.COM, LLC
7searchbox.com - marianog61@gmail.com GODADDY.COM, LLC
analytic-login.com - marianog61@gmail.com GODADDY.COM, LLC
cerberav.us - marianog61@gmail.com GODADDY.COM, LLC
freedownlodenow.com - marianog61@gmail.com GODADDY.COM, LLC
incomeinstall.net - marianog61@gmail.com GODADDY.COM, LLC
installmonster.com - marianog61@gmail.com GODADDY.COM, LLC
megafreedownload.com - marianog61@gmail.com GODADDY.COM, LLC


91.214.201.126
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM

unsecuredconnection.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updatedflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC


91.214.201.148
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM

brosertie.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
fenretosit.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
forentor.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
forentor.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
forotesit.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jaterisok.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jerenkoli.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jerenkoli.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jonteoli.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jonteoli.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
moguleroc.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
mongolero.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
ventupri.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
ventupri.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
brosertie.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
fenretosit.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
forotesit.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
jaterisok.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
moguleroc.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
mongolero.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
jaterisok.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
moguleroc.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
brosertie.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
fenretosit.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forentor.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forotesit.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
jaterisok.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
moguleroc.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
mongolero.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
ventupri.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
brosertie.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
fenretosit.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
forotesit.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
jaterisok.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
jerenkoli.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
moguleroc.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
mongolero.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
ventupri.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry


198.199.65.137
ASN: 46652 198.199.64.0/20 SERVERSTACK-ASN - ServerStack, Inc.

alwaysdownloads.com - Admin / 14E08F8D78D1412A945F67F34DC204D5.PROTECT@WHOISGUARD.COM ENOM, INC.


8.29.133.130
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC

freegiveawayoffers.com - Admin / ADMIN@SLHOST.COM ENOM, INC.


8.29.133.189
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC

javainstalls.com - Admin / ADMIN@SLHOST.COM ENOM, INC.


184.105.178.69
ASN: 6939 184.104.0.0/15 HURRICANE - Hurricane Electric, Inc

yesdownloads.com - Admin / support@383media.com GODADDY.COM, LLC
dl.yesdownloads.com
adobeflashfreedownload.com - Admin / support@383media.com GODADDY.COM, LLC
avgantivirusforfree.com - Admin / support@383media.com GODADDY.COM, LLC
downloadmessengerfree.com - Admin / DOWNLOADMESSENGERFREE.COM@domainsbyproxy.com GODADDY.COM, LLC
installjavafree.com - Admin / support@383media.com GODADDY.COM, LLC
yahoomessengerforfree.com - Domain Administrator / domainadmin@yahoo-inc.com Markmonitor.com


141.101.125.155
ASN: 13335 141.101.125.0/24 CLOUDFLARENET - CloudFlare, Inc.

getsoftfree.com Admin / 806AB1DA379142F7A89D556D1FB6E33E.PROTECT@WHOISGUARD.COM ENOM, INC.


If you have a gander through the domains, you'll no doubt notice the likes of "AVG" being impersonated, but there's also another one - cerberav.us, impersonating cerberav.com (Spanish AV company).

Funny thing is, the companies involved in the use of the fake Flash/Java etc deception, are still trying to convince me that they're not doing anything wrong. On that subject, iLivid, are STILL not responding, and still using things like this;


As you've no doubt already guessed, AirInstaller, who I wrote about previously, are still using the very same tactics. For example;

hxxp://trkur.com/trk?o=7945&p=71676 -> hxxp://globalpromotions.kidsclothingstore.org/?sov=226078602&hid=fvjnhjjfnffphfhr&noflu=noflu&id=XNSX.71676%3A%3APEERFLY%3A%3AUK%3A%3A29%3A%3A7945 --> hxxp://globalpromotions.kidsclothingstore.org/AIRAdobeRS2filenameGB.html


globalpromotions.kidsclothingstore.org in case you're wondering, is housed at;

208.87.34.151 - 208-87-34-151.securehost.com - 15146 - 15146 208.87.32.0/21 CABLEBAHAMAS - Cable Bahamas
23.20.106.130 - ec2-23-20-106-130.compute-1.amazonaws.com - 14618 - 14618 23.20.0.0/15 AMAZON-AES - Amazon.com, Inc.
5.199.171.205 - hst-171-205.digital-forex.net - 16125 - 16125 5.199.168.0/22 DC-AS UAB Duomenu Centras
75.101.216.99 - ec2-75-101-216-99.compute-1.amazonaws.com - 14618 - 14618 75.101.128.0/17 AMAZON-AES - Amazon.com, Inc.




Not surprisingly, some of the companies have resorted to trying to block me seeing the sites on their IPs (they're about as successful at this, as the skiddies, and a few hosts/ASNs have been - not realising I've got far more than one or two IPs at my disposal - woops!).

If you see any more fake Flash, Java, Chrome, Firefox, Windows, Skype etc etc etc sites, please do feel free to either drop me an email, or drop by the hpHosts forums.

Sunday, 20 October 2013

Alert: Lunacom Interactive Ltd and fake Java sites

Seems we've got another Israel based crapware company, this one is involved in the use of fake Chrome and Java sites, to push their files (all digitally signed FYI).


Offending IPs;

66.55.92.88 - AS32181 66.55.88.0/21 ASN-GIGENET - GigeNET
146.185.156.77 - AS46652 146.185.128.0/19 SERVERSTACK-ASN - ServerStack, Inc
54.218.7.114 - awstrack01.tguhost.com - 16509 54.218.0.0/17 AMAZON-02 - Amazon.com, Inc.
146.185.156.77 - AS46652 146.185.128.0/19 SERVERSTACK-ASN - ServerStack, Inc.
54.244.6.207 - AS16509 54.244.0.0/18 AMAZON-02 - Amazon.com, Inc.

Sites identified thus far;

googlechromeup.com
securejavaupdate.com
latestjavas.com
eu.latestjavas.com
new.latestjavas.com
securejavadownload.com
eu.securejavadownload.com
new.securejavadownload.com
upjavadownload.com
securejavafiledownload.org
securejava.org
eu.securejava.org
new.securejava.org
eu.securejavafiledownload.org
new.securejavafiledownload.org
ttb.123mediaplayer.com
dlp.123mediaplayer.com
dtrack.secdls.com
dtrack.sslsecure1.com




The MD5 for the file I got served is;

6539515369f76e50c670f663debb0c37

However, I am aware that the MD5s appear to be different for each access, so you're going to want to detect the files on their sig instead.

