Blog for hpHosts, and whatever else I feel like writing about ....

Friday 31 May 2013

hpHosts: Updated 01-06-2013

The hpHOSTS Hosts file has been updated. There are now a total of 193,822 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Last Updated: 01/06/2013 03:00
  2. Last Verified: 01/06/2013 00:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Thursday 23 May 2013

Updates: Quite a few

Quite a few updates over the past few days. First and foremost, the bug with sURL is fixed. Secondly, whilst the hpHosts site is still having issues, I've modified the config to try and alleviate the issue, so it should stay up longer than it was. I've also got updates to a few programs going up over the next 72 hours or so (desperate for sleep, and my body and sleeping tablets have decided I've got to stay awake, despite my having been awake since yesterday, driving for 8+ hours from the other end of the country back home, and stressed to holy hell and back - oh the joys). The next full hpHosts update will also be getting pushed out over the next 48 hours. There were a few others, but my brain is fried so I can't remember what else I was going to mention - it'll come back to me.

Sunday 19 May 2013

Misleading marketing: Uniblue + pcguide.com - but everyone's doing it!

Doing a quick search for something earlier, I stumbled upon pcguide.com, and whilst I'm now used to (but still hate) seeing security sites, support forums etc. plastering ads all over the place (some even in the first, and then every other, post), I still get irked when I see this kind of thing.

What makes this worse is that it's not being delivered via an ad network this time - the "advert", if you can call it that, is housed on pcguide.com itself.

hxxp://www.pcguide.com/uniblue.jpg

For an alleged security forum to use blatantly misleading adverts just to push their affiliate link is simply abhorrent.



Since they didn't want to, I've added a little red box around the offending advert, for those wondering which one I'm referring to.

As for Uniblue, well, we already know they're no stranger to the use of misleading marketing, given they've been caught doing so countless times - and that's ignoring cases such as this one, where it's their affiliates using it.

Needless to say, pcguide.com has been added to the hpHosts blacklist (classification: MMT); Uniblue.com was re-added back in February for exactly the same thing.

URLs involved:

hxxp://www.liutilities.com/affcb/?id=DSgen&aff=3165&xat=gen
-> hxxp://www.uniblue.com/cm/general/driverscanner/dslitrafficdp/download/

No direct download (as has been the case with a few others), which is about the only good thing about this, but for those wondering, the download you're led to is:

hxxp://download.uniblue.com/cm/general/driverscanner/dslitrafficdp/setup/driverscanner.exe

Wednesday 15 May 2013

ALERT: ad.yieldmanager.com, tuguu.com, nicdls.com, lastplayerfree.com, Babylon, 50.19.113.192

Investigating a piracy case earlier, I was absolutely disgusted to see the following, which shows Tuguu, owner of PPI (pay-per-install) programs such as Doma IQ, engaging in practices that are so misleading they make hackforums.net look legit.


Not only does this fake Flash Player advert lead straight to a download that is NOT (like you didn't see that coming) Flash, but it is so far beyond not being Flash that it almost becomes Flash again. Hilariously, the installer also comes complete with a RunDLL error (it obviously wasn't written to handle paths with spaces in them).

So what is your PC surprised to hell with? Well, let's see, shall we:

1. DropDownDeals (adware/spyware)
2. PC Utilities Pro Optimizer Pro (scareware)
3. Yontoo (adware/spyware)
4. Delta Toolbar (adware/spyware)
5. Hijacked browser homepage and search page (courtesy of Delta-search.com; affiliate ID responsible: 120519)
6. MyBackupPC
7. Browser Protect (adware - DOES NOT PROTECT AGAINST ANYTHING!!!!)**
8. Babylon*


* Dear Babylon, it doesn't matter if you name it BabSolution, BabMaint or "I'm a cuddly bear, what harm could I do" - you're still filling the user's machine with crap without permission; you may as well don a strap-on and tell the poor user to have their PC bend over (nice of you to drop the log_file.txt, though; guessing you didn't mean to do that).


FYI folks, Babylon also adds BabMaint.exe to the scheduled tasks.

** BrowserProtect adds itself to the Scheduled Tasks, using sc.exe to auto-load it, so if you're trying to kill its task and wondering why it keeps coming back, this is one of the reasons - the other being the service it helpfully adds. This means that even if you kill its processes, the scheduled task will re-load them, and if you kill and delete both, the service it adds will re-load and re-add them. And the service can't be stopped: it presents an error whenever you try (sorry PerformerSoft, I'm much quicker than your processes and service seem to be, so whilst it took 3 attempts, the service was stopped and disabled without requiring a reboot).

Instead, you need to disable the service, reboot, then kill both the processes and the scheduled task (you'll have to be quick though, or the process will re-add the scheduled task).



To make matters worse, the installer adds things to load on startup with broken paths - again due to its not being able to handle spaces in paths. Who the hell tested this thing?
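For those who want to check a machine for this kind of service-plus-scheduled-task arrangement rather than chase it by hand in Task Manager, here's an added example of mine (it is not the author's tooling, and PerformerSoft's real service and task names aren't given in the post, so the "BrowserProtect" names and the "C:\Program Files\Browser Protect" paths below are assumptions). It parses the text that `schtasks /query /fo CSV /v` and `sc qc <service>` print, flags any task and service whose executables live in the same directory, and emits the removal commands in the order the post arrives at: service disabled first, reboot, then task and processes. The two samples are constructed, with the schtasks header cut down to the columns used; the unquoted-path handling in `command_exe` covers the broken, space-containing paths mentioned above.

```python
"""Find a Windows service and scheduled task that prop each other up.

Added example for the BrowserProtect behaviour described in the 15 May 2013
post; not the author's tooling. Service/task names and paths are assumed.
It reads the text printed by `schtasks /query /fo CSV /v` and `sc qc
<service>`; both samples below are constructed for this example.
"""
import csv
import io
import ntpath
import re

# Constructed sample: header abbreviated to the columns this script reads.
SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"VICTIM-PC","\BrowserProtect","Ready","VICTIM-PC\User","C:\Program Files\Browser Protect\BrowserProtect.exe -scheduled"
"VICTIM-PC","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c"
'''

# Constructed sample in the layout `sc qc <service>` prints.
SC_QC = r'''[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BrowserProtect
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Browser Protect\BrowserProtectSvc.exe" -svc
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Browser Protect
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
'''


def command_exe(command):
    r"""Executable path from a Windows command line.

    A quoted path is unambiguous. An unquoted path with spaces (what the post
    says this installer writes) is resolved by Windows by trying
    "C:\Program.exe", "C:\Program Files\Browser.exe", ... in turn; statically,
    the text up to the first ".exe" is the usual reading (a heuristic).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ", 1)[0]


def parse_schtasks(csv_text):
    """Rows of `schtasks /query /fo CSV /v` as (task name, executable)."""
    return [(row["TaskName"], command_exe(row["Task To Run"]))
            for row in csv.DictReader(io.StringIO(csv_text))]


def parse_sc_qc(text):
    """`sc qc` output as a dict keyed by its upper-case field names, plus
    'exe' for the executable extracted from BINARY_PATH_NAME."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not name.startswith("["):
            fields[name.strip()] = value.strip()
    fields["exe"] = command_exe(fields.get("BINARY_PATH_NAME", ""))
    return fields


def reinforcing_pairs(tasks, services):
    """Task/service pairs whose executables share a directory: the pattern in
    the post, where the service restores the task and the task restarts the
    processes. Returns (task name, service name) tuples."""
    pairs = []
    for task_name, task_exe in tasks:
        for svc in services:
            same_dir = (ntpath.normcase(ntpath.dirname(task_exe))
                        == ntpath.normcase(ntpath.dirname(svc["exe"])))
            if task_exe and svc["exe"] and same_dir:
                pairs.append((task_name, svc["SERVICE_NAME"]))
    return pairs


def removal_commands(service, task, exes):
    """The order the post arrives at: disable the service first, reboot so
    nothing is left to re-create the task, then delete the task and kill the
    processes. Any other order lets the survivor restore the rest."""
    return [
        f'sc config "{service}" start= disabled',
        f'sc stop "{service}"',
        "shutdown /r /t 0",
        f'schtasks /delete /tn "{task}" /f',
    ] + [f'taskkill /f /im "{ntpath.basename(exe)}"' for exe in exes]


if __name__ == "__main__":
    tasks = parse_schtasks(SCHTASKS_CSV)
    service = parse_sc_qc(SC_QC)
    for task_name, svc_name in reinforcing_pairs(tasks, [service]):
        print(f"task {task_name} and service {svc_name} share a directory")
        exes = [service["exe"]] + [exe for name, exe in tasks if name == task_name]
        print("\n".join(removal_commands(svc_name, task_name, exes)))
```

On a live machine you'd feed it the real output of the two commands (run from an elevated prompt) instead of the samples; the directory match is deliberately loose, so treat a hit as something to look at, not proof.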

And again, to make matters worse, a page is loaded in the browser, on the lastplayerfree.com site, that offers yet more scareware (RegClean Pro) - this time from SysTweak.

Oh, and if you're planning on actually using your machine after it's finished crucifying your installation, forget it - it shot the IE process up to 90% CPU, and it's remained at between 47% and 99% ever since (and it's been at least 20 minutes so far).

These kinds of tactics are getting my goat more and more, especially since the companies involved constantly complain when they're blacklisted, proclaiming their innocence and blaming everyone EXCEPT themselves, yet here we are again, with the likes of Babylon, PerformerSoft, Tuguu and their ilk right back at it not 6 months after complaining about being blacklisted and saying they weren't doing this sort of thing. Well, sorry, but you're not getting off anywhere near as easily, and don't even think of being given the benefit of the doubt this time because, frankly, I've had enough.

In the meantime, the URLs responsible, for those who are interested, are:

hxxp://ad.yieldmanager.com/clk?3,eJydjVtrhDAQhX-NbyLGuI1F-qBVl8oaK-wi9kW8RBPrjagr7q9vxKV972E4fMzMmQHQPIFcJwCiPDdUCJBmAkgyVFQqAIasmqYJNV0HELzqSF7dJbQRqqPIRlPj2taucJuuq3Wo3u3j4E9jd9dx6BJFR8sj.nNobTROrP.L6TZaPFmcFP9rx7DeKyUcH7r9t-ae8NmnOP5qLrH.jc.RHFy9NmCAJTFml2vLcFOrSXPTAy3ScP2bfJNlOs-jBC1J80St66pUdCL8TpRi6I6O8JK07E74JjCruDJSEfEeQ09YKUEHqkiVtJciF8x6kZ5TnvXl0KX90uWEp5Rw8gOYWnNG,

-> hxxp://50.19.113.192/classify/clkreg1.aspx?nid=73,ina=UK_Flashplayer_DD%20,inu=1547438,adt=0,pid=660218,cid=6718770,sid=126766016,erf=http%3A%2F%2Fwww%2Efhserve%2Ecom%2Fwww%2Fdelivery%2Fafr%2Ephp%3Fzoneid%3D3070%26cb%3Dinsert%5Frandom%5Fnumber%5Fhere,seid=4317374,ceid=20034171,aid=,mpt=1368614960,plid=102635,dp2=wEuOB77gQQB7sjEBAAAAAOysTwAAAAAAAgAAAAIAAAAAAP8AAAAEDDhuQQAAAAAAFeJIAAAAAAAyhWYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADmyhcAAAAAAAIAAwAAgD8AZprRpz4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJzz8fZyNHAMLMgNz46K8C3yCwgvCvZKzQmP8PW0DChxt8h11NUFANpFC5M=,u=http%3a%2f%2fcp.lastplayerfree.com%2fpasarela%2faffp%2f1090%2fClickID%3d%5bce_cid%5d%26PubID%3d%5bPUB_ID%5d

--> hxxp://cp.lastplayerfree.com/pasarela/affp/1090/ClickID=7bafd328-cfea-440f-bba5-98da0b0d7d9f,wEuOB77gQQB7sjEBAAAAAOysTwAAAAAAAgAAAAIAAAAAAP8AAAAEDDhuQQAAAAAAFeJIAAAAAAAyhWYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADmyhcAAAAAAAIAAwAAgD8AZprRpz4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJzz8fZyNHAMLMgNz46K8C3yCwgvCvZKzQmP8PW0DChxt8h11NUFANpFC5M=&PubID=711026358266021893

---> hxxp://cp.tuguu.com/pasarela/download.php?p=1090&_so=1&_bw=2&_sv=5.1&_bv=1.5&_ip=1365764900&_cc=GB&asdd=1&_qs=ClickID%3D7bafd328-cfea-440f-bba5-98da0b0d7d9f%2CwEuOB77gQQB7sjEBAAAAAOysTwAAAAAAAgAAAAIAAAAAAP8AAAAEDDhuQQAAAAAAFeJIAAAAAAAyhWYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADmyhcAAAAAAAIAAwAAgD8AZprRpz4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D%2CeJzz8fZyNHAMLMgNz46K8C3yCwgvCvZKzQmP8PW0DChxt8h11NUFANpFC5M%3D%26PubID%3D711026358266021893

----> hxxp://cp.lastplayerfree.com/pasarela/doma/dls.nicdls.com/p/151/FlashPlayer/364/479/1090.60.141.07ccfc34

-----> hxxp://dls.nicdls.com/p/151/FlashPlayer/364/479/V.130874420b

You'll also find that the certificate the installer is signed with was provided by GoDaddy (and yep, I'll be having a word with them too).
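Since the chain above is a good specimen of how these affiliate trackers nest one URL inside another, here's an added example (mine, not part of the original post) that pulls it apart offline. The six URLs are the defanged ones listed above, copied verbatim. Everything else is this example's own: the function names, the handling of clkreg1.aspx's comma-separated query string (parameter names are assumed to be short identifiers so the base64 blobs don't get mistaken for them), and the readings of `mpt` as a Unix timestamp and `_ip` as the visitor's IPv4 address packed into an integer - both assumptions, though the first lands on the date of this post and the second is consistent with `_cc=GB`. It also shows which hosts in the chain can go into a 127.0.0.1-style hosts file and which (the bare 50.19.113.192) cannot, because a hosts file only maps names.

```python
"""Unpick the fake-Flash redirect chain from the 15 May 2013 post.

Added example; not the author's tooling. CHAIN holds the post's defanged
URLs. Comma-query parsing and the `mpt`/`_ip` interpretations are assumed.
"""
import re
import socket
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, unquote, urlsplit

CHAIN = [
    "hxxp://ad.yieldmanager.com/clk?3,eJydjVtrhDAQhX-NbyLGuI1F-qBVl8oaK-wi9kW8RBPrjagr7q9vxKV972E4fMzMmQHQPIFcJwCiPDdUCJBmAkgyVFQqAIasmqYJNV0HELzqSF7dJbQRqqPIRlPj2taucJuuq3Wo3u3j4E9jd9dx6BJFR8sj.nNobTROrP.L6TZaPFmcFP9rx7DeKyUcH7r9t-ae8NmnOP5qLrH.jc.RHFy9NmCAJTFml2vLcFOrSXPTAy3ScP2bfJNlOs-jBC1J80St66pUdCL8TpRi6I6O8JK07E74JjCruDJSEfEeQ09YKUEHqkiVtJciF8x6kZ5TnvXl0KX90uWEp5Rw8gOYWnNG,",
    "hxxp://50.19.113.192/classify/clkreg1.aspx?nid=73,ina=UK_Flashplayer_DD%20,inu=1547438,adt=0,pid=660218,cid=6718770,sid=126766016,erf=http%3A%2F%2Fwww%2Efhserve%2Ecom%2Fwww%2Fdelivery%2Fafr%2Ephp%3Fzoneid%3D3070%26cb%3Dinsert%5Frandom%5Fnumber%5Fhere,seid=4317374,ceid=20034171,aid=,mpt=1368614960,plid=102635,dp2=wEuOB77gQQB7sjEBAAAAAOysTwAAAAAAAgAAAAIAAAAAAP8AAAAEDDhuQQAAAAAAFeJIAAAAAAAyhWYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADmyhcAAAAAAAIAAwAAgD8AZprRpz4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJzz8fZyNHAMLMgNz46K8C3yCwgvCvZKzQmP8PW0DChxt8h11NUFANpFC5M=,u=http%3a%2f%2fcp.lastplayerfree.com%2fpasarela%2faffp%2f1090%2fClickID%3d%5bce_cid%5d%26PubID%3d%5bPUB_ID%5d",
    "hxxp://cp.lastplayerfree.com/pasarela/affp/1090/ClickID=7bafd328-cfea-440f-bba5-98da0b0d7d9f,wEuOB77gQQB7sjEBAAAAAOysTwAAAAAAAgAAAAIAAAAAAP8AAAAEDDhuQQAAAAAAFeJIAAAAAAAyhWYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADmyhcAAAAAAAIAAwAAgD8AZprRpz4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJzz8fZyNHAMLMgNz46K8C3yCwgvCvZKzQmP8PW0DChxt8h11NUFANpFC5M=&PubID=711026358266021893",
    "hxxp://cp.tuguu.com/pasarela/download.php?p=1090&_so=1&_bw=2&_sv=5.1&_bv=1.5&_ip=1365764900&_cc=GB&asdd=1&_qs=ClickID%3D7bafd328-cfea-440f-bba5-98da0b0d7d9f%2CwEuOB77gQQB7sjEBAAAAAOysTwAAAAAAAgAAAAIAAAAAAP8AAAAEDDhuQQAAAAAAFeJIAAAAAAAyhWYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADmyhcAAAAAAAIAAwAAgD8AZprRpz4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D%2CeJzz8fZyNHAMLMgNz46K8C3yCwgvCvZKzQmP8PW0DChxt8h11NUFANpFC5M%3D%26PubID%3D711026358266021893",
    "hxxp://cp.lastplayerfree.com/pasarela/doma/dls.nicdls.com/p/151/FlashPlayer/364/479/1090.60.141.07ccfc34",
    "hxxp://dls.nicdls.com/p/151/FlashPlayer/364/479/V.130874420b",
]


def refang(url):
    """Turn the post's defanged hxxp:// back into http:// for parsing only."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def chain_hosts(urls):
    """Hosts contacted along the chain, in first-seen order."""
    seen = []
    for url in urls:
        host = urlsplit(refang(url)).hostname
        if host not in seen:
            seen.append(host)
    return seen


def hosts_file_lines(hosts):
    """127.0.0.1-style hosts file lines for the names; bare IPs are returned
    separately because a hosts file cannot block them (use the firewall)."""
    names = [h for h in hosts if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h)]
    ips = [h for h in hosts if h not in names]
    return ["127.0.0.1\t" + h for h in names], ips


def parse_comma_query(url):
    """clkreg1.aspx separates parameters with commas, not '&'. A token only
    counts as name=value when its name is a short identifier (assumption);
    the base64 blobs, whose '=' padding would otherwise look like a
    separator, are kept as opaque positional values."""
    params, opaque = {}, []
    for token in urlsplit(refang(url)).query.split(","):
        name, sep, value = token.partition("=")
        if sep and re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]{0,31}", name):
            params[name] = unquote(value)
        else:
            opaque.append(token)
    return params, opaque


def landing_page(tracker_url):
    """`u=` carries the next hop, with the ad server's click-ID and
    publisher-ID macros ([ce_cid], [PUB_ID]) still unexpanded."""
    return parse_comma_query(tracker_url)[0]["u"]


def click_timestamp(tracker_url):
    """`mpt` read as a Unix timestamp (assumption; it matches the post date)."""
    params, _ = parse_comma_query(tracker_url)
    return datetime.fromtimestamp(int(params["mpt"]), tz=timezone.utc)


def download_request(download_url):
    """cp.tuguu.com/download.php uses a normal '&' query; `_qs` re-encodes the
    affiliate parameters, and `_ip` is assumed to be the visitor's IPv4
    address packed big-endian into an integer."""
    q = parse_qs(urlsplit(refang(download_url)).query, keep_blank_values=True)
    inner = parse_qs(q["_qs"][0], keep_blank_values=True)
    return {
        "affiliate": q["p"][0],
        "country": q["_cc"][0],
        "ip": socket.inet_ntoa(struct.pack("!I", int(q["_ip"][0]))),
        "click_id": inner["ClickID"][0].split(",")[0],
        "pub_id": inner["PubID"][0],
    }


if __name__ == "__main__":
    hosts = chain_hosts(CHAIN)
    lines, ips = hosts_file_lines(hosts)
    print("hosts in chain:", hosts)
    print("hosts file lines:", *lines, sep="\n  ")
    print("block at the firewall instead:", ips)
    print("referrer frame:", parse_comma_query(CHAIN[1])[0]["erf"])
    print("landing page template:", landing_page(CHAIN[1]))
    print("click time (UTC):", click_timestamp(CHAIN[1]))
    print("download request:", download_request(CHAIN[3]))
```

The decoded `erf` parameter is worth a look on its own: it is the page that framed the advert, so it tells you where the fake-Flash creative was actually being served from, which the blacklist entries above don't.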

Info: hpHosts server down

The hpHosts server has been down for the last couple of hours or so. I'm aware of the problem and am trying to get it resolved.

Sorry for any inconvenience folks.

Monday 6 May 2013

SparkTrust: You've still not learnt then?

Yet another instance of misleading advertising by SparkTrust was found a few minutes ago, this time via Google AdWords (surprise, surprise).



And the site you're pointed to also fails miserably to notify you that the program is NOT free, that you HAVE TO PAY FOR IT before it'll actually do anything other than scan.



You'd have thought these companies would've learnt by now, but sadly not, and I doubt they'll change as long as there's money to be made from vulnerable and gullible victims.

References:

IAC Toolbars and Traffic Arbitrage in 2013
http://www.benedelman.org/news/012213-1.html

Misleading Advertising: SparkTrust has a go
http://hphosts.blogspot.com/2013/01/misleading-marketing-sparktrust-has-ago.html

Malwarebytes Unpacked: Misleading advertising
http://blog.malwarebytes.org/intelligence/2012/12/misleading-advertising/

Comodo replace malware with err - malware?
http://hphosts.blogspot.co.uk/2009/07/comodo-replace-malware-with-err-malware.html

Twitter spam: IAC WebFetti
http://hphosts.blogspot.co.uk/2009/12/twitter-spam-iac-webfetti.html

IAC: Still not stopping "rogue affiliates"
http://hphosts.blogspot.co.uk/2010/11/iac-still-not-stopping-rogue-affiliates.html

Mindspark/IAC: Misleading marketing (again)
http://hphosts.blogspot.co.uk/2010/05/mindsparkiac-misleading-marketing-again.html

Misleading marketing: Fake IM advert - Déjà Vu
http://hphosts.blogspot.co.uk/2010/05/misleading-marketing-fake-im-advert.html

IAC/MindSpark: Scamming with a twist
http://hphosts.blogspot.co.uk/2010/02/iacmindspark-scamming-with-twist.html

Symantec - we knew they weren't trustworthy, but this is a new low
http://hphosts.blogspot.co.uk/2009/03/symantec-we-knew-they-werent.html

Saturday 4 May 2013

[INFO] Email server issues

Just a note folks: the incoming mail server started having issues again yesterday (the incoming server is controlled by Domain Monster). I spoke to them today and they're looking into it, but in the meantime it means I can't receive e-mails.