Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 22 September 2013

iLivid, Cool Applications (Coolapptech), zippyshare.com at it again

Investigating a new malicious site, led to files housed on Zippyshare, and surprise surprise, this led once again, to misleading and blatantly fake "update required" rubbish from the likes of iLivid and the Israel based, Cool Applications (aka Coolapptech). No idea what exactly is going on over there, but there seems to be an upsurge of badness from Israel as far as misleading and blatantly irresponsible/unethical PPI/bundlers coming from there of late (one other Israel based company you'll be familiar with for example, is Installrex/Installex (aka Justplug.it) who are housing a plethora of badness on 46.19.138.158 (though their domains (e.g. amu.takegoldeninstalls.info) are now routing through CloudFlare (no big surprise, we already know they don't care)).

The URLs involved this time, are;

hxxp://www67.zippyshare.com/v/20636798/file.html
hxxp://www67.zippyshare.com/v/25295373/file.html
hxxp://www67.zippyshare.com/v/49669657/file.html
hxxp://www67.zippyshare.com/v/74299391/file.html
hxxp://www67.zippyshare.com/v/94707194/file.html
hxxp://www67.zippyshare.com/v/97528211/file.html
hxxp://www.freefilmshd.com/cash/flv/?did=35604643811379889464
hxxp://www.123-movie.com/mac/
hxxp://www.123-movie.com/iphone/
hxxp://www.123-movie.com/android/
hxxp://www.coolflvplayer.com/d/si/?dl=1&sr=mmm&chnl=adch&cid=xxxxxx
hxxp://coolflvplayer.com/d/default/default/?dl=1
hxxp://8.29.133.189/adc/download5adcuk.php?src=ADC&kw=125524&lp=4
hxxp://cpadominator.com/campaigns/index.php?g=mplayeradcuk&src=ADC&kw=125524&lp=4
hxxp://www.adcash.com/script/pop_packcpm.php?k=523f729b798eb334664.236196&h=85030c3e8afda40a25a3e5c30f8ff30c0eeb612a&id=0&ban=334664&r=146355&ref=h&data=
hxxp://lp.ilivid.com/?appid=706&subid=35604643811379889919
hxxp://download.ilivid.com/iLividSetup.exe
hxxp://www.adcash.com/ban/236180/202035_iLivid_300x250_MediaPlayerMSG.gif




The files themselves are signed using Comodo certificates, and in the case of the Cool Applications.com one, signed by;

Coolapptech
63 Rothscild Blvd.
Tel-Aviv
65785
IL

File    MD5    SHA1    SHA256    Size
coolflvplayer.com/d/default/default/FLVPlayerSetup.exe    1fe3e5d4e206e5c18781711ac4e84b35    2c5f024a67a91e2710ad19653894f85fc438576b    5771889715dddca59b17de17e0769e064ff9ce37c7c6d9b0f57886690d3b1c2e    850.20 KB
secure.oi-installer7.com/o/flashproplayer_flashproplayer/Setup.exe    afdd45a2a35a79b566a4e6bb395a25ea    ea34026502783c9160e616dfe3a579f83beb0ea8    97e10a65ebda0dca650df21212253cf5dd4e92f545d53a6cae60f4554ef71052    1629.15 KB
www.coolflvplayer.com/d/si/FLVPlayerSetup.exe    efb7f6bdbc33626ebe82f8dc9d844148    a96b06d3239bc20b4f1b1bd12b9580c22ec6e848    35ee8d005d3edd17f9fa8a86cc28f1244ac4bce860e286dede8c243392a4131c    850.20 KB
download.ilivid.com/iLividSetup.exe    b38b0d02c9b1733045b747ee43a8e44f    ed4dd9519f0e8d250dc8ee00360e482907e6dfb4    89d5797ceeca82d9925c6420d1b250b4d34ae1265e933f69bdf107ea50ea9e43    1590.00 KB


For those wondering, the files the site I was investigating led to are;