/Edit

2 more IPs and 2 more hostnames added.

/Edit 2

Few more hostnames added.

Alert: Compromised sites housing iFrame to *.sytes.net hostnames

Been seeing quite a bit of yet more compromised sites of late (yep, it never stops), leading to *.sytes.net hostnames, all housed on a single IP;

IP: 130.0.238.15 AS: 15626 130.0.232.0/21 ITLAS ITL Company

Path on the hostnames;

/atb/counter.php

Hostnames seen thus far;

acnmtwyd.sytes.net
addbweys.sytes.net
adjgrezyr.sytes.net
adrlnnu.sytes.net
aeghzfr.sytes.net
agnzjycwl.sytes.net
ahiwwwhe.sytes.net
aitnsglw.sytes.net
aizxemx.sytes.net
ajyeepnh.sytes.net
amavbpn.sytes.net
amwwzesm.sytes.net
anbumvt.sytes.net
anrhrsl.sytes.net
aobxnbo.sytes.net
aqkjdxhlb.sytes.net
asicbjpnr.sytes.net
asmpbbqj.sytes.net
atchaexapf.sytes.net
avpohxjt.sytes.net
avppggjxz.sytes.net
avqzbjiwv.sytes.net
avvoignwy.sytes.net
awlpynqd.sytes.net
awstzub.sytes.net
azsgiyao.sytes.net
azwhoreojk.sytes.net
azzhwgcmne.sytes.net
basabmn.sytes.net
bbveuac.sytes.net
behgnpr.sytes.net
benhwxnl.sytes.net
bhovmjn.sytes.net
bhrztuan.sytes.net
bijvpztx.sytes.net
bkdcivj.sytes.net
bkmxpvqxr.sytes.net
blhifgcn.sytes.net
bmgslcjzn.sytes.net
bolqxvcqan.sytes.net
boutjojjg.sytes.net
bpkeyhcni.sytes.net
bquedzerpe.sytes.net
bremmfukm.sytes.net
bscyrbgmad.sytes.net
btrakkqrst.sytes.net
bvlmvygu.sytes.net
bwjpsyyph.sytes.net
bwlvkhe.sytes.net
bxbywzgz.sytes.net
bxjstvazx.sytes.net
bxkiaai.sytes.net
bxwuoxig.sytes.net
bytpufoea.sytes.net
byuwgwgpi.sytes.net
byvvzicwhp.sytes.net
bzfucvgvj.sytes.net
cataehsb.sytes.net
caujtfeey.sytes.net
cawjhwfd.sytes.net
cbtdzmgqby.sytes.net
cesckfd.sytes.net
cfhvfytv.sytes.net
cfsjhiocq.sytes.net
cfvnmdwo.sytes.net
cggammhx.sytes.net
cirsboc.sytes.net
cjqihwwm.sytes.net
cjwalux.sytes.net
ckofoiz.sytes.net
clajeoq.sytes.net
cmuhstt.sytes.net
cmuuaciltf.sytes.net
cmxkmnt.sytes.net
cobvstkyns.sytes.net
cpupjblwm.sytes.net
crdrmvx.sytes.net
cslynwfqp.sytes.net
ctdlioxv.sytes.net
cuthldkp.sytes.net
cvbreqh.sytes.net
cvpyzlihyq.sytes.net
cvxeyiqy.sytes.net
cwzepme.sytes.net
cxmkuju.sytes.net
cxvtmaojp.sytes.net
cyfxovrn.sytes.net
cyhyovzd.sytes.net
dahwxbvq.sytes.net
dauuctusx.sytes.net
davhtailhb.sytes.net
dbytvkcpi.sytes.net
dcopciquu.sytes.net
dcxbadvp.sytes.net
ddaaamlwh.sytes.net
ddvdtekh.sytes.net
dfdbtaxbsb.sytes.net
dfpbuhsb.sytes.net
dggzyfkfdm.sytes.net
dgugnixqf.sytes.net
dhwrdjsr.sytes.net
dipgaxcsfc.sytes.net
diyicuiezh.sytes.net
djgzyomdd.sytes.net
dkllzrnj.sytes.net
dlglypx.sytes.net
dmligrsla.sytes.net
dnepqxopzh.sytes.net
dnrlztvjs.sytes.net
dntmtay.sytes.net
dpenkggvj.sytes.net
dsudwgvec.sytes.net
dsuiezmkoy.sytes.net
duklgwi.sytes.net
dumpqqod.sytes.net
dvujzhsgtu.sytes.net
dxgegxkb.sytes.net
dykcgxek.sytes.net
dysguqf.sytes.net
dzcdwcucsu.sytes.net
ebbpolkf.sytes.net
ecixdnyzp.sytes.net
eeiqzjm.sytes.net
efxmykilnl.sytes.net
egqzhiuctl.sytes.net
ehlkhnn.sytes.net
ehqfzijkds.sytes.net
eizglfx.sytes.net
ejlogrur.sytes.net
ejyvpgidbg.sytes.net
elavmxw.sytes.net
elescpf.sytes.net
eloneyzch.sytes.net
eofobmct.sytes.net
eolwjdlk.sytes.net
eqfaykyfdc.sytes.net
eqycmjb.sytes.net
ermechdvrp.sytes.net
esixejp.sytes.net
etbyscryk.sytes.net
eugyuizzjy.sytes.net
euucbfzt.sytes.net
euwmcluiql.sytes.net
evgnpyy.sytes.net
ewtmmsn.sytes.net
faearrv.sytes.net
fauzimodlp.sytes.net
fbahwqrbhv.sytes.net
fbdyuwsdyx.sytes.net
fbzdvjm.sytes.net
fewhwxk.sytes.net
ffenxhn.sytes.net
fhdbzfz.sytes.net
fhgeukfdm.sytes.net
fhhouboah.sytes.net
fidbvek.sytes.net
fieoovhkx.sytes.net
fiesfjzd.sytes.net
fiqcyho.sytes.net
fisztleg.sytes.net
fncfyxz.sytes.net
fovgzrtzn.sytes.net
fqvirlk.sytes.net
frerelkdx.sytes.net
frlkcex.sytes.net
fsukzcgz.sytes.net
ftwzufw.sytes.net
fwfmjmspq.sytes.net
fxmfoudq.sytes.net
fzwdcepjq.sytes.net
gcrfzjdu.sytes.net
gdqglpfgy.sytes.net
geruakjn.sytes.net
gesbcukva.sytes.net
gewlbsak.sytes.net
ggmpahygy.sytes.net
ggxqrmypkd.sytes.net
giwmtjsyq.sytes.net
gkdnzadty.sytes.net
glcztgoyd.sytes.net
glfsjmd.sytes.net
glvtybpxmy.sytes.net
goqguclotk.sytes.net
govuftnx.sytes.net
gpfobkz.sytes.net
gqpveoyra.sytes.net
grnnmrrc.sytes.net
gtnmrmk.sytes.net
gttspuih.sytes.net
gveojjoznj.sytes.net
gvpbotic.sytes.net
gxwthwhcnx.sytes.net
gzrpslpweb.sytes.net
hbjzjzg.sytes.net
hczpaqkq.sytes.net
hdlseuoqzo.sytes.net
hdosqesfkd.sytes.net
heuiqrhd.sytes.net
hguxljh.sytes.net
hhfqgewdql.sytes.net
hhztnslqp.sytes.net
hiiqjjz.sytes.net
hjkxskvbry.sytes.net
hjshivs.sytes.net
hlleaclgk.sytes.net
hmemwgni.sytes.net
hmushidlmv.sytes.net
hoknjvahb.sytes.net
hsgyxhwxhl.sytes.net
htehtcj.sytes.net
hugyautjk.sytes.net
hvwvxcl.sytes.net
hwduyml.sytes.net
hxexxeoh.sytes.net
hyhhoghxh.sytes.net
ibcbeqblx.sytes.net
ibdjobduds.sytes.net
ibfpslrinf.sytes.net
ibfryysdub.sytes.net
idibhrwy.sytes.net
idtqnad.sytes.net
idytfhqbv.sytes.net
ifwuhcdek.sytes.net
ifxctxorbc.sytes.net
iiypddm.sytes.net
ikhvtebddy.sytes.net
ilxbepofnv.sytes.net
inrfjont.sytes.net
ioflgdym.sytes.net
ionwywwen.sytes.net
ipjsnwdb.sytes.net
iprrcjbbp.sytes.net
ipwzbykfrf.sytes.net
iqeyhohzy.sytes.net
isfmmhvgg.sytes.net
ismlzkf.sytes.net
ispsrooo.sytes.net
iularlp.sytes.net
iviujibmz.sytes.net
iwjqlgluc.sytes.net
ixmkuvwqes.sytes.net
ixnehkkg.sytes.net
ixrmjsct.sytes.net
iyfqfawsr.sytes.net
izyyhuvxw.sytes.net
jccnmnl.sytes.net
jdabtbiwtq.sytes.net
jdllrtzdv.sytes.net
jekkimcpun.sytes.net
jeqmeupa.sytes.net
jfbeiqfe.sytes.net
jfjsoajsri.sytes.net
jfkcfzwo.sytes.net
jftqfsvx.sytes.net
jgtsifc.sytes.net
jhufribzgu.sytes.net
jofqqxfry.sytes.net
jomrgjorg.sytes.net
jotlfphys.sytes.net
jpssefcve.sytes.net
jqbgypu.sytes.net
jqvciffvjl.sytes.net
jrogzyutef.sytes.net
jrykwtfyf.sytes.net
jwrbtla.sytes.net
jwsqiqhmal.sytes.net
jzfcfya.sytes.net
jzsaignke.sytes.net
kbjdjhtmsb.sytes.net
kbxcpqjve.sytes.net
kchplzuj.sytes.net
kcuhkil.sytes.net
kdluhhuw.sytes.net
kexcxilqpx.sytes.net
kgzdnhx.sytes.net
khyyvry.sytes.net
kixlcjrh.sytes.net
kjcepogk.sytes.net
kjrngpvijf.sytes.net
kkalffgo.sytes.net
kldmpcdv.sytes.net
klgvcjmn.sytes.net
kmwrniwkvx.sytes.net
knpbntx.sytes.net
kplbyroxga.sytes.net
kplcrunqce.sytes.net
krkwbgd.sytes.net
ksodetusbg.sytes.net
kszmrvhm.sytes.net
kutljvvfgw.sytes.net
kvxiuby.sytes.net
kwaiqhhojc.sytes.net
kwmjzicbz.sytes.net
kwpteoeh.sytes.net
kxhhjpfrg.sytes.net
kyozuqo.sytes.net
kzfgzlfjjw.sytes.net
kzfsueptj.sytes.net
lawomrrew.sytes.net
lbnyigm.sytes.net
lbwmjobznk.sytes.net
lcwqbmhy.sytes.net
ldbowlzr.sytes.net
ldnrpwu.sytes.net
lfuiszps.sytes.net
lfxlzmkp.sytes.net
lhurfstzwb.sytes.net
liburnirlc.sytes.net
liwikzywv.sytes.net
ljeptfubm.sytes.net
ljxachipe.sytes.net
llydedd.sytes.net
lnxipernv.sytes.net
lofruiqtoq.sytes.net
lpauiixay.sytes.net
lptkvilbbn.sytes.net
lteescktc.sytes.net
lubtvueiaa.sytes.net
luvdqiutm.sytes.net
lwaqdul.sytes.net
lwgktizn.sytes.net
lwrnvct.sytes.net
lxuschhdd.sytes.net
madfmac.sytes.net
mbbtzmhsk.sytes.net
mdfovmq.sytes.net
mftsfgn.sytes.net
mghqaumqok.sytes.net
mgkuedp.sytes.net
mgylduvn.sytes.net
mhaayla.sytes.net
mhuvfnoqpm.sytes.net
mjfumkiiuo.sytes.net
mkbvlpvl.sytes.net
mkisthgnuo.sytes.net
mkqtvzxw.sytes.net
mlbppxpma.sytes.net
mnakeqr.sytes.net
mnlnkvg.sytes.net
mnmypnzv.sytes.net
moxlrthnz.sytes.net
mozxjrv.sytes.net
mqgprggdp.sytes.net
mqmvjdql.sytes.net
mqwmyxw.sytes.net
mrkmwxj.sytes.net
mrtscwptfj.sytes.net
mucktuijay.sytes.net
muljmnuf.sytes.net
muqkmdl.sytes.net
mwtywcx.sytes.net
mwtzgtl.sytes.net
mxxhtndgyi.sytes.net
mzlmbwbqgc.sytes.net
nbtrrjszy.sytes.net
nbuhjmop.sytes.net
ncdmyuln.sytes.net
nckgewjp.sytes.net
nczwpdnt.sytes.net
ndhhnch.sytes.net
ndsvgqu.sytes.net
neanprn.sytes.net
neaygyt.sytes.net
nheghxgkrm.sytes.net
njlgpunoto.sytes.net
njrebavfx.sytes.net
nkghnrprga.sytes.net
nlkilxxv.sytes.net
nmahqhzmr.sytes.net
nnawqblz.sytes.net
nnycbvbobo.sytes.net
norgoty.sytes.net
npcckba.sytes.net
nrdnetxbp.sytes.net
nrhmrbyjq.sytes.net
nsgmnexwv.sytes.net
ntfsqny.sytes.net
nurvsngxk.sytes.net
nvhwghlxo.sytes.net
nzsjzrix.sytes.net
oagiedhf.sytes.net
oalpjye.sytes.net
ocfrlknzh.sytes.net
oczqjqpazs.sytes.net
odbrsogvt.sytes.net
oeokxycqo.sytes.net
oeoshody.sytes.net
oeyenlndhf.sytes.net
offmscylu.sytes.net
ofpcfgm.sytes.net
ofrfvgir.sytes.net
ogjlffw.sytes.net
ohqsugrwl.sytes.net
oicaqarxso.sytes.net
oiklkxna.sytes.net
oizxhitonp.sytes.net
okiaaynfz.sytes.net
okwkwei.sytes.net
ologvkyc.sytes.net
olyjbaxiws.sytes.net
omysuxn.sytes.net
onmqlxix.sytes.net
oohjatm.sytes.net
oowcdtwesd.sytes.net
opumwew.sytes.net
opzsputh.sytes.net
oqfxyffok.sytes.net
oqnzdxpt.sytes.net
orysfzhlx.sytes.net
ovnfhyc.sytes.net
owquryprwp.sytes.net
oxntyjq.sytes.net
oyevofpb.sytes.net
oymzjnvgil.sytes.net
ozacxeru.sytes.net
oziiwyzr.sytes.net
ozlygre.sytes.net
papxloop.sytes.net
pbfznyw.sytes.net
pbgupuusi.sytes.net
pbtfemy.sytes.net
pdtzgrlve.sytes.net
pdubxeajwg.sytes.net
pdxdgfm.sytes.net
pfqvaxjc.sytes.net
pgetpbcprs.sytes.net
pglldlxa.sytes.net
phrwuuq.sytes.net
pjapdnbe.sytes.net
pljaxvyvmd.sytes.net
pnibuvfn.sytes.net
pntczrel.sytes.net
poqrnmscvg.sytes.net
pplvzzumv.sytes.net
ppooapzg.sytes.net
ppsaxsasxu.sytes.net
ppxcsna.sytes.net
ppzdrfexs.sytes.net
pqgpmveue.sytes.net
prlnhtd.sytes.net
puyzrumbfe.sytes.net
pxodqqtey.sytes.net
pxrqrpk.sytes.net
qafhbbag.sytes.net
qbpvdapc.sytes.net
qcblabdut.sytes.net
qckcdvngwt.sytes.net
qcmfjnm.sytes.net
qeevmuoyr.sytes.net
qevdqzieb.sytes.net
qfnkvojz.sytes.net
qftutkz.sytes.net
qfznugkd.sytes.net
qghxgwbhk.sytes.net
qiercahtra.sytes.net
qiklmgaoka.sytes.net
qjsseqvhd.sytes.net
qkcfzfr.sytes.net
qmvoaztw.sytes.net
qnmpucffr.sytes.net
qoavgbelin.sytes.net
qoreqnfns.sytes.net
qowiziepbf.sytes.net
qrluvblcr.sytes.net
qtrlbwukxs.sytes.net
qwktxxehy.sytes.net
qxouceo.sytes.net
qxytdsf.sytes.net
ragnblqk.sytes.net
ravgfpbk.sytes.net
rcenglqyre.sytes.net
rcfnbxsjx.sytes.net
rcoqnqgm.sytes.net
rfabxfty.sytes.net
rgiyuitm.sytes.net
rgsoyznczz.sytes.net
rhwfgly.sytes.net
ricpiewbc.sytes.net
ridjrbv.sytes.net
rjpabdgz.sytes.net
rntmygab.sytes.net
roltcezwrw.sytes.net
romdhxci.sytes.net
rotchedko.sytes.net
rpcovkimb.sytes.net
rpknxwtgrc.sytes.net
ruqpcioktj.sytes.net
rvhgpua.sytes.net
rwiaetqyr.sytes.net
rwofekkfw.sytes.net
rwseswvp.sytes.net
rwubmwsxu.sytes.net
rxxtlrfgfo.sytes.net
sbblczke.sytes.net
sbbnwssku.sytes.net
scgfiytcpa.sytes.net
sdgaqizc.sytes.net
sfdlhfeco.sytes.net
shghrypc.sytes.net
shoqcgr.sytes.net
sjfivkvrys.sytes.net
skhsarl.sytes.net
sopleuivd.sytes.net
spnixrgy.sytes.net
stmpwmp.sytes.net
sumdylylav.sytes.net
sunffil.sytes.net
suylefnkig.sytes.net
svchjue.sytes.net
svjsimm.sytes.net
svrsahmqqo.sytes.net
sweiozime.sytes.net
swpurmruc.sytes.net
sxozrvq.sytes.net
syfynenagh.sytes.net
sztrosuc.sytes.net
tasbwrfz.sytes.net
tciggxirjo.sytes.net
tdgsrknuci.sytes.net
tdnosyj.sytes.net
tdrrxbyujv.sytes.net
thtzaddxo.sytes.net
tkjhaiey.sytes.net
tlqpiwvq.sytes.net
tluqscdc.sytes.net
tmaqrjjv.sytes.net
tmtfctujzq.sytes.net
tofkihpuy.sytes.net
tqighcicu.sytes.net
ttbnkqp.sytes.net
ttgllaujry.sytes.net
tusutmy.sytes.net
tvkmuukk.sytes.net
txvjcvapit.sytes.net
tykpqmfsw.sytes.net
tynyohp.sytes.net
tztegklind.sytes.net
ubojfziask.sytes.net
ucnnvgv.sytes.net
ucrosjnl.sytes.net
udsgfry.sytes.net
udsueae.sytes.net
ufxhvzsglc.sytes.net
ugggiou.sytes.net
ugzxiwxns.sytes.net
uhjvqkbx.sytes.net
uhkbhlkqt.sytes.net
uitzenro.sytes.net
ujfwyps.sytes.net
ulvmtswpv.sytes.net
ulwyrevvj.sytes.net
ungxazh.sytes.net
unhjrygyhk.sytes.net
unrvtvq.sytes.net
uonelhtqyo.sytes.net
uqxfqrnz.sytes.net
usdzxpqd.sytes.net
ushyudp.sytes.net
utlxboj.sytes.net
utrzqkto.sytes.net
uvqmlxfd.sytes.net
uvwijntuwz.sytes.net
uyscpcq.sytes.net
uytpoltiy.sytes.net
uzifkfq.sytes.net
uzoeeuscd.sytes.net
uzxhukkfz.sytes.net
vaurybbn.sytes.net
vdklkwomm.sytes.net
vfomgvb.sytes.net
vjoritcwww.sytes.net
vkchqkm.sytes.net
vkjbdsrxt.sytes.net
voccqqxx.sytes.net
voismrfoqs.sytes.net
vpprkczttw.sytes.net
vqertvjt.sytes.net
vqiuzlbtkh.sytes.net
vqtqcki.sytes.net
vqttgjt.sytes.net
vrpvqefon.sytes.net
vrsbzmihlx.sytes.net
vtsjylwpn.sytes.net
vtxuovx.sytes.net
vufmyutaa.sytes.net
vuqwotxjzh.sytes.net
vuszrrxgz.sytes.net
vvmlhwqdyf.sytes.net
vvqhtcqlag.sytes.net
vwpllgrzyi.sytes.net
vztxvnbvcm.sytes.net
waqogzx.sytes.net
wazeuamub.sytes.net
wbczcqvyqy.sytes.net
wberlpcamv.sytes.net
wcazyteltl.sytes.net
wcrutow.sytes.net
wcrzaay.sytes.net
wdrqinhog.sytes.net
wdxbkbkvfb.sytes.net
weerlmvf.sytes.net
wfcwdjpns.sytes.net
wfgdmeyh.sytes.net
wjpidxm.sytes.net
wkbxbphc.sytes.net
wkkonmr.sytes.net
wlcyxyset.sytes.net
wlwkpviaxo.sytes.net
wmjtzgvh.sytes.net
wnabpopd.sytes.net
wncvzmc.sytes.net
wnnobbrg.sytes.net
wopsxkr.sytes.net
wpjayns.sytes.net
wqbfspc.sytes.net
wqdmvidq.sytes.net
wqwotaff.sytes.net
wrksngvww.sytes.net
wwnvban.sytes.net
wwojxgft.sytes.net
wyosismir.sytes.net
wzngkbrnd.sytes.net
xaeyszyqb.sytes.net
xbjfnkh.sytes.net
xcrfxuwj.sytes.net
xdceqpmicv.sytes.net
xdunbolwp.sytes.net
xfkfvhlop.sytes.net
xftimelou.sytes.net
xifdigshb.sytes.net
xlqjuqjbu.sytes.net
xmghaiejgg.sytes.net
xmrooxov.sytes.net
xnijvhf.sytes.net
xnzfkga.sytes.net
xoyaxychfl.sytes.net
xpbulfwwzq.sytes.net
xpygkqywr.sytes.net
xrovnig.sytes.net
xrvmhqr.sytes.net
xsczctw.sytes.net
xsgxbpq.sytes.net
xsndilgqeo.sytes.net
xsrtmss.sytes.net
xtrxecn.sytes.net
xuszvcnrx.sytes.net
xxonpsjfp.sytes.net
xxqmbikoe.sytes.net
xzyvjkpsp.sytes.net
yasuwllnr.sytes.net
yaxxqlaeq.sytes.net
ybmsxldkxn.sytes.net
ydbzfswl.sytes.net
yftgcckpo.sytes.net
ygmiwtfo.sytes.net
yinhvdqypq.sytes.net
yjcwhlsoem.sytes.net
yjlcnxldea.sytes.net
yklnwbe.sytes.net
ymyslhqpu.sytes.net
ynmuveq.sytes.net
yntumiarur.sytes.net
yscpjyr.sytes.net
ywiqdkzn.sytes.net
yxcdcir.sytes.net
yyptzpia.sytes.net
yzzzjjhkd.sytes.net
zacioknthc.sytes.net
zaixfhag.sytes.net
zbuchkkire.sytes.net
zdrekdml.sytes.net
zemyqkhh.sytes.net
zigtkmwpi.sytes.net
zkybqqy.sytes.net
zkzldcyt.sytes.net
zmycttq.sytes.net
zosrtgxrgv.sytes.net
zsefjuub.sytes.net
zuwiipeyt.sytes.net
zuxjnyvdv.sytes.net
zzfcleki.sytes.net


The latest compromised site has been taken down (was cleaned, then got re-compromised - oh the joys), but be careful folks, as we all know, those found are likely just a very small portion to those actually housing malicious compromised. If you do find anymore leading to these, or any other malicious content, please do drop me an email or drop by the hpHosts forums, and let me know.

Friday, 18 October 2013

Alert: Malvertisement from 8.29.133.140

Investigating a new malicious site (reason7crack.com) led to zippyshare.com URLs, which once again, has led to malvertisements. This time from cpadominator.com (8.29.133.140).

The path for this little bit of badness was;

hxxp://reason7crack.com
-> hxxp://reason7crack.com/download/
--> hxxp://4j4.me/reason7crackmac.php
---> hxxp://a4caed69.linkbucks.com
--> hxxp://www30.zippyshare.com/v/80240661/file.html
---> hxxp://8.29.133.140/download/download5adcuk.php?src=ADC&kw=125524&lp=4
----> hxxp://cpadominator.com/campaigns/index.php?g=adcuk&src=ADC&kw=125524
-----> hxxp://cpadominator.com/campaigns/index.php?g=mplayeradcuk&src=ADC&kw=125524&lp=4
------> hxxp://secure.oi-installer7.com/o/flashproplayer_flashproplayer/Setup.exe?subid=flashproplayer_ADCUK-4-125524&filedescription=Setup&adprovider=flashproplayer&
--> hxxp://www57.zippyshare.com/v/65769005/file.html
---> hxxp://8.29.133.140/download/download5adcuk.php?src=ADC&kw=125524&lp=4
----> hxxp://cpadominator.com/campaigns/index.php?g=adcuk&src=ADC&kw=125524
-----> hxxp://cpadominator.com/campaigns/index.php?g=mplayeradcuk&src=ADC&kw=125524&lp=4
------> hxxp://secure.oi-installer7.com/o/flashproplayer_flashproplayer/Setup.exe?subid=flashproplayer_ADCUK-4-125524&filedescription=Setup&adprovider=flashproplayer&

Depending on the browser you're using, you'll see one of the following. The first was with the Gecko engine, and the second, with the Trident engine;



So iBryte/Optimum Installer - still want to try and tell me you're a fully ethical and legit, and non-adware company?

