Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 15 March 2013

Misleading marketing (yet again): InstallQ, Amonetize, bechiroapps.com

I know this isn't a surprise anymore, but it still annoys the hell out of me.

Whilst following a malware trail, I found 3 more examples of misleading marketing. One of them on depositfiles.com, and 2 of them on zippyshare.com. In all 3 cases, the route went through adsmarket.com (also not a surprise).

First we have a fake flash player. This was loaded by;

hxxp://www76.zippyshare.com/pop.jsp?a=1

And goes straight to a download at (domains PD houses the same thing too);

hxxp://www.adobeflashplayeryukle.com/dl.php

No landing page, no warnings.



Then InstallIQ; you'll notice (follow the red arrow) the fake "plugin required" advert;



Which leads to the landing page here;



URLs:

hxxp://ad.xtendmedia.com/clk?3,eJytTd1qgzAUfhrvRGJiRJFdpDqLZcomdqI3Q02ssVqlDVP79Iu29An2cTjn-zmHoyOHoYqxsrYtjKFNGXZ0RM26BnqpGypwHAdiCGwAsAXV48Q6l-VLNJHymAOy4TBW8fSg5LS24ME.rbXvvcVNjs-4dH1K.gVukMbZkwfb35NnkV3cTuUd7F5r-3cY9gceJXn3kTTnrM1EmPhdyHUepdJLAxR5lIdtaOTp9zn.el2-qWojxKggokBfVnVlheC.TJsFu9CeUV5o1dDLZLwO8yJnX4ihX7Zks7RG9J2C.IL-iGVkCvIKqkBTyhu.rxIBMEMMpHdjleDDZfVMhCzb-AMcNHmH,
-> hxxp://ad.yieldmanager.com/clk?3,eJytTd1qgzAUfhrvRGJiRJFdpDqLZcomdqI3Q02ssVqlDVP79Iu29An2cTjn-zmHoyOHoYqxsrYtjKFNGXZ0RM26BnqpGypwHAdiCGwAsAXV48Q6l-VLNJHymAOy4TBW8fSg5LS24ME.rbXvvcVNjs-4dH1K.gVukMbZkwfb35NnkV3cTuUd7F5r-3cY9gceJXn3kTTnrM1EmPhdyHUepdJLAxR5lIdtaOTp9zn.el2-qWojxKggokBfVnVlheC.TJsFu9CeUV5o1dDLZLwO8yJnX4ihX7Zks7RG9J2C.IL-iGVkCvIKqkBTyhu.rxIBMEMMpHdjleDDZfVMhCzb-AMcNHmH,
--> hxxp://network.adsmarket.com/click/imNwlo2ff5S3YZiVjaJ7mZFjapaNpIGcjGKYmGGcepW3ZG-YZaF7?dp=RMX_A6103404_P5280544_V161810259_RSanta Rosa_S3633894_C10309915_B93712&dp2=UwelCeZyNwAbUZ0AAAAAAJpcRwAAAAAAAgAAAAIAAAAAAP8AAAAGDyCTUAAAAAAAbCFdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIWRYAAAAAAAIAAgAAgD8ABGXwbz0BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJwL9awqi.SNzM51z810DU9NyXI0q3Qq93SrKKrMCowq9QIAwR0LwQ==&dp3=Usource_url_hidden
---> hxxp://www.xvidupdate.com/tube/?pub_id=2271&ce_cid=20dJX94msVBiUYqE0UM73Z1ugC6T000.

hxxp://ad.yieldmanager.com/clk?3,eJytjV1vgjAUhn8Nd2jaUlkJ2UXBj7Do4hRmuhuDtIWifEy7Kf76Fee2P7A3TXOe5.T0QMfHLpQYIozBiAAPcB863JVSCCI9G.i-j7DnAUgeRtBOzuIQJvlyeQ4jsE4C2iekT6sz.U5OJ.QnS9Lfs7GnXpK7kiTI6L8kjDYrdq-jyOyl-ZhQNJCD3RUEv89mCWbXCLDNBM.jYs.KXC.i6WGhYMHK13IeZ.gt5vtFzDoWB-Xz34JH2y60bi2HWmhqTnYUqVafYnjRouaV4CodZk1lOlWqm6ozhU7zYaGrg-VMU77VXSssZ9w2rYVcwyd17RlcgOGTyLRqasMYOsglvduldS341gzcZk-miRzjb0JVNwHvLI.i.UPUWdf.-AWkYYZS,
-> hxxp://network.adsmarket.com/click/imNwlo2ff5S3YZiVjZx9m4xpbJlfyoObkGVqxGadfZmJkG-VXqN-lQ?dp=RMX_A6078591_P5279960_V161810259_RSanta Rosa_S4132680_C19255688_B93712&dp2=UwelCUgPPwCI0SUBAAAAACAJRwAAAAAAAgAEAAAAAAAAAP8AAAAGD9iQUAAAAAAAf8BcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIWRYAAAAAAAIIAgAAgD8AEtAMcD0BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJwL9awqi.SNzM51z810DU9NyXI0q3Qq93SrKKrMCowq9QIAwR0LwQ==&dp3=Usource_url_hidden
--> hxxp://cp.tuguu.com/pasarela/affp/769/ce_cid=20kWRn19.Jj2IJoY0UM73Z1ugCAV000.&pub_id=2271?ce_cid=20kWRn19.Jj2IJoY0UM73Z1ugCAV000.
---> hxxp://cp.tuguu.com/pasarela/download.php?p=769&_so=1&_bw=1&_sv=5.1&_bv=9.0&_ip=838941715&_cc=US&asdd=1&_qs=ce_cid%3D20kWRn19.Jj2IJoY0UM73Z1ugCAV000.%26pub_id%3D2271%3Fce_cid%3D20kWRn19.Jj2IJoY0UM73Z1ugCAV000.
----> hxxp://cp.nicdls.com/pasarela/doma/dls.nicdls.com/p/151/FlashPlayer/79/418/769.4.92.016f731e
-----> hxxp://dls.nicdls.com/p/151/FlashPlayer/79/418/V.24081182a
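
An added example, not code from the post or from hpHosts: it parses a defanged redirect trail in the hxxp-plus-arrow notation used above into ordered hops, pulls out each hop's hostname, and checks it against an hpHosts-style hosts file to see where the trail would have been cut. Both inputs are constructed, shortened samples (the EXAMPLE path segments are placeholders); the check is exact-name only, because a hosts file matches whole hostnames, so a listing for xvidupdate.com does not cover www.xvidupdate.com.

```python
import re
from urllib.parse import urlparse

# Constructed, shortened trail in the post's defanged "hxxp" + arrow notation (not the full tracker URLs).
TRAIL = """\
hxxp://www76.zippyshare.com/pop.jsp?a=1
-> hxxp://network.adsmarket.com/click/EXAMPLE?dp3=Usource_url_hidden
--> hxxp://www.xvidupdate.com/tube/?pub_id=2271
---> hxxp://dls.nicdls.com/p/151/FlashPlayer/EXAMPLE
"""

# Constructed sample in hosts-file layout (127.0.0.1 <hostname>, one name per line).
HOSTS_FILE = """\
# sample hosts entries (constructed)
127.0.0.1 localhost
127.0.0.1 network.adsmarket.com
127.0.0.1 xvidupdate.com
"""
HOP_RE = re.compile(r"^(-*>?)\s*(hxxps?://\S+)")

def parse_trail(text):
    """Return [(depth, hostname)] per hop; depth is the number of leading dashes."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if not m:
            continue
        refanged = re.sub(r"^hxxp", "http", m.group(2), count=1)  # hxxp -> http for urlparse
        hops.append((m.group(1).count("-"), urlparse(refanged).hostname))
    return hops

def load_hosts(text):
    """Collect blocked hostnames from a hosts file, skipping comments and the localhost entry."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0"):
            blocked.update(h.lower() for h in parts[1:] if h != "localhost")
    return blocked

def check_trail(trail, hosts):
    """[(depth, hostname, blocked)]; exact match only, which is all a hosts file can do."""
    blocked = load_hosts(hosts)
    return [(d, h, h in blocked) for d, h in parse_trail(trail)]

def first_blocked_hop(trail, hosts):
    """Index of the first hop the hosts file stops, or None if the whole trail gets through."""
    hits = [i for i, (_, _, hit) in enumerate(check_trail(trail, hosts)) if hit]
    return hits[0] if hits else None
```

Running check_trail over the sample shows the adsmarket.com hop as the first one stopped, while www.xvidupdate.com slips past the xvidupdate.com entry.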

Monday, 4 March 2013

[INFO] vURL server offline

Just a note folks, the vURL server will be offline for another hour or two, to allow for essential maintenance.

Sites affected:

vurldissect.co.uk
apk.it-mate.co.uk
avant.it-mate.co.uk
bartware.it-mate.co.uk
bughunter.it-mate.co.uk
dnsbh.it-mate.co.uk
hostsman.it-mate.co.uk
naomi.it-mate.co.uk
support.it-mate.co.uk
temp.it-mate.co.uk
helenbenoist.co.uk
ashsofdev.tk
8gc.com

Sorry for the inconvenience.

/edit

All done.

Thursday, 28 February 2013

ALERT: Yet another Java 0day

Java is at the center of yet another security storm after Polish security researchers found not one, but two new separate zero-day flaws in the Web plug-in software.

Web users are once again warned to disable Java immediately to prevent any infection on production machines or networks. Read this: Amid a serious security flaw in the latest version of Java 7, where even the U.S. Department of Homeland Security has warned users to disable the plug-in, here's how you do it.

Security firm Security Explorations submitted information about the bugs to Oracle, the developer of the Java 7 software, including proof-of-concept exploits that prove the bugs exist. However, in one of the cases, Oracle believes this is "allowed behavior," suggesting an apathy on the company's part to fix the alleged flaw.

The two zero-day flaws are the latest in a number of problems affecting the Java plug-in, forcing Oracle to patch the software twice with emergency patches this year alone.


Read more
http://www.zdnet.com/oracle-investigating-after-two-more-java-7-zero-day-flaws-found-7000011965/

If you've not already ripped Java out of your system, I'd suggest you do it asap;

JavaRA
http://singularlabs.com/software/javara/

JavaRA Download page
http://singularlabs.com/software/javara/javara-download/

Direct download
http://download.thewebatom.net/50f69935741f0/JavaRa-2.1.zip

Tuesday, 26 February 2013

Release: hpObserver v0.6.11

Changes:

Modified: IP allocation spec as per RFC
Modified: Slight error in the about dialog

Download:
http://support.it-mate.co.uk/?mode=Products&p=hpobserver

Wednesday, 13 February 2013

hpHosts: Updated 13-02-2013

The hpHOSTS Hosts file has been updated. There is now a total of 185,378 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 13/02/2013 23:00
  2. Last Verified: 13/02/2013 18:00
Download hpHosts now!
http://hosts-file.net/?s=Download