File    MD5    SHA1    SHA256    Size
Combat Arms Hack v.3.1.exe    95ce4934c1cb1d4d6dce95fe15fe8297    61330f480046600e06b21172d9fed72dd58a1444    54c62a5d25dc3fa3f3f7917991ad3b99df41e9d39643e0677cefce355089dd59    2836.50 KB
Fifa 13 Hack v.2.7.exe    aef605134d776897c3b6892ce0f61147    abad95e30e990da768e0954767d9df546326753c    a7d9bf49ca0f687f5354d2f845a103053e3112b16fa46dfe2a9435b2f44a6ea6    2215.50 KB
Forge Of Empires Hack v.1.7.exe    d79d27af5598a02017b4100d5e263cee    b95158ffa59c23696d566643656e2867e800d138    4f26351e38ed6b2c89666d4466acd2734bf9e04d572166e0062b9f707cb8d7b3    2215.50 KB
MegaPolis Hack v.1.6.exe    4e17054ca00fbf2da96cc49fc316be20    0c2b2ddaed176e8d2124c0a8663ff4bc3418df93    3c18ceb95c93c8ec28d72f9f3b900c6d9e79288779ac808d98c5fbc696e02c44    2215.50 KB
Wizard 101 Hack v. 4.2.exe    b73975959de436b7a9174ec555603ee6    9f84f0145b3b554005683bdf5524afa82038becc    5dc7baa20bc0a1ab697195d1e9332ef38de3661c7376883b5d29d50026027231    2216.00 KB
World Of Tanks Hack v.1.5.exe    03625b453fdd9126b199d4b1293d63fa    2b22f5e37f02e20986dbbd8278c81a4ab4d98183    c5ef8543e19aba784f2ba66524097898ba7b0f4a1fe4e7ea77b88dfa018bce30    2215.50 KB
Haven't analyzed these yet.

Thursday, 5 September 2013

Yet more fake codecs (softologicsa.com, smarterpcsolutions.net, content.yieldmanager.edgesuite.net)

This lovely bit of flashy badness came up whilst I was looking for the latest version of an Android VM. This time it's not an image ad, but a flash advert (I have Flash and ActiveX disabled in the shells I use for most things, only noticed this one because I loaded the site in Opera, which is the only one I allow flash to load on (and even then, it's restricted)).

This time, the advert was served from content.yieldmanager.edgesuite.net;

hxxp://content.yieldmanager.edgesuite.net/atoms/04/40/35/e5/044035e578f4dceae19d30deeeea02f8.swf?clickTag=http%3A%2F%2Fad%2Eadnetwork%2Enet%2Fclk%3F3%2CeJydTtFugjAU%2ERre1LQUoYbsAUTMNhgzwc3XWkqpFmqgivPrV4bZ4utObu49ae8550LkQ2oj2yvnyMaUwD31oQNKsPAYBosJ8H1%2EMV94LoIYT1B81UGSJGselcujEwYD0mX%2E0Qcj%2DNCeR%2E6Oh74O6r5%2Evf%2Dv2v5tZOGu%2DMTB%2ExGpbbi6c5Nn%2EHmEg2zKdngVhH9rm2t6k4csj6skX9lZxHWaxzL9Ak6WU5DkLyK9cZBFx%2Enbbeukm1%2El02RSaX2yUGDZsSlNpK2Vds6skQIXSJ6q%2EeHSttJGHi1ZNyXTTmgz1Yk1naKCyBlXikt27lhLVaNZo2dU1caLk4Iz3RkmytZC8bmVFooe4irVadHwGa9VcZasuysFf5CXQjIzIHDnGLqmuw4EAHoOgs7oTmo2u9bSst3hBCIaZgIjcwprT63ojNq9CNabN0qaCzGmriQN%2E9n5BusQpLk%3D%2C



Clicking this fake plugin missing ad, takes you to;

hxxp://www.smarterpcsolutions.net/lp/codecperformer/v7/?cid=3616&SourceId=355&CreativeId=21891807&LineItemId=7304535&PublisherId=417709&SectionId=7167196&tid=000069c0f030912714a309ee67e96a5f3f73f



Which takes you to the actual download at (and disappointingly, detection for this is woefully pathetic);

hxxp://www.softologicsa.com/download/$o88rXZlsZA4hsjMA?exename=BestCodecsPackSetup&cid=3616&SourceId=355&CreativeId=21891807&LineItemId=7304535&PublisherId=417709&SectionId=7167196&tid=000069c0f030912714a309ee67e96a5f3f73f
MD5: b8adf15ce4d38909cabd89f61d7e663e

Installing the crap that comes with the installer, gives your machine the rubbish that is, Performersoft LLC (performersoft.com, 184.173.139.224).

You'll not be surprised to hear, this one is owned by appround.biz. It's housed on;

216.146.46.10 (redirector1.dynect.net) (without www. prefix)
216.146.46.11 (redirector2.dynect.net) (without www. prefix)
50.97.57.33 (loadbalancer2.ibariocorp.com)
184.173.139.225 (loadbalancer2.ibariocorp.com)

www(.)softologicsa.com lives on 50.97.37.140 (ibbalancer.com) and without the www prefix, it resides on the same dynect.net IPs as the above.

ibariocorp.com are the ones responsible for InstallBrain, and I'd strongly recommend you blackhole their IPs.

Domain Name: IBARIOCORP.COM
Registrar: MONIKER

Registrant [594222]:
    Felix Leshno
    2271 Melrose Ave.
    Montreal
    Quebec
    H4A 2R7
    CA

Administrative Contact [594222]:
    Felix Leshno
    2271 Melrose Ave.
    Montreal
    Quebec
    H4A 2R7
    CA
    Phone: +1.15146645051
    Fax: +1.15144856533

Billing Contact [594222]:
    Felix Leshno
    2271 Melrose Ave.
    Montreal
    Quebec
    H4A 2R7
    CA
    Phone: +1.15146645051
    Fax: +1.15144856533

Technical Contact [594222]:
    Felix Leshno
    2271 Melrose Ave.
    Montreal
    Quebec
    H4A 2R7
    CA
    Phone: +1.15146645051
    Fax: +1.15144856533

Domain servers in listed order:

    NS1.P09.DYNECT.NET
    NS2.P09.DYNECT.NET
    NS3.P09.DYNECT.NET
    NS4.P09.DYNECT.NET

    Record created on:    2011-02-15 08:10:08.0
    Database last updated on: 2013-08-19 16:27:18.58
    Domain Expires on:    2014-02-15 08:10:08.0


The severely ethical lacking ad company responsible, is Israel based;

DSNR Media Group
http://www.dsnrmg.com

Feel free to shout at them.

Monday, 2 September 2013

PropellerAds, Felix Leshno (softologic.com, appround.biz), Adf.ly, AdJuggler, AirSoftware, PerformerSoft, etc

Whether it's those god awful "fake surveys" that you can rarely get through to get the "leet crack", "free iPhone" etc from the skiddies that aren't skilled enough to do anything else, or the ad networks that keep allowing companies such as PerformerSoft, or file hosting and redirection sites such as Adf.ly, LinkBucks, FileSwap, Mediafire etc etc etc, we keep seeing a plethora of blatantly fraudulent adverts, all leading to the latest greatest rubbish that your machine keeps begging you not to install.

The latest of these include crapware such as InstallBrain via softologic.com, softologicsa.com, AirInstaller via getsoftsfree.com and noyapps.com, AMonetize from emule.com/amoninst.com and of course, Babylon and Delta, amongst many others.

Some of these do indeed, now have at least a landing page to inform you of what's going on, and the adware company name displayed on the advert itself (though to date, only around 3-4 of those companies, are doing this, the rest don't, presumably because they don't want you knowing).

The vast majority of these adverts are so beyond misleading that I keep having to remind myself this is "normal" (I know, I know - I already knew that). Surprise surprise, when they get themselves blacklisted for this activity, they're very quick to "reach out" (though rarely do these actually result in the misleading and unethical activities actually ceasing), or in some cases, send legal threats because you had the ordasity to do what is right to protect internet users.

To make matters worse, some of these not also use fake "Download" and "Plugin required" adverts (and I use the word fake, because they quite blatantly are, with both the wording and position/style of them, deliberately intended to mislead you into believing they actually are "required", or are going to actually take you to the download you wanted);



They also employ fake FlashPlayer "warnings";



And fake Chrome sites;



Sadly, this is just the tip of a rather large iceburg, where misleading and highly unethical adverts are concerned. Over the last week or two, I've noticed an extremely large proportion of adverts on Facebook, are for counterfeit apparel sites;



All of this of course, is before we get to the scummy snakeoil that is PerformerSoft and its ilk (i.e. 99.9% of "system cleaners" and every single "registry cleaner"), and the fond of misleading, MyPCBackup (FYI, on the subject of backups though, you should always ensure you've got at least 3 backups of a machine - 1 local, 1 local on an external drive (disconnected when not backing up) and 1 remotely stored (and I don't mean so-called "clouds" either! (unless you've encrypted the backup with something like TrueCrypt first)) and their ilk (I could go on, but don't want to be accused of rambling ....).

Why am I bothering to write about this? Well for starters, it's one of my pet peeves as it deliberately misleads people into believing they're going to get something they're clearly not, and in other cases, outright scams people and/or infects their machines, all the while, the ad networks and companies involved, are more than happy to let this activity continue - money talks louder than ethics it seems (yep, doesn't surprise me either).

If you'd like to help those less able, please do point these things out to them, advise them to keep as far away from them as possible. I'd also strongly advise blacklisting the offending sites responsible, and where appropriate, their IPs too. Just some of those you'll want to block (see hpHosts for a more complete listing, along with the corresponding IPs) include;