In both cases by the by, the offending ad network as usual (and as with almost all previous cases), was adscash.com. A few refreshes of the page, led to one of the other major offenders of fake Flash player etc pages, Performersoft LLC, courtesy of;

hxxp://clkmon.com/adServe/sa?pid=3092&cid=125524
-> hxxp://www.noyapps.com/lp/codecperformer/v17/?cid=3975&clickid=0038245225419101508&orig_client=ADCASHDWN-125524
--> hxxp://www.softologicsb.com/download/$qPo%2BRZlsIQYpuQgO?exename=CodecPerformerSetup&cid=3975&clickid=0038245225419101508&orig_client=ADCASHDWN-125524



Not surprisingly, these chaps (along with AirInstaller as it happens, who are protesting at their host (SingleHop) that they aren't malicious at all, and these documented accounts of malicious and otherwise misleading and unethical behaviour, are "spurious complaints" - of course they are - NOT!) are also swearing blind that they're legit.

Well sorry to burst your obviously opaque bubble, but as far as I am concerned, and there's plenty of evidence (such as the above) to support this, you're about as legit as Zango were, and the sooner your respective companies are shut down, the better for everyone (and as iLivid (aka iMesh, BearShare etc) have stopped responding to complaints, the same goes for them too).

Thursday, 17 October 2013

Alert: Fake Barclays email leads to banking trojan

This lovely little bit of maliciousness just arrived in my inbox, and isn't for a change, a phishing scam. Instead, it links to a banking trojan housed on Amazon's EC2 platform.



The image is the only thing displayed in the email, for those of you still keeping HTML email enabled (really should be using plain text only folks!), links to;

WARNING: FILE IS A TROJAN!!!!, NO CLICKITY ACTION UNLESS YOU KNOW WHAT YOU ARE DOING PLEASE!

hxxps://s3-us-west-2.amazonaws.com/ffg4t4/Co-operative_Safeguard.exe

MD5: 0f285aef13f5aa65487036019d5b6e38
SHA1: 9623e81b516995155d6584dd07bcfdc873f5a601
SHA256: baceb49fa853b536f460703f081c8ce05cd5a16403ad8b70de0a2cfe1a50d731

Sadly, only 3 detections are showing on VT for this at the time of writing

The headers for this one are;

Return-Path: <security@co-operative.co.uk><br> Delivered-To: <[REMOVED]><br> Received: from controller2.emailconfig.com ([109.68.33.145])<br>     by mailserver2.emailconfig.com (Dovecot) with LMTP id QQJhG2uGYFK0VgAAZ1oeBA<br>     for <[REMOVED]>; Fri, 18 Oct 2013 07:19:25 +0100<br> Return-Path: <security@co-operative.co.uk><br> Received: from mailserver2.emailconfig.com ([109.68.33.147])<br>     by controller2.emailconfig.com (Dovecot) with LMTP id 24VhE41tYFI2EwAAH46cUA<br>     ; Fri, 18 Oct 2013 07:19:25 +0100<br> X-Spam-Flag: YES<br> X-Spam-Score: 2.362<br> X-Spam-Level: **<br> X-Spam-Status: Yes, score=2.362 tagged_above=-9999 required=1.3<br>     tests=[BAYES_05=-0.5, HTML_IMAGE_ONLY_12=2.059, HTML_MESSAGE=0.001,<br>     HTML_SHORT_LINK_IMG_1=0.001, MPART_ALT_DIFF=0.79,<br>     RCVD_IN_DNSWL_NONE=-0.0001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001]<br>     autolearn=no<br> Received: from p3plsmtpa09-02.prod.phx3.secureserver.net (p3plsmtpa09-02.prod.phx3.secureserver.net [173.201.193.231])<br>     by mailserver2.emailconfig.com (Postfix) with ESMTP id A89304C050F<br>     for <[REMOVED]>; Fri, 18 Oct 2013 07:19:24 +0100 (BST)<br> Received: from xza3 ([168.61.24.93])<br>     by p3plsmtpa09-02.prod.phx3.secureserver.net with <br>     id eWKM1m00X20WsiG01WKPcm; Thu, 17 Oct 2013 23:19:23 -0700<br> x-spam-cmae: v=2.0 cv=atZs/1lV c=1 sm=1 p=miGKQwDS5fvxS68D:21<br> a=Gr/uMxE52D6c40cXNo6YQw==:17 a=268azE3ZuWQA:10 a=Eeb08FW8mmMA:10<br> a=EbKJ-zwr8X8A:10 a=M8Rd8IaqAAAA:8 a=g6oVcqyqMw4A:10 a=zSRKy_izAAAA:8<br> a=njwu2AU39EesGh8cbpQA:9 a=wPNLvfGTeEIA:10 a=WT9NgGiw_BEA:10<br> a=POmh68JVvv0A:10 a=w5t1Vozl0l2GyijLDsUA:9 a=_W_S_7VecoQA:10<br> a=Gr/uMxE52D6c40cXNo6YQw==:117<br> x-spam-account: ma844@vrnmtnef32982.com<br> x-spam-domain: vrnmtnef32982.com<br> From: "The Co-operative Bank" <security@co-operative.co.uk><br> Subject: The Co-operative Bank Security Module<br> To: [REMOVED]<br> Content-Type: multipart/alternative; boundary="uo4gwIAL9R7TXK=_WQ9msmDvC6vwWm595u"<br> MIME-Version: 1.0<br> Reply-To: security@co-operative.co.uk<br> Date: Fri, 18 Oct 2013 06:19:23 +0000<br> Message-Id: <20131018061921C32741A96F$1A61A32843@XZA><br> <br>

419: Fraudulent FedEx emails

The lads (and lasses) from Lagos are still alive and kicking, or rather, alive and spamming the crap out of everyone. Not that this is news - it's not stopped, they still come in daily, in their droves. The latest I've received arrived a few minutes ago, in the form of a fraudulent FedEx email.

We have been waiting for you to contact us for your Confirmable Package that is registered with us for shipping to your residential location.We had thought that your sender gave you our contact details.It may interest you to know that a letter is also added to your package.

We understand that the content of your package itself is a Bank Draft worth of $450,000.00 USD, FedEx do not ship money in CASH or in CHEQUES but Bank Drafts are shippable.The package is registered with us for mailing by your colleague, and your colleague explained that he is from the U.S.A but he is currently in Asia for a three (3) months Surveying Project as he works with a consultant firm in India, We are sending you this email because your package is been registered on a Special Order.

For your information,the VAT & Shipping charges as well as Insurance fees have been paid by your colleague before your package was registered. Note that the payment that is made on the Insurance, Premium & Clearance Certificates, are to certify that the Bank Draft is not a Drug Affiliated Fund (DAF) neither is it funds to sponsor Terrorism in your country. This will help you avoid any form of query from the Monetary Authority of your country.

However, you will have to pay a sum of $185USD to the FedEx Delivery Department being full payment for the Security Keeping Fee of the FedEx company as stated in our privacy terms & condition page. Send your Postal address ,telephone and your name in full this is mandatory to reconfirm your Postal address and telephone. Please note that packages are not shipped nor delivered on Saturday, Sunday and on holidays. If your order has been placed on any of these days, then it may be shipped the following business day.

Kindly complete the below form and send it to the FEDEX DELIVERY POST with the below information.This is mandatory to re-confirm your Postal address and telephone numbers.
FULL NAMES:
TELEPHONE:
POSTAL ADDRESS:
SEX:
AGE:
OCCUPATION:
CITY:
STATE:
COUNTRY:

FEDEX DELIVERY POST
Email:fedexdeliveryservicec@live.com
Phone number:+918587934306
Contact Person: Mr. Oscar J. Pinto

**ALL PACKAGES ARE SIGNATURE REQUIRED.
If you have any other questions or concerns, please feel free to contact
us between Monday ? Friday: 9:00am ? 9:00pm EST
Saturdays: 10:00am ? 5:00pm EST
Sundays: 10:00am - 4:00pm EST

Have a great day!

Federal Express Co-operation.
FedEx Online Team Management.
All rights reserved. © 1995-2013.



Headers:

Return-Path: <info@fedEx.com><br> Delivered-To: <[REMOVED]><br> Received: from controller1.emailconfig.com ([109.68.33.144])<br>     by mailserver2.emailconfig.com (Dovecot) with LMTP id eftgG2uGYFK0VgAAZ1oeBA<br>     for <[REMOVED]>; Fri, 18 Oct 2013 06:37:02 +0100<br> Return-Path: <info@fedEx.com><br> Received: from mailserver1.emailconfig.com ([109.68.33.146])<br>     by controller1.emailconfig.com (Dovecot) with LMTP id wEHXKXSiYFKicgAAm9UGAw<br>     ; Fri, 18 Oct 2013 06:37:02 +0100<br> X-Spam-Flag: YES<br> X-Spam-Score: 11.473<br> X-Spam-Level: ***********<br> X-Spam-Status: Yes, score=11.473 tagged_above=-9999 required=1.3<br>     tests=[ADVANCE_FEE_2_NEW_FORM=1.855, ADVANCE_FEE_2_NEW_FRM_MNY=0.098,<br>     ADVANCE_FEE_2_NEW_MONEY=2.665, BAYES_00=-1.9, DKIM_ADSP_DISCARD=1.8,<br>     FILL_THIS_FORM=0.001, FILL_THIS_FORM_LONG=3.404,<br>     FREEMAIL_FORGED_REPLYTO=2.095, LOTS_OF_MONEY=0.001, MONEY_FORM=0.001,<br>     RCVD_IN_BRBL_LASTEXT=1.449, SPF_FAIL=0.001,<br>     TO_EQ_FM_DOM_SPF_FAIL=0.001, TO_EQ_FM_SPF_FAIL=0.001,<br>     URIBL_BLOCKED=0.001] autolearn=no<br> Received: from mail.ranksitt.net (mail.ranksitt.net [202.40.176.66])<br>     by mailserver1.emailconfig.com (Postfix) with ESMTP id 9456A3408B9<br>     for <[REMOVED]>; Fri, 18 Oct 2013 06:37:01 +0100 (BST)<br> X-Virus-Scanned: amavisd-new at ranksitt.net<br> Received: from mail.ranksitt.net ([127.0.0.1])<br>     by localhost (mail.ranksitt.net [127.0.0.1]) (amavisd-new, port 10024)<br>     with ESMTP id LhmgMIKMbeko; Fri, 18 Oct 2013 11:35:18 +0600 (BDT)<br> X-Virus-Scanned: amavisd-new at ranksitt.net<br> Received: from mail.ranksitt.net ([127.0.0.1])<br>     by localhost (mail.ranksitt.net [127.0.0.1]) (amavisd-new, port 10026)<br>     with ESMTP id DrSzsycnA_6X; Fri, 18 Oct 2013 11:35:18 +0600 (BDT)<br> Received: from [101.63.190.85] (unknown [101.63.190.85])<br>     by mail.ranksitt.net (Postfix) with ESMTPSA id C107020EBDC;<br>     Fri, 18 Oct 2013 11:35:12 +0600 (BDT)<br> Content-Type: text/plain; charset="iso-8859-1"<br> MIME-Version: 1.0<br> Content-Transfer-Encoding: quoted-printable<br> Content-Description: Mail message body<br> Subject: You have a package with us<br> To: Recipients <info@fedEx.com><br> From: FedEx Delivery Service <info@fedEx.com><br> Date: Fri, 18 Oct 2013 06:36:41 +0100<br> Reply-To: fedexdeliveryservicec@live.com<br> Message-Id: <20131018053512.C107020EBDC@mail.ranksitt.net><br> <br>


Tuesday, 8 October 2013

Info: Attention Windows 7 (SP1) users

Microsoft have released an article and hotfix, that allows Windows 7 SP1 users to remove outdated (updates that have been superseded by newer updates) updates from their systems.

This article describes an update for the Disk Cleanup wizard in Windows 7 Service Pack 1 (SP1).

This update adds a new plugin to the Disk Cleanup wizard. After you install this update, you can use the Windows Update Cleanup option to delete Windows updates that you no longer need.

Notes

The Windows Update Cleanup option is available only when the Disk Cleanup wizard detects Windows updates that you do not need on the computer.

