MVPS HOSTS File Update Sept-02-2009


The MVPS HOSTS file was recently updated [Sept-02-2009]
http://www.mvps.org/winhelp2002/hosts.htm


Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip


How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm


HOSTS File – Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm


Note: the “text” version makes a great resource for determining possible culprits …
http://www.mvps.org/winhelp2002/hosts.txt (600 kb)

Still more fake PornTube sites

On my weekly stroll through various search engines for the term “PornTube: best movies collection.” I usually find 15-20 new malicious sites, all using the same page layout. However, I found this one a little different in the bogus message that’s produced …



Notice the fake blurring in the background … and the fake Error message … “download a patch to fix a problem” …


“blue-xxx-tube. com” redirects to “4-open-davinci. com” for the actual download. Both sites are hosted at Netplace … a well-known malware haven. A Google Diagnostic report confirms this … “354 site(s) served content that resulted in malicious software being downloaded and installed without user consent
We found 45 site(s) that infected 1672 other site(s)”


Internet pharmacies identified as acting illegally

The other day there was a disturbing report that found that nearly 90 percent of all pharmacy ads appearing on Bing’s sponsored search engine results were illegal pharmacies … Yikes! … well, most of us already know that “Sponsored Results” are not to be trusted …


I certainly don’t think Bing is the only one at fault here … since the FBI states – “More than 80,000 “portal” websites currently sell ad space for these medications and link to one of more than 1,400 “anchor” websites that allow customers to place orders through illegal pharmacies”.


The full report is here … (.pdf) and in that report “klikadvertising” is mentioned … these culprits are also involved in many of the Fraudware Antispyware scams currently on the Internet. Anyway, LegitScript also released their Top 10, so I thought I’d check them out and possibly add those to the HOSTS file. Now I have no intention of adding all these illegal pharmacy sites, as there are just too many, and nothing malicious happens when you visit these sites.


The best way, I feel, to protect users is to add their payment sites to the HOSTS file … at least that way it would protect users from making ill-advised purchases … or worse … just imagine what’s in those counterfeit drugs! I started visiting these sites and found my own disturbing trend which was not mentioned in any of the articles … (see below)



Image edited for display purposes


The above site is listed as one of the Top 10 (above) … when you click the “Next step” …



Image edited for display purposes


As you can see you are redirected to “rx-secure.com” via a certain certificate … I’m not even going to comment.



Visiting another of the above mentioned Top 10, which is described as “The website claims to sell drugs from Canada, but the authors submitted an order, and received counterfeit Cialis, without a prescription from India.” If you read the full report, LegitScript put a lot of time and effort into their findings, going so far as to actually purchase products and have them tested …



Image edited for display purposes


Another certificate from the same source as above and a Truste icon … ouch!



Again we see a redirect from “expressdelivery.biz” to “secure.mymedcenter.net”


== Server Certificate ==========
[Subject]
  CN=secure.mymedcenter.net, OU=Comodo EV SGC SSL, O=RX Corp, STREET=3155 Hickory Hill Rd, L=Memphis, S=TN, PostalCode=38115, C=US, OID.2.5.4.15="V1.0, Clause 5.(b)", OID.1.3.6.1.4.1.311.60.2.1.2=Tennessee, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=0582044


[Issuer]
  CN=COMODO EV SGC CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB


[Serial Number]
  00FD665970D8D5E8D59EE06A23F621AAF5


Now, to be fair, I also found a Verisign certificate for “seal.buysafe.com” … so please don’t nag me about picking on one vendor …


== Server Certificate ==========
[Subject]
  CN=seal.buysafe.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=buySAFE IT, O=buySAFE Inc, L=Arlington, S=Virginia, C=US


[Issuer]
  OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network


[Serial Number]
  2AAA3F4A7F8054FA9DD70D7AAA5650BF


You can view a very short video LegitScript posted on YouTube for expressdelivery.biz … there are several others as well … I also found another site that contains “illegal pharmacies identified by the FDA, HealthPricer and other official bodies”


First on their list was “allpills.net” which redirects to “canadian-drugshop.com” which redirects to … “rx-secure.com”


== Server Certificate ==========
[Subject]
  CN=rx-secure.com, OU=Comodo InstantSSL, O=Pharmos Limited, STREET=Leningradsky prospekt 143-26, L=MOSCOW, S=MSK, PostalCode=149501, C=RU


[Issuer]
  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US


[Serial Number]
  00A84B9E3913DFC8BE5D7355B8EEFD59CE

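The certificate dumps above all follow the same Fiddler-style layout, and the point each time is that the CN of the certificate serving the checkout page is not the site the user started on. As an added example (not code from the MVPS blog), this Python parses such a dump into fields, including quoted values that contain commas such as OID.2.5.4.15="V1.0, Clause 5.(b)", and reports whether the Subject CN matches the host the user typed; the sample dump is copied from the secure.mymedcenter.net block above.

```python
# Added example (not from the MVPS blog): parse a "== Server Certificate ==" dump
# and flag that the certificate belongs to a different host than the one typed.
import re

# Constructed from the expressdelivery.biz -> secure.mymedcenter.net dump shown above.
CERT_DUMP = """== Server Certificate ==========
[Subject]
  CN=secure.mymedcenter.net, OU=Comodo EV SGC SSL, O=RX Corp, STREET=3155 Hickory Hill Rd, L=Memphis, S=TN, PostalCode=38115, C=US, OID.2.5.4.15="V1.0, Clause 5.(b)", SERIALNUMBER=0582044

[Issuer]
  CN=COMODO EV SGC CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Serial Number]
  00FD665970D8D5E8D59EE06A23F621AAF5
"""

def parse_dn(dn):
    """Split 'K=V, K=V' into {key: [values]}; a comma inside double quotes is part of the value.
    Repeated keys (several OU=) are kept in order."""
    fields = {}
    for key, quoted, bare in re.findall(r'([\w.]+)=(?:"([^"]*)"|([^,]*))', dn):
        fields.setdefault(key, []).append(quoted if quoted else bare.strip())
    return fields

def parse_cert_dump(text):
    """Return {'Subject': dict, 'Issuer': dict, 'Serial Number': str} from the dump layout above."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.fullmatch(r'\[(.+)\]', line.strip())
        if header:
            current = header.group(1)          # [Subject], [Issuer], [Serial Number]
        elif current and line.strip():
            body = line.strip()
            sections[current] = body if current == 'Serial Number' else parse_dn(body)
    return sections

def checkout_redirect_report(typed_host, cert):
    """Say whose certificate answered, and whether its CN is the host the user started on."""
    cn = cert['Subject']['CN'][0]
    matches = cn == typed_host or cn.endswith('.' + typed_host)
    return {'cn': cn, 'issuer': cert['Issuer']['CN'][0], 'matches_typed_host': matches}
```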

Seems canadian-drugshop.com is hosted on the same IP block as several other scam sites … most using “rx-secure.com” as their “check out” payment service.


# [Moskvacom][AS2118][195.95.155.0 – 195.95.155.255] (Google Diagnostic report for AS2118)
127.0.0.1  canadian-drugs-shop.com
127.0.0.1  www.canadian-drugshop.com
127.0.0.1  canadian-healthcare-shop.com #[ScamFraudAlert.Pharmacy]
127.0.0.1  canadian-pharmacy-store.com
127.0.0.1  edmedsnow.com
127.0.0.1  hqedpills.com
127.0.0.1  mens-medication.com #[Spamdexing]
127.0.0.1  official-canadian.com
127.0.0.1  professional-meds-online.com #[ScamFraudAlert.Pharmacy]
127.0.0.1  rx-top.com
127.0.0.1  shopedmedsonline.com


Many of the other sites HealthPricer listed no longer exist …


Hopefully these certificate issuers and Truste will take a better look into the activities of the sites that were mentioned … after all illegal activities are illegal!

Oh how embarrassing

Imagine that! … from Google Diagnostic … I wonder what malicious software was being distributed on the 15th?



So let’s click on over to trustlogo.com from the Google Diagnostic report …



The really embarrassing part is that the site mentioned, sagunnyu.com, appears to use a Comodo certificate … ouch!


== Server Certificate ==========
[Subject]
  CN=sslsecurity.kr, OU=Comodo InstantSSL, OU=Hosted by Jungbonet inc., OU=SSLSECURITY_TEAM, O=JUNGBONET, STREET=Nonhyeon-dong, L=Nonhyun-Dong, S=SEOUL, PostalCode=135-010, C=KR


[Issuer]
  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US


[Serial Number]
  2677FD02915826F36B72BDC69DBA9BC9


Maybe a certain CEO should spend a little more time making sure things like the above don’t happen rather than spewing out one-sided spin in an effort to deflect the real problem, which is a failure to address an ongoing (since 2007) problem:


Criminals using Comodo to attempt legitimacy

Bombarded with Comment Spam

Update 07/29/09: I’ve heard from the powers that be and it seems the Spam Filters were set wrong after the latest blog update? Go figure … I’ll reset (allow) the Comments and see if I can restore them …


I guess I’ve been lucky that the Bot spammers have not been a serious issue … well, until now … it seems like the last few days I have been bombarded with “comment spam” … hundreds and hundreds a day [ugh!] So I’ve disabled the comments until things calm down …




MVPS HOSTS File Update July-27-2009


The MVPS HOSTS file was recently updated [July-27-2009]
http://www.mvps.org/winhelp2002/hosts.htm


Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip


How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm


HOSTS File – Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm


Note: the “text” version makes a great resource for determining possible culprits …
http://www.mvps.org/winhelp2002/hosts.txt (597 kb)

Comodo continues to ignore Malware warnings

Yet again we find the same group “ISystem Inc” scamming the public with their bogus products … with a little more help from Comodo. Now I ask you … how many times do I have to report the same group being issued a certificate from Comodo, before they take the necessary steps to prevent the general public from being ripped-off by these bad actors?



If the page looks familiar … it is … the same template as I previously reported … from the same people “ISystem Inc”



As you can see I pasted the certificate details into the Fiddler report … below you can see there is no doubt that “ISystem” is the owner … same as previously reported several times! …




It’s not hard to find the bad actors and the connection between “ISystem and SoftDialog” … hey Comodo, ever heard of Google? …



“WindowsSecuritySuite” is hosted at the same location as before … just how many red flags does it take?



“pay-secure” is also hosted on a previously reported location


# [Netdirekt][95.168.163.0 – 95.168.164.255]
127.0.0.1  aquabilling.com
127.0.0.1  secure.aquabilling.com
127.0.0.1  secure.bestbillingpro.com
127.0.0.1  secure.payment-cc24.com
127.0.0.1  pay-secure.net #[ISystem]
127.0.0.1  safe-pay-vault.com
127.0.0.1  webexpressbill.com
127.0.0.1  secure.webexpressbill.com


“Comodo – creating trust online” … makes you wonder, doesn’t it … I’ve been reporting on Comodo’s lack of concern since
LimeLight Networks and connecting the dots (12-07-07) and all we get is excuses and spin on how everyone else is doing it (issuing certificates) … whatever happened to being a responsible part of the Internet community?

Comodo continues to damage its reputation

Here again we find another bogus Antispyware program that does nothing but take your money … with a little help from Comodo



If the page looks familiar … it is … the same template as I previously reported … from the same people “ISystem Inc”



I pasted the Comodo certificate into the Fiddler output … seems Comodo still does not check out anyone prior to issuing a certificate … even if it comes from the same people it revoked previously … duh!


Comodo continues to issue certificates to known Malware
Anyway … I went back and checked the sites I last reported and it seems Comodo has decided to ignore my report …


rapid-antivir-2009. com
rapid-antivir2009. com
rapid-antivirus2009. com = all redirect to:
secure.xsoftstore. com


[Google link here]


Even a simple Google search as I suggested previously would have revealed the connection to ISystem …



“malwaresdestructor. com” is hosted at Rcp.net along with quite a few other related Fraudware programs



“safe-pay-vault. com” is hosted at Netdirekt – a known malware haven


# [Netdirekt][95.168.163.0 – 95.168.164.255]
127.0.0.1  aquabilling.com
127.0.0.1  secure.aquabilling.com
127.0.0.1  secure.bestbillingpro.com
127.0.0.1  safe-pay-vault.com
127.0.0.1  webexpressbill.com
127.0.0.1  secure.webexpressbill.com


Surely you would think Comodo, with all its resources, could keep a lid on these malware frauds … especially when they have already dealt with the same culprits before … is anybody awake over there!! Trust is everything in the security business … it seems Comodo can no longer be trusted, as these types of reports keep surfacing … time after time …

MVPS HOSTS File Update June-21-2009

The MVPS HOSTS file was recently updated [June-21-2009]
http://www.mvps.org/winhelp2002/hosts.htm


Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip


How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm


HOSTS File – Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm


Note: the “text” version makes a great resource for determining possible culprits …
http://www.mvps.org/winhelp2002/hosts.txt (599 kb)

A disturbing new report on your Internet Privacy

A UC Berkeley report provides an in-depth look into the Internet Privacy issue and to what extent you are really being tracked … several media outlets have reported on this issue: Register | NyTimes | BizJournals, all with their own take on the report … a few key excerpts from their study …


Dominance of Google
“From our analysis, it is apparent that Google is the dominant player in the tracking market. Among the top 100 websites this project focused on, Google Analytics appeared on 81 of them. When combined with the other trackers it operates, such as DoubleClick, Google can track 92 of the top 100 websites. Furthermore, a Google-operated tracker appeared on 348,059 of 393,829 distinct domains tracked by Ghostery in March 2009 (over 88%).”


This is one of the main reasons why the majority of these “trackers” are included in the MVPS HOSTS file


“Among the top 100 websites” … this was obtained from Quantcast … however, the “Top 100” are not really individual sites, since many are owned by the same company … so you can see how these big companies can compile quite a lot of info …


[Example of the Big 3 – ranking]
microsoft.com (7), live.com (3), msn.com (4), windows.com (19)
Not counting their ad servers: Atlas DMT (atdmt.com) aQuantive (adbureau.net)


google.com (1), youtube.com (6), blogspot.com (14), blogger.com (40)
Not counting DoubleClick which ranks #37 at Alexa


yahoo.com (2), flickr.com (30), geocities.com (47)
Not counting their ad servers: Overture, RightMedia, BlueLithium
———————————————————


SHARING
“Websites make distinctions between sharing with affiliates, contractors, and third parties. Of the top 50 sites, 29 stated that they do NOT share user data with unrelated third parties. However, 45 affirmatively state that they share data with affiliates, and 36 affirmatively state that they allow third-party tracking. The average consumer might assume an affiliate or tracker to be a third party, but given the actual usage of these terms in privacy policies, that assumption would be mistaken.  Of the top 50 sites, 43 state affirmatively that they share data with third-party contractors, including all 29 of the sites who state that they do not share with unrelated parties.”


This is why I recommend turning off Cookies and “whitelist” (allow) only those that are needed …


NO ACCOUNTABILITY FOR THIRD-PARTY TRACKING
“In our analysis of privacy policies, 36 of the websites affirmatively acknowledged the presence of third-party tracking. However, each of these policies also stated that the data collection practices of these third parties were outside the coverage of the privacy policy. This appears to be a critical loophole in privacy protection.”


“This appears to be a critical loophole” … and they sure do word their Privacy Policy pages to take advantage of this loophole.


In the Register article they state: “Omniture and Quantcast cookies appeared on 57 per cent of the top 100 and less than 6 per cent of the 400,000” … I would offer that this figure is actually much higher, since Omniture (112.2o7.net) also makes extensive use of clones (CNAME aliases under the customer’s own domain) to disguise their 3rd party trackers …
[Example]
om.symantec.com is actually symanteccom.112.2o7.net
std.o.webmd.com is actually webmdglobal.122.2o7.net
stats.adobe.com is actually adobe.com.112.2o7.net
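The three clones above matter for HOSTS-file blocking because the HOSTS file is matched against the name the browser asks for, before the DNS resolver ever follows the CNAME to 2o7.net. As an added illustration (not code from the MVPS blog), this Python models that lookup order: the HOSTS block is written in the same “127.0.0.1  host #[tag]” layout used throughout this blog, and the CNAME map stands in for live DNS; both are constructed from the three examples above.

```python
# Added example (not from the MVPS blog): why a HOSTS entry for the real 2o7.net
# name does not block a clone such as om.symantec.com unless the alias itself is listed.

# Constructed HOSTS-format block in the layout used throughout this blog.
HOSTS_BLOCK = """# [Omniture clones][constructed sample]
127.0.0.1  symanteccom.112.2o7.net #[Omniture]
127.0.0.1  webmdglobal.122.2o7.net
127.0.0.1  stats.adobe.com #[Omniture clone, listed under its alias]
"""

# Constructed CNAME map standing in for live DNS: alias -> canonical name (from the examples above).
CNAME_MAP = {
    "om.symantec.com": "symanteccom.112.2o7.net",
    "std.o.webmd.com": "webmdglobal.122.2o7.net",
    "stats.adobe.com": "adobe.com.112.2o7.net",
}

def parse_hosts(text):
    """Return {hostname: tag} for active 127.0.0.1 entries; '#' starts a comment,
    so the bracketed section header line is skipped."""
    blocked = {}
    for line in text.splitlines():
        entry, _, comment = line.partition("#")
        parts = entry.split()
        if len(parts) != 2:                 # blank or comment-only line
            continue
        address, host = parts
        if address == "127.0.0.1":
            blocked[host.lower()] = comment.strip()
    return blocked

def resolve(name, blocked, cnames):
    """Model the lookup order: the HOSTS file is consulted for the queried name only;
    CNAMEs are followed afterwards by DNS, with no second HOSTS check."""
    name = name.lower()
    if name in blocked:
        return ("blocked", name)            # the alias itself is listed: request never leaves the box
    chain = [name]
    while chain[-1] in cnames:
        chain.append(cnames[chain[-1]])
    final = chain[-1]
    if final in blocked:
        return ("escaped", final)           # target is listed, but the alias was not: tracker reached
    return ("resolved", final)
```

The "escaped" case is the one to watch for: listing symanteccom.112.2o7.net alone gives a false sense of coverage, and each clone name has to be added as its own entry.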


Using the Register as an example you can see the extent of tracking from third parties that goes on …



All the entries in red above are blocked by the HOSTS file … but the above is just from visiting one page on that site. However, I must give them kudos for the Privacy Policy … in which they explain in very plain language what they are doing and from whom. Compare that to the BizJournal’s statement:


“Adobe’s privacy policy, for example, when analyzed for readability, was written at an equivalent grade level of 17.29. The average privacy policy in the study was written at a grade level of 13.83.”


I’m not sure what grade level 17.29 is … but I’m sure I didn’t go to school that long! …