*.mediaget.com
*.download-instantly.com
*.nyoapps.com
*.softologic.com
*.metainstaller.com
*.imesh.com
*.ilivid.com
*.free2nstllr.com
*.circu.me
*.dwnldit.com
*.airinstaller.com
*.emule.com
*.amoninst.com
*.emulestore.com
*.movieseach.com
*.popker.com
*.pastdate.com
*.sotfball.com
*.motocrose.com
*.popertoys.com
*.torrentts.com
*.barcaelona.com
*.homaphones.com
*.micoscopes.com
*.airinstaller.com
*.install7.*
*.lunacom.*
*.addoncommon.info
allapplicationmy.info
amazingsoftware.info
aminoacidsguide.com
amu.abcdaddon.info
amu.add-spot-on.info
amu.addo-nclick.info
amu.boxinstallercompany.info
amu.brandnewinstall.info
amu.click2add-on.info
amu.clicktoinstalladdon.info
amu.companiesaddons.info
amu.companypage-addon.info
amu.extesnionchooeon.info
amu.generatecustomersthing.info
amu.goldenpage4install.info
amu.helpyourselfinstall.info
amu.installer4company.info
amu.installermustgolive.info
amu.installquicklyspot.info
amu.newinstallpagenine.info
amu.pageofsetups.info
amu.pagesofinstalls.info
amu.parktheextension.info
amu.pickandchooseaddon.info
amu.pickurextension.info
amu.sevenpage4install.info
amu.spotforaddonparking.info
amu.spotforallextension.info
amu.takeaddon4users.info
amu.three-installpage.info
amu.trafficproffiinfo.info
amu.twobox4addon.info
app.datafastguru.info
applicationmega.info
applow.info
apps-n-downloads.info
best-installer.info
cybeitrapp.info
cyber-mind.info
cybermindapp.info
cybermindtool.info
datadownloadscan.info
datafilehomescan.info
datainstallerscan.info
datasendmyukscan.info
dl03us.file.org
documentgoldmy.info
downloaddatascan.info
downloadkeeper.info
downmytool.info
downturk.biz
downturk.info
dr-us.net
driveridentifier-download.com
fastdatafunscan.info
favorythmic.info
fibonacci-trading-software.info
filemagnet.info
get-your-app.info
get-your-file.info
getfiledown.info
getmonetized.net
getthefilenow.info
goinstaller.net
gotovimyrok.com
grabza.net
greatdepothomey.asia
greatsaver.info
iframe.bestfilesarey.asia
iframe.bestfilesdatay.asia
iframe.documentssitey.asia
iframe.filesaredirecty.asia
iframe.filesareworldy.asia
iframe.greatfilesdatay.asia
iframe.superfilesarey.asia
image.borisoglebsk.net
installit-cloud.com
instrumpro.info
intelwinfilter.info
keep-app.info
keepapp.info
keepthefile.info
kosher-file.info
kosher-toolbar.info
kosher-transfer.info
lp.livetrafficall.info
mindyourapp.info
newfeaturesapp.info
newrealityworld.info
onthespotdownload.com
op.alllinuxapplicationsy.asia
op.applicationsforcompletey.asia
op.applicationsforentirey.asia
op.applicationsgroupforally.asia
op.bestfilesarey.asia
op.documentsguidey.asia
op.documentssitey.asia
op.filesareguidey.asia
op.filesareherey.asia
op.filesareonliney.asia
op.filesareworldy.asia
op.greatfilesarey.asia
op.greatfilesdatay.asia
op.superfilesarey.asia
op.superfilesdocumentsy.asia
saveclickersoft.info
saveneto.info
saveonapp.info
savingcollector.info
searchiseasy.info
searchitapp.com
second-reality.info
shopnsavenow.info
shopoptimzer.info
simplesearches.info
skypemoticonsbest.info
skypemoticonsinstall.info
skypemoticonsmagic.info
skypemoticonsproffi.info
superdownloaderssite.info
surfandkeep.info
systemenhancement.info
taketheaddonspot.info
systemutility.info
t1b.downturk.net
theothersworld.info
theall.net
topdogsoftware.biz
tracknl.info
transfer-gansta.info
transfer-guru.info
transfer-master.info
transfermaster.info
updatecoincide.info
updatesync.info
uptouapp.info
wdirect.downturk.net
webprotectionsoft.info
websearch.coolwebsearch.info
websearch.goodfindings.info
websearch.helpmefindyour.info
websearch.searchbomb.info
websearch.searchboxes.info
websearch.searchere.info
websearch.searchesplace.info
websearch.searchisbestmy.info
websearch.searchitup.info
websearch.soft-quick.info
websearch.wisesearch.info
winfilterdata.info
winsys-filter.info
wirelessdatadepoty.asia
zapbureya.info

... and ANYTHING that comes bundled with Delta crapware, Babylon crapware, or remotely resembling RelevantKnowledge (despite the Truste claims, sorry chaps, where "certifications" and such go, Truste are about as trusted as a polition in a brothel), it is NOT clean, it is NOT good for your machine, and YOU DO NOT WANT IT!), amongst others.

Just a word of warning when blocking IPs, there's a few of the larger outfits using CDNs such as Akamai and Amazon, to serve the actual installers and such themselves, as much as I'd love to suggest blocking the CDNs too, sadly, doing so isn't viable as there's also alot of legit sites/companies that also use them and doing so would block those too (including blocking the likes of security software updates, Microsoft updates etc etc).

I'd also strongly urge you either lock down your machine, or install WinPatrol (will notify you as soon as something tries adding a toolbar, adding a startup item, changing file associations, changing a browsers homepage/search engine, amongst many other things.);

http://www.winpatrol.com

If you've not already, also consider installing Malwarebytes AntiMalware*;

http://www.malwarebytes.org

I'd also strongly recommend uninstalling anything with Adobe's name on it, along with Java, and of course, disabling ActiveX in your browser, HTML in your emails, but annoyingly, few will actually take notice of thise as their emails look "prettier" or they are using games or some such rubbish on the likes of Facebook.

* I must note, for the purposes of full disclosure, that I am a contractor for Malwarebytes. I have not however (and will not!) linked you through an affiliate URL! (yep, not fond of those either, never have been).