To enable you to roll back to previous updates, updates are stored in the WinSxS store even after they are superseded by later updates. Therefore, after you run the Disk Cleanup wizard, you may be unable to roll back to a superseded update. If you want to roll back to a superseded update that the Disk Cleanup wizard deletes, you can manually install the update.


Update is available that enables you to delete outdated Windows updates by using a new option in the Disk Cleanup wizard in Windows 7 SP1
http://support.microsoft.com/kb/2852386

Friday, 4 October 2013

hpHosts: Updated 04-10-2013

The hpHOSTS Hosts file has been updated. There is now a total of 246,284 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 04/10/2013 18:10
  2. Last Verified: 01/10/2013 13:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Sunday, 22 September 2013

iLivid, Cool Applications (Coolapptech), zippyshare.com at it again

Investigating a new malicious site, led to files housed on Zippyshare, and surprise surprise, this led once again, to misleading and blatantly fake "update required" rubbish from the likes of iLivid and the Israel based, Cool Applications (aka Coolapptech). No idea what exactly is going on over there, but there seems to be an upsurge of badness from Israel as far as misleading and blatantly irresponsible/unethical PPI/bundlers coming from there of late (one other Israel based company you'll be familiar with for example, is Installrex/Installex (aka Justplug.it) who are housing a plethora of badness on 46.19.138.158 (though their domains (e.g. amu.takegoldeninstalls.info) are now routing through CloudFlare (no big surprise, we already know they don't care)).

The URLs involved this time, are;

hxxp://www67.zippyshare.com/v/20636798/file.html
hxxp://www67.zippyshare.com/v/25295373/file.html
hxxp://www67.zippyshare.com/v/49669657/file.html
hxxp://www67.zippyshare.com/v/74299391/file.html
hxxp://www67.zippyshare.com/v/94707194/file.html
hxxp://www67.zippyshare.com/v/97528211/file.html
hxxp://www.freefilmshd.com/cash/flv/?did=35604643811379889464
hxxp://www.123-movie.com/mac/
hxxp://www.123-movie.com/iphone/
hxxp://www.123-movie.com/android/
hxxp://www.coolflvplayer.com/d/si/?dl=1&sr=mmm&chnl=adch&cid=xxxxxx
hxxp://coolflvplayer.com/d/default/default/?dl=1
hxxp://8.29.133.189/adc/download5adcuk.php?src=ADC&kw=125524&lp=4
hxxp://cpadominator.com/campaigns/index.php?g=mplayeradcuk&src=ADC&kw=125524&lp=4
hxxp://www.adcash.com/script/pop_packcpm.php?k=523f729b798eb334664.236196&h=85030c3e8afda40a25a3e5c30f8ff30c0eeb612a&id=0&ban=334664&r=146355&ref=h&data=
hxxp://lp.ilivid.com/?appid=706&subid=35604643811379889919
hxxp://download.ilivid.com/iLividSetup.exe
hxxp://www.adcash.com/ban/236180/202035_iLivid_300x250_MediaPlayerMSG.gif




The files themselves are signed using Comodo certificates, and in the case of the Cool Applications.com one, signed by;

Coolapptech
63 Rothscild Blvd.
Tel-Aviv
65785
IL

File    MD5    SHA1    SHA256    Size
coolflvplayer.com/d/default/default/FLVPlayerSetup.exe    1fe3e5d4e206e5c18781711ac4e84b35    2c5f024a67a91e2710ad19653894f85fc438576b    5771889715dddca59b17de17e0769e064ff9ce37c7c6d9b0f57886690d3b1c2e    850.20 KB
secure.oi-installer7.com/o/flashproplayer_flashproplayer/Setup.exe    afdd45a2a35a79b566a4e6bb395a25ea    ea34026502783c9160e616dfe3a579f83beb0ea8    97e10a65ebda0dca650df21212253cf5dd4e92f545d53a6cae60f4554ef71052    1629.15 KB
www.coolflvplayer.com/d/si/FLVPlayerSetup.exe    efb7f6bdbc33626ebe82f8dc9d844148    a96b06d3239bc20b4f1b1bd12b9580c22ec6e848    35ee8d005d3edd17f9fa8a86cc28f1244ac4bce860e286dede8c243392a4131c    850.20 KB
download.ilivid.com/iLividSetup.exe    b38b0d02c9b1733045b747ee43a8e44f    ed4dd9519f0e8d250dc8ee00360e482907e6dfb4    89d5797ceeca82d9925c6420d1b250b4d34ae1265e933f69bdf107ea50ea9e43    1590.00 KB


For those wondering, the files the site I was investigating led to are;

File    MD5    SHA1    SHA256    Size
Combat Arms Hack v.3.1.exe    95ce4934c1cb1d4d6dce95fe15fe8297    61330f480046600e06b21172d9fed72dd58a1444    54c62a5d25dc3fa3f3f7917991ad3b99df41e9d39643e0677cefce355089dd59    2836.50 KB
Fifa 13 Hack v.2.7.exe    aef605134d776897c3b6892ce0f61147    abad95e30e990da768e0954767d9df546326753c    a7d9bf49ca0f687f5354d2f845a103053e3112b16fa46dfe2a9435b2f44a6ea6    2215.50 KB
Forge Of Empires Hack v.1.7.exe    d79d27af5598a02017b4100d5e263cee    b95158ffa59c23696d566643656e2867e800d138    4f26351e38ed6b2c89666d4466acd2734bf9e04d572166e0062b9f707cb8d7b3    2215.50 KB
MegaPolis Hack v.1.6.exe    4e17054ca00fbf2da96cc49fc316be20    0c2b2ddaed176e8d2124c0a8663ff4bc3418df93    3c18ceb95c93c8ec28d72f9f3b900c6d9e79288779ac808d98c5fbc696e02c44    2215.50 KB
Wizard 101 Hack v. 4.2.exe    b73975959de436b7a9174ec555603ee6    9f84f0145b3b554005683bdf5524afa82038becc    5dc7baa20bc0a1ab697195d1e9332ef38de3661c7376883b5d29d50026027231    2216.00 KB
World Of Tanks Hack v.1.5.exe    03625b453fdd9126b199d4b1293d63fa    2b22f5e37f02e20986dbbd8278c81a4ab4d98183    c5ef8543e19aba784f2ba66524097898ba7b0f4a1fe4e7ea77b88dfa018bce30    2215.50 KB
Haven't analyzed these yet.