The MVPS HOSTS file was recently updated December 20-2014

Blocking Unwanted Connections with a Hosts File



The MVPS HOSTS file was recently updated [December 20-2014]

http://winhelp2002.mvps.org/hosts.htm

Download: hosts.zip (134 kb)

http://winhelp2002.mvps.org/hosts.zip

How To: Download and Extract the HOSTS file

http://winhelp2002.mvps.org/hosts2.htm

HOSTS File – Frequently Asked Questions

http://winhelp2002.mvps.org/hostsfaq.htm

Note: the “text” version (507 kb) makes a great resource for determining possible unwanted connections …

http://winhelp2002.mvps.org/hosts.txt

Get notified when the MVPS HOSTS file is updated

http://winhelp2002.mvps.org/updates.htm

If you find the MVPS HOSTS file useful … please consider a donation …

http://winhelp2002.mvps.org/hosts.htm#donation

MVPS HOSTS File Update Sept-02-2009


The MVPS HOSTS file was recently updated [Sept-02-2009]
http://www.mvps.org/winhelp2002/hosts.htm


Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip


How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm


HOSTS File – Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm


Note: the “text” version makes a great resource for determining possible culprits …
http://www.mvps.org/winhelp2002/hosts.txt (600 kb)

Still more fake PornTube sites

On my weekly stroll through various search engines for the term “PornTube: best movies collection” I usually find 15-20 new malicious sites, all using the same page layout. However, I found this one a little different in the bogus message that’s produced …



Notice the fake blurring in the background … and the fake Error message … “download a patch to fix a problem” …


“blue-xxx-tube. com” redirects to “4-open-davinci. com” for the actual download. Both sites are hosted at Netplace … a well-known malware haven. A Google Diagnostic report confirms this … “354 site(s) served content that resulted in malicious software being downloaded and installed without user consent
We found 45 site(s) that infected 1672 other site(s)”


Internet pharmacies identified as acting illegally

The other day there was a disturbing report that found that nearly 90 percent of all pharmacy ads appearing on Bing’s sponsored search engine results were illegal pharmacies … Yikes! … well most of us already know that “Sponsored Results” are not to be trusted …


I certainly don’t think Bing is the only one at fault here … since the FBI states – “More than 80,000 “portal” websites currently sell ad space for these medications and link to one of more than 1,400 “anchor” websites that allow customers to place orders through illegal pharmacies”.


The full report is here … (.pdf) and in that report “klikadvertising” is mentioned … these culprits are also involved in many of the Fraudware Antispyware scams currently on the Internet. Anyway, LegitScript also released their Top 10 so I thought I’d check them out and possibly add those to the HOSTS file. Now I have no intention of adding all these illegal pharmacy sites as there are just too many, and nothing malicious happens when you visit these sites.


The best way I feel to protect users is to add their payment sites to the HOSTS file … at least that way it would protect users from making ill-advised purchases … or worse … just imagine what’s in those counterfeit drugs! I started visiting these sites and found my own disturbing trend which was not mentioned in any of the articles … (see below)



Image edited for display purposes


The above site is listed as one of the Top 10 (above) … when you click the “Next step” …



Image edited for display purposes


As you can see you are redirected to “rx-secure.com” via a certain certificate … I’m not even going to comment.



Visiting another of the above mentioned Top 10 which is described as “The website claims to sell drugs from Canada, but the authors submitted an order, and received counterfeit Cialis, without a prescription from India.” If you read the full report LegitScript put a lot of time and effort into their findings. Going so far as to actually purchase products and have them tested …



Image edited for display purposes


Another certificate from the same source as above and a Truste icon … ouch!



Again we see a redirect from “expressdelivery.biz” to “secure.mymedcenter.net”


== Server Certificate ==========
[Subject]
  CN=secure.mymedcenter.net, OU=Comodo EV SGC SSL, O=RX Corp, STREET=3155 Hickory Hill Rd, L=Memphis, S=TN, PostalCode=38115, C=US, OID.2.5.4.15="V1.0, Clause 5.(b)", OID.1.3.6.1.4.1.311.60.2.1.2=Tennessee, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=0582044


[Issuer]
  CN=COMODO EV SGC CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB


[Serial Number]
  00FD665970D8D5E8D59EE06A23F621AAF5


Now to be fair I also found a Verisign certificate for “seal.buysafe.com” … so please don’t nag me that I’m picking on one vendor …


== Server Certificate ==========
[Subject]
  CN=seal.buysafe.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=buySAFE IT, O=buySAFE Inc, L=Arlington, S=Virginia, C=US


[Issuer]
  OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA – Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network


[Serial Number]
  2AAA3F4A7F8054FA9DD70D7AAA5650BF


You can view a very short video LegitScript posted on YouTube for expressdelivery.biz … there are several others as well … I also found another site that contains “illegal pharmacies identified by the FDA, HealthPricer and other official bodies”


First on their list was “allpills.net” which redirects to “canadian-drugshop.com” which redirects to … “rx-secure.com”


== Server Certificate ==========
[Subject]
  CN=rx-secure.com, OU=Comodo InstantSSL, O=Pharmos Limited, STREET=Leningradsky prospekt 143-26, L=MOSCOW, S=MSK, PostalCode=149501, C=RU


[Issuer]
  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US


[Serial Number]
  00A84B9E3913DFC8BE5D7355B8EEFD59CE


Seems canadian-drugshop.com is hosted on the same IP block as several other scam sites … most using “rx-secure.com” as their “checkout” payment service.


# [Moskvacom][AS2118][195.95.155.0 – 195.95.155.255] (Google Diagnostic report for AS2118)
127.0.0.1  canadian-drugs-shop.com
127.0.0.1  www.canadian-drugshop.com
127.0.0.1  canadian-healthcare-shop.com #[ScamFraudAlert.Pharmacy]
127.0.0.1  canadian-pharmacy-store.com
127.0.0.1  edmedsnow.com
127.0.0.1  hqedpills.com
127.0.0.1  mens-medication.com #[Spamdexing]
127.0.0.1  official-canadian.com
127.0.0.1  professional-meds-online.com #[ScamFraudAlert.Pharmacy]
127.0.0.1  rx-top.com
127.0.0.1  shopedmedsonline.com
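The listing above, and the Netdirekt blocks in the Comodo posts further down, follow the MVPS layout: a commented group header naming the provider, optionally its AS number, and the IP range, then one 127.0.0.1 entry per hostname with an optional #[Tag]. The script below is an added example, not the blog's or the MVPS project's own tooling. It parses that layout, answers whether a hostname is blocked using the exact-name rule the OS resolver applies to a HOSTS file, checks whether an IP falls inside one of the header ranges, and lists names whose www./bare counterpart is absent (a HOSTS entry matches only the exact name, so a bare domain and its www. form each need their own line, as the listing's mixed forms show). SAMPLE_HOSTS is a constructed excerpt assembled from this page's listings; the IPs in the usage section are assumed test values, not addresses the page reports.

```python
"""Parse MVPS-style HOSTS listings like the one above and answer: is this
name blocked, and is this IP inside a range the listing flags? Added
example, not the blog's or MVPS tooling; SAMPLE_HOSTS is a constructed
excerpt assembled from the listings on this page."""
import ipaddress
import re

# "# [Moskvacom][AS2118][195.95.155.0 – 195.95.155.255] ..." (AS part optional)
HEADER_RE = re.compile(
    r"^#\s*\[(?P<provider>[^\]]+)\](?:\[(?P<asn>AS\d+)\])?"
    r"\[(?P<first>[\d.]+)\s*[-\u2013]\s*(?P<last>[\d.]+)\]"
)
# "127.0.0.1  host.example #[Tag]"; the 0.0.0.0 form is accepted as well
ENTRY_RE = re.compile(
    r"^(?P<addr>127\.0\.0\.1|0\.0\.0\.0)\s+(?P<host>[A-Za-z0-9.-]+)"
    r"(?:\s*#\[(?P<tag>[^\]]+)\])?"
)


def parse_hosts(text):
    """Return (entries, groups): entries maps lower-cased hostname to
    {'addr', 'tag', 'group'}; groups is the list of parsed headers."""
    entries, groups, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"provider": m["provider"], "asn": m["asn"],
                       "first": ipaddress.ip_address(m["first"]),
                       "last": ipaddress.ip_address(m["last"])}
            groups.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m:  # other comment lines and blanks are ignored
            entries[m["host"].lower()] = {
                "addr": m["addr"], "tag": m["tag"],
                "group": current["provider"] if current else None}
    return entries, groups


def is_blocked(entries, host):
    """Exact-name match, which is all a HOSTS file gives you: no wildcards,
    so a 'www.' entry does not cover the bare domain or vice versa."""
    return host.lower().rstrip(".") in entries


def reported_range_for(groups, ip):
    """Provider whose header range contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for g in groups:
        if g["first"] <= addr <= g["last"]:
            return g["provider"]
    return None


def unpaired_names(entries):
    """Names whose www./bare counterpart is missing from the file. Only
    bare second-level names (one dot) are paired with a www. form."""
    missing = set()
    for host in entries:
        if host.startswith("www."):
            other = host[4:]
        elif host.count(".") == 1:
            other = "www." + host
        else:
            continue
        if other not in entries:
            missing.add(other)
    return sorted(missing)


# Constructed excerpt: the lines are taken from this page's listings.
SAMPLE_HOSTS = """\
# [Moskvacom][AS2118][195.95.155.0 – 195.95.155.255] (Google Diagnostic report for AS2118)
127.0.0.1  canadian-drugs-shop.com
127.0.0.1  www.canadian-drugshop.com
127.0.0.1  canadian-healthcare-shop.com #[ScamFraudAlert.Pharmacy]
127.0.0.1  rx-top.com

# [Netdirekt][95.168.163.0 – 95.168.164.255]
127.0.0.1  pay-secure.net #[ISystem]
127.0.0.1  safe-pay-vault.com
127.0.0.1  secure.webexpressbill.com
"""

if __name__ == "__main__":
    entries, groups = parse_hosts(SAMPLE_HOSTS)
    print(is_blocked(entries, "pay-secure.net"), is_blocked(entries, "www.pay-secure.net"))
    print(reported_range_for(groups, "95.168.164.10"))  # assumed test IP
    print(unpaired_names(entries))
```

The www./bare check is the one worth running over the full hosts.txt before installing it: every name it reports is a host the file looks like it covers but the resolver will still happily resolve.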


Many of the other sites HealthPricer listed no longer exist …


Hopefully these certificate issuers and Truste will take a better look into the activities of the sites that were mentioned … after all, illegal activities are illegal!

Oh how embarrassing

Imagine that! … from Google Diagnostic … I wonder what malicious software was being distributed on the 15th?



So let’s click on over to trustlogo.com from the Google Diagnostic report …



The really embarrassing part is that the site mentioned sagunnyu.com appears to use a Comodo certificate … ouch!


== Server Certificate ==========
[Subject]
  CN=sslsecurity.kr, OU=Comodo InstantSSL, OU=Hosted by Jungbonet inc., OU=SSLSECURITY_TEAM, O=JUNGBONET, STREET=Nonhyeon-dong, L=Nonhyun-Dong, S=SEOUL, PostalCode=135-010, C=KR


[Issuer]
  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US


[Serial Number]
  2677FD02915826F36B72BDC69DBA9BC9
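Each certificate dump on this page (the three in the pharmacy post above and the sslsecurity.kr one here) uses the same three-section layout, and the part that matters for correlation is the RDN string: which organisation and country the subject names, and who issued it. The parser below is an added example, not the author's Fiddler export or any CA tooling. It splits the RDN strings while respecting quoted values (the EV subject's OID.2.5.4.15="V1.0, Clause 5.(b)" attribute contains a comma, and the VeriSign issuer's OU="VeriSign, Inc." does too), tolerates the blog's curly quotes, and groups the subjects by issuing organisation, which is the "same source as above" observation made mechanically. SAMPLE_DUMPS is copied from the page's own dumps.

```python
"""Parse the '== Server Certificate ====' dumps on this page and correlate
them by issuing organisation. Added example, not the author's tooling;
SAMPLE_DUMPS is copied from the page's own dumps, curly quotes included."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[(Subject|Issuer|Serial Number)\]$")
QUOTES = '"\u201c\u201d'  # straight and curly double quotes


def split_rdn(dn):
    """'CN=a, O=b, OU="x, y"' -> [('CN','a'), ('O','b'), ('OU','x, y')].
    Commas inside quoted values do not split; the Comodo EV dump's
    OID.2.5.4.15="V1.0, Clause 5.(b)" attribute depends on that."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch in QUOTES:
            quoted = not quoted  # quote characters are delimiters only
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        key, _, val = part.strip().partition("=")
        if key:
            pairs.append((key.strip(), val.strip()))
    return pairs


def parse_dumps(text):
    """One dict per '== Server Certificate' block: RDN pairs plus serial."""
    certs, cert, section = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("== Server Certificate"):
            cert = {"Subject": [], "Issuer": [], "Serial Number": ""}
            certs.append(cert)
            section = None
        elif SECTION_RE.match(line):
            section = line[1:-1]
        elif line and cert is not None and section == "Serial Number":
            cert["Serial Number"] = line.upper()
        elif line and cert is not None and section is not None:
            cert[section] = split_rdn(line)
    return certs


def attr(pairs, key):
    """First value for key, '' if absent (RDNs may repeat OU)."""
    return next((v for k, v in pairs if k == key), "")


def summarize(cert):
    s, i = cert["Subject"], cert["Issuer"]
    return {"cn": attr(s, "CN"), "org": attr(s, "O"), "country": attr(s, "C"),
            "issuer_cn": attr(i, "CN") or attr(i, "OU"),  # VeriSign dump has no CN
            "issuer_org": attr(i, "O"), "serial": cert["Serial Number"]}


def group_by_issuer_org(certs):
    """issuer organisation -> [subject CNs]: the page's 'same source' check."""
    groups = defaultdict(list)
    for cert in certs:
        summ = summarize(cert)
        groups[summ["issuer_org"]].append(summ["cn"])
    return dict(groups)


SAMPLE_DUMPS = """\
== Server Certificate ==========
[Subject]
  CN=secure.mymedcenter.net, OU=Comodo EV SGC SSL, O=RX Corp, STREET=3155 Hickory Hill Rd, L=Memphis, S=TN, PostalCode=38115, C=US, OID.2.5.4.15=”V1.0, Clause 5.(b)”, OID.1.3.6.1.4.1.311.60.2.1.2=Tennessee, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=0582044
[Issuer]
  CN=COMODO EV SGC CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00FD665970D8D5E8D59EE06A23F621AAF5
== Server Certificate ==========
[Subject]
  CN=rx-secure.com, OU=Comodo InstantSSL, O=Pharmos Limited, STREET=Leningradsky prospekt 143-26, L=MOSCOW, S=MSK, PostalCode=149501, C=RU
[Issuer]
  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
[Serial Number]
  00A84B9E3913DFC8BE5D7355B8EEFD59CE
== Server Certificate ==========
[Subject]
  CN=sslsecurity.kr, OU=Comodo InstantSSL, OU=Hosted by Jungbonet inc., OU=SSLSECURITY_TEAM, O=JUNGBONET, STREET=Nonhyeon-dong, L=Nonhyun-Dong, S=SEOUL, PostalCode=135-010, C=KR
[Issuer]
  CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
[Serial Number]
  2677FD02915826F36B72BDC69DBA9BC9
"""

if __name__ == "__main__":
    for issuer, cns in group_by_issuer_org(parse_dumps(SAMPLE_DUMPS)).items():
        print(f"{issuer}: {', '.join(cns)}")
```

Splitting on every comma, which is the tempting one-liner, silently turns the EV certificate's policy attribute into two bogus fields and the VeriSign OU into "VeriSign" plus a stray "Inc.", so the quote-aware split is the part to keep even if the rest is replaced by a real X.509 library.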


Maybe a certain CEO should spend a little more time making sure things like the above don’t happen rather than spewing out one-sided spin in an effort to deflect the real problem, which is a failure to address an ongoing (since 2007) problem:


Criminals using Comodo to attempt legitimacy

Bombarded with Comment Spam

Update 07/29/09: I’ve heard from the powers-that-be and it seems the Spam Filters were set wrong after the latest blog update? Go figure … I’ll reset (allow) the Comments and see if I can restore them …


I guess I’ve been lucky that the Bot spammers have not been a serious issue … well, until now … seems like the last few days I have been bombarded with “comment spam” … hundreds and hundreds a day [ugh!] So I’ve disabled the comments until things calm down …



MVPS HOSTS File Update July-27-2009


The MVPS HOSTS file was recently updated [July-27-2009]
http://www.mvps.org/winhelp2002/hosts.htm


Download: hosts.zip (144 kb)
http://www.mvps.org/winhelp2002/hosts.zip


How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm


HOSTS File – Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm


Note: the “text” version makes a great resource for determining possible culprits …
http://www.mvps.org/winhelp2002/hosts.txt (597 kb)

Comodo continues to ignore Malware warnings

Yet again we find the same group “ISystem Inc” scamming the public with their bogus products … with a little more help from Comodo. Now I ask you … how many times do I have to report the same group being issued a certificate from Comodo before they take the necessary steps to prevent the general public from being ripped off by these bad actors?



If the page looks familiar … it is … the same template as I previously reported … from the same people “ISystem Inc”



As you can see, I pasted the certificate details into the Fiddler report … below you can see there is no doubt that “ISystem” is the owner … same as previously reported several times! …


 


It’s not hard to find the bad actors and the connection between “ISystem and SoftDialog” … hey Comodo, ever heard of Google? …



“WindowsSecuritySuite” is hosted at the same location as before … just how many red flags does it take?



“pay-secure” is also hosted on a previously reported location


# [Netdirekt][95.168.163.0 – 95.168.164.255]
127.0.0.1  aquabilling.com
127.0.0.1  secure.aquabilling.com
127.0.0.1  secure.bestbillingpro.com
127.0.0.1  secure.payment-cc24.com
127.0.0.1  pay-secure.net #[ISystem]
127.0.0.1  safe-pay-vault.com
127.0.0.1  webexpressbill.com
127.0.0.1  secure.webexpressbill.com


“Comodo – creating trust online” … makes you wonder, doesn’t it … I’ve been reporting on Comodo’s lack of concern since “LimeLight Networks and connecting the dots” (12-07-07) … all we get is excuses and spin on how everyone else is doing it (issuing certificates) … whatever happened to being a responsible part of the Internet community?

Comodo continues to damage its reputation

Here again we find another bogus Antispyware program that does nothing but take your money … with a little help from Comodo



If the page looks familiar … it is … the same template as I previously reported … from the same people “ISystem Inc”



I pasted the Comodo certificate into the Fiddler output … seems Comodo still does not check out anyone prior to issuing a certificate … even if it comes from the same people it revoked previously … duh!


Comodo continues to issue certificates to known Malware
Anyway … I went back and checked the sites I last reported and it seems Comodo has decided to ignore my report …


rapid-antivir-2009. com
rapid-antivir2009. com
rapid-antivirus2009. com = all redirect to:
secure.xsoftstore. com


 [Google link here]


Even a simple Google search as I suggested previously would have revealed the connection to ISystem …



“malwaresdestructor. com” is hosted at Rcp.net along with quite a few other related Fraudware programs



“safe-pay-vault. com” is hosted at Netdirekt – a known malware haven


# [Netdirekt][95.168.163.0 – 95.168.164.255]
127.0.0.1  aquabilling.com
127.0.0.1  secure.aquabilling.com
127.0.0.1  secure.bestbillingpro.com
127.0.0.1  safe-pay-vault.com
127.0.0.1  webexpressbill.com
127.0.0.1  secure.webexpressbill.com


Surely you would think Comodo, with all its resources, can keep a lid on dealing with these malware frauds … especially when they have already dealt with the same culprits before … is anybody awake over there!! Trust is everything in the security business … seems Comodo can no longer be trusted, as these types of reports keep surfacing … time after time …

MVPS HOSTS File Update June-21-2009

The MVPS HOSTS file was recently updated [June-21-2009]
http://www.mvps.org/winhelp2002/hosts.htm


Download: hosts.zip (146 kb)
http://www.mvps.org/winhelp2002/hosts.zip


How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm


HOSTS File – Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm


Note: the “text” version makes a great resource for determining possible culprits …
http://www.mvps.org/winhelp2002/hosts.txt (599 kb)