Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 25 July 2013

[ALERT] Fake Google Chrome, and yet more malicious SysTweak shenanigans again

Looking up the POST beep codes for a Sony Vaio led me to a thread on sevenforums.com a few minutes ago, which rather disgustingly (I'd say surprisingly, but I'm not surprised by SysTweak's ongoing badness anymore - they've been at it so long) led to 4 more examples of misleading advertising, one belonging to SparkTrust and 3 others belonging to SysTweak.

The first [1] of these is at least slightly better, not because it's not misleading - it definitely is (lack of outline around the ad, despite a little icon showing it belongs to an AdChoices ad, and claims of its being free when it isn't) - and this one belongs to SparkTrust, another company with a history of such behaviour.

The second [2] of these is a link that appears to be part of a signature of one of the responders on the forum, but those of us monitoring this for more than 5 minutes can easily identify its actual origin.

The third [3] and fourth are yet more SysTweak adverts, using poor attempts to appear as part of the page (note specifically both the lack of a clear outline around the ad, and the placement of the thread's title directly above each instance of the offending ads, at the top and bottom of the site).



And the offending URLs (first 3 are the SysTweak ads, the 4th is the SparkTrust ad);


In these cases, sevenforums.com themselves must share the blame, at least partly - they're the ones that chose not only the placement of the offending ads, but also chose to further mislead people by putting the icon and "Recommended Fix:" next to the top and bottom links for SysTweak. Shame on you!

We also have a case of PPI (pay per install) companies using even worse methods to peddle their adware and such - this time it's a fake Google Chrome:

googlechrome2013.com
IP: 208.113.174.122 (apache2-quell.sprite.dreamhost.com)
AS: 26347 DREAMHOST-AS - New Dream Network, LLC




The download button leads to (offender: DomaIQ);

hxxp://dls.nicdls.com/d/109/google-chrome/204/446

This is a direct download, no landing pages, nothing. So far, two different MZs (google-chrome.exe downloaded July 11th, and google-chrome(2).exe downloaded a few minutes ago), but I suspect there are more.

File    MD5    Size
/malware/dls.nicdls.com/google-chrome(2).exe    10095b71d0a9979b6e6b61a635ac713a    541.91 KB
/malware/dls.nicdls.com/google-chrome.exe    8e50c65c85f37580238624bc2bbc6b6b    222.29 KB


Downloads are detected, thankfully, with the detection name varying by vendor. Malwarebytes users will see it detected as Adware.DomaIQ. However, you'll notice the second file served is showing far fewer detections than the one downloaded a few days ago, which shows the W3i/DomaIQ miscreants are modifying the installer, and likely (only a suspicion at present) doing so to prevent flagging.

google-chrome(2).exe - https://www.virustotal.com/en/file/a48d285871ed7d9cc1abde280015500608ae4aa7f3cebe054123df2278fd4cf3/analysis/1374759940/

google-chrome.exe - https://www.virustotal.com/en/file/38f7cff6d599efd4de1d155835b9489e1342d2c214225167bda32d8b4790805d/analysis/1374759948/
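
An added example, not code from the original post: one way to record the behaviour described above, where a single download URL serves a different executable on a later fetch. The URL, dates and sample bytes are constructed placeholders, and `VariantTracker`, `is_pe` and `make_stub_pe` are hypothetical names.

```python
import hashlib
import struct
from collections import defaultdict


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


class VariantTracker:
    """Records every distinct binary seen per download URL (hypothetical helper)."""

    def __init__(self):
        self.seen = defaultdict(dict)  # url -> {sha256: first record}

    def observe(self, url: str, fetched_on: str, data: bytes) -> dict:
        sha256 = hashlib.sha256(data).hexdigest()
        record = {
            "url": url,
            "fetched_on": fetched_on,
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),  # identifier only, as in the post
            "sha256": sha256,
            "is_pe": is_pe(data),
            # New hash on a URL that already served something else: rotation.
            "rotated": bool(self.seen[url]) and sha256 not in self.seen[url],
        }
        self.seen[url].setdefault(sha256, record)
        return record

    def variants(self, url: str) -> list:
        return sorted(self.seen[url].values(), key=lambda r: r["fetched_on"])


def make_stub_pe(padding: bytes) -> bytes:
    """Constructed sample: minimal MZ/PE-shaped bytes, not a real executable."""
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return header + b"PE\x00\x00" + padding


if __name__ == "__main__":
    tracker = VariantTracker()
    url = "hxxp://downloads.example.test/installer"  # placeholder, defanged
    for day, pad in [("2013-07-11", b"A" * 64), ("2013-07-25", b"B" * 128)]:
        r = tracker.observe(url, day, make_stub_pe(pad))
        print(day, r["md5"], r["size"], "ROTATED" if r["rotated"] else "first seen")
```

A record with `rotated` set is the cue to resubmit the new hash for scanning rather than relying on the verdict for the earlier file.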

I'm going for takedown of this and other offending domains, but in the meantime, you'll want to block the IPs involved.

1 comment:

Scott Lange said...

I posted a link to this page on TenForums and it was deleted within an hour