Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 15 May 2013

ALERT: ad.yieldmanager.com, tuguu.com, nicdls.com, lastplayerfree.com, Babylon, 50.19.113.192

Investigating a piracy case earlier, I was absolutely disgusted to see the following, which shows Tuguu, owner of PPI programs such as Doma IQ, engaging in practices that are so misleading they make hackforums.net look legit.


Not only does this fake Flash Player advert lead straight to a download that is NOT (like you didn't see that coming) Flash, but it is so beyond not being Flash that it almost becomes Flash again. Hilariously, the installer also comes complete with a RunDLL error (obviously it wasn't written to handle paths with spaces in them).

So what is your PC surprised to hell with? Well, let's see, shall we:

1. DropDownDeals (adware/spyware)
2. PC Utilities Pro Optimizer Pro (scareware)
3. Yontoo (adware/spyware)
4. Delta Toolbar (adware/spyware)
5. Hijacked browser homepage and search page (courtesy of Delta-search.com, affiliate ID responsible: 120519)
6. MyBackupPC
7. Browser Protect (adware - DOES NOT PROTECT AGAINST ANYTHING!!!!)**
8. Babylon*


* Dear Babylon, it doesn't matter if you name it BabSolution, BabMaint or "I'm a cuddly bear, what harm could I do" - you're still filling the user's machine with crap without permission, you may as well don a strap on and tell the poor user to have their PC bend over (nice of you to drop the log_file.txt though, guessing you didn't mean to do that).


FYI folks, Babylon also adds BabMaint.exe to the scheduled tasks.

** BrowserProtect adds itself to the Scheduled Tasks, using sc.exe to auto-load it, so if you're trying to kill its task and wondering why it keeps coming back, this is one of the reasons - the other being the service it helpfully adds. This means even if you kill its tasks, the scheduled task will re-load them, and if you kill and delete both, the service it adds will re-load and re-add them. And the service can't be stopped; it decides to present an error whenever you try (sorry PerformerSoft, I'm much quicker than your processes and service seem to be, so whilst it took 3 attempts, the service was stopped and disabled without requiring a reboot).

Instead, you need to disable the service, reboot, then kill both the processes and the scheduled task (you'll have to be quick though, or the process will re-add the scheduled task).

To make matters worse, the installer adds things to load on startup, with broken paths - again due to its not being able to handle spaces in paths - who the hell tested this thing?
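Before following the removal order above (disable the service, reboot, then kill the processes and the scheduled task), it helps to know exactly which autostart entries the bundle left behind. The script below is an added example written for this post, not something shipped by hpHosts or any of the vendors named; it inventories the three persistence locations the post mentions (scheduled tasks, services, Run keys) and flags entries whose command line matches a search pattern, plus service and Run entries whose executable path is unquoted and contains a space (the "broken path" symptom). It is read-only and changes nothing. It assumes Windows 8 / Server 2012 or later for Get-ScheduledTask and an elevated PowerShell session; the search patterns are product names taken from the post, since the actual task and service names are not given there.

```powershell
# Added triage example (not from the hpHosts post). Read-only: lists autostart entries
# that match a name pattern or use an unquoted path containing a space.
# Assumptions: Windows 8 / Server 2012+ (Get-ScheduledTask), run as Administrator.
# The default patterns are product names from the post, not confirmed task/service names.
param(
    [string[]] $Patterns = @('BrowserProtect', 'BabMaint', 'Babylon', 'DropDownDeals', 'Yontoo', 'Delta')
)

$regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# True when a command line starts with an unquoted, space-containing path: the first
# whitespace-delimited token looks like a path (has a backslash) but does not end in a
# program extension, so Windows would try to run a truncated path such as C:\Program.
function Test-UnquotedPathWithSpace {
    param([string] $CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) { return $false }          # quoted: fine
    if (-not $cmd.Contains(' ')) { return $false }       # no space at all: fine
    $firstToken = $cmd.Split(' ')[0]
    return ($firstToken -match '\\' -and $firstToken -notmatch '\.(exe|dll|cmd|bat|com)$')
}

$findings = @()

# 1. Scheduled tasks: the post says BrowserProtect re-adds its task from the service.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ("$($task.TaskName) $cmd" -match $regex) {
            $findings += [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = $cmd
                State   = $task.State
                Reason  = 'name match'
            }
        }
    }
}

# 2. Services: PathName is the full command line as registered with sc.exe.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $reasons = @()
    if ("$($svc.Name) $($svc.DisplayName) $($svc.PathName)" -match $regex) { $reasons += 'name match' }
    if (Test-UnquotedPathWithSpace $svc.PathName) { $reasons += 'unquoted path with space' }
    if ($reasons) {
        $findings += [pscustomobject]@{
            Source  = 'Service'
            Name    = $svc.Name
            Command = $svc.PathName
            State   = "$($svc.State)/$($svc.StartMode)"
            Reason  = $reasons -join ', '
        }
    }
}

# 3. Run keys (per-machine, 32-bit-on-64-bit, and per-user).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath, PSChildName, etc.
        $cmd = [string] $p.Value
        $reasons = @()
        if ("$($p.Name) $cmd" -match $regex) { $reasons += 'name match' }
        if (Test-UnquotedPathWithSpace $cmd) { $reasons += 'unquoted path with space' }
        if ($reasons) {
            $findings += [pscustomobject]@{
                Source  = "Run ($key)"
                Name    = $p.Name
                Command = $cmd
                State   = 'n/a'
                Reason  = $reasons -join ', '
            }
        }
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Run it before and after the reboot the post recommends: any service still listed as Running/Auto after you believe you disabled it explains why the scheduled task keeps reappearing, and the "unquoted path with space" rows are the startup entries the installer wrote with broken paths.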

And again, to make matters worse, a page is loaded in the browser, on the lastplayerfree.com site, that offers yet more scareware (RegClean Pro) - this time from SysTweak.

Oh and, if you're planning on actually using your machine after it's finished crucifying your installation, forget it - it shot the IE process up to 90%, and it's remained at between 47% - 99% ever since (and it's been at least 20 minutes so far).

These kinds of tactics are getting my goat more and more, especially since the companies involved constantly complain when they're blacklisted, proclaiming their innocence, blaming everyone EXCEPT themselves, yet here we are again, with the likes of Babylon, PerformerSoft, Tuguu and their ilk, right back at it not 6 months after complaining about being blacklisted, saying they weren't doing this sort of thing. Well sorry, but you're not getting off anywhere near as easy, and don't even think of being given the benefit of the doubt this time because frankly, I've had enough.

In the meantime, for those who are interested, the URLs responsible are:

hxxp://ad.yieldmanager.com/clk?3,eJydjVtrhDAQhX-NbyLGuI1F-qBVl8oaK-wi9kW8RBPrjagr7q9vxKV972E4fMzMmQHQPIFcJwCiPDdUCJBmAkgyVFQqAIasmqYJNV0HELzqSF7dJbQRqqPIRlPj2taucJuuq3Wo3u3j4E9jd9dx6BJFR8sj.nNobTROrP.L6TZaPFmcFP9rx7DeKyUcH7r9t-ae8NmnOP5qLrH.jc.RHFy9NmCAJTFml2vLcFOrSXPTAy3ScP2bfJNlOs-jBC1J80St66pUdCL8TpRi6I6O8JK07E74JjCruDJSEfEeQ09YKUEHqkiVtJciF8x6kZ5TnvXl0KX90uWEp5Rw8gOYWnNG,

-> hxxp://50.19.113.192/classify/clkreg1.aspx?nid=73,ina=UK_Flashplayer_DD%20,inu=1547438,adt=0,pid=660218,cid=6718770,sid=126766016,erf=http%3A%2F%2Fwww%2Efhserve%2Ecom%2Fwww%2Fdelivery%2Fafr%2Ephp%3Fzoneid%3D3070%26cb%3Dinsert%5Frandom%5Fnumber%5Fhere,seid=4317374,ceid=20034171,aid=,mpt=1368614960,plid=102635,dp2=wEuOB77gQQB7sjEBAAAAAOysTwAAAAAAAgAAAAIAAAAAAP8AAAAEDDhuQQAAAAAAFeJIAAAAAAAyhWYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADmyhcAAAAAAAIAAwAAgD8AZprRpz4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJzz8fZyNHAMLMgNz46K8C3yCwgvCvZKzQmP8PW0DChxt8h11NUFANpFC5M=,u=http%3a%2f%2fcp.lastplayerfree.com%2fpasarela%2faffp%2f1090%2fClickID%3d%5bce_cid%5d%26PubID%3d%5bPUB_ID%5d

--> hxxp://cp.lastplayerfree.com/pasarela/affp/1090/ClickID=7bafd328-cfea-440f-bba5-98da0b0d7d9f,wEuOB77gQQB7sjEBAAAAAOysTwAAAAAAAgAAAAIAAAAAAP8AAAAEDDhuQQAAAAAAFeJIAAAAAAAyhWYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADmyhcAAAAAAAIAAwAAgD8AZprRpz4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJzz8fZyNHAMLMgNz46K8C3yCwgvCvZKzQmP8PW0DChxt8h11NUFANpFC5M=&PubID=711026358266021893

---> hxxp://cp.tuguu.com/pasarela/download.php?p=1090&_so=1&_bw=2&_sv=5.1&_bv=1.5&_ip=1365764900&_cc=GB&asdd=1&_qs=ClickID%3D7bafd328-cfea-440f-bba5-98da0b0d7d9f%2CwEuOB77gQQB7sjEBAAAAAOysTwAAAAAAAgAAAAIAAAAAAP8AAAAEDDhuQQAAAAAAFeJIAAAAAAAyhWYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADmyhcAAAAAAAIAAwAAgD8AZprRpz4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D%2CeJzz8fZyNHAMLMgNz46K8C3yCwgvCvZKzQmP8PW0DChxt8h11NUFANpFC5M%3D%26PubID%3D711026358266021893

----> hxxp://cp.lastplayerfree.com/pasarela/doma/dls.nicdls.com/p/151/FlashPlayer/364/479/1090.60.141.07ccfc34

-----> hxxp://dls.nicdls.com/p/151/FlashPlayer/364/479/V.130874420b

You'll also find the certificate the installer is signed with was provided by GoDaddy (and yep, I'll be having a word with them too).
