
Wednesday, 21 July 2010

Hotbar.com deceptive installation.. again.

Hotbar.com probably needs no introduction as an unpleasant piece of Slimeware, picked up from the ruins of Zango by a Washington State company calling itself Pinball Corporation. Traditionally, companies like Zango and Pinball work on a pay-per-install basis for their software, and recruit affiliates to get the software installed on end users' machines. Anyone who deals with affiliate marketing knows that the actions of your affiliates reflect on the company itself.. you don't want dodgy affiliates tarnishing your reputation.

This particular affiliate of Pinball Corporation does seem to be pretty deceptive though, targeting naive users who don't properly check what they are downloading.

Here is an example, coming up on a search for Google Earth:

The first result reads:

G.Earth Free Download
EarthI0-3D.com/GEarth-Download  New G.Earth. A True 3D Digital. Fly Anywhere On Earth. For Free!

Is earthi0-3d.com Google? Of course not! But it relies on users not checking before they click through..

Google's logo is displayed prominently on the landing page, and the whole page really does look like it is from Google, but scrolling down reveals the truth.. in pale grey text on a white background to make it difficult to spot:

This website has no partnership whatsoever with the owner or manufacturer of this software program, and provides ONLY a link to the program.
New computer users should find our services valuable, and a time saver. If you are an advanced computer user, you probably don't need our services.

Well, it doesn't just provide a link to download the program.. clicking "Free Download" reveals the payload of a mixture of HotBar, ShopperReports, Blinkx and QuestDNS adware.

..but you have to read the small(ish) print. The Google Earth logo is still prominently displayed, along with a great big "Start" button. Now, to be fair, it is all spelled out in black and white with links to the EULA, but displayed in a much smaller and less prominent manner than the Google logo.

The download is pretty widely detected as adware by many AV programs. Some of the components are particularly insidious, including QuestDNS, which installs all sorts of operating system hooks.

It's not just Google Earth that is targeted in this way: the server that hosts earthi0-3d.com, 174.121.90.107 [ThePlanet.com], also hosts a shedload of other domains that masquerade as well-known applications.

Most domains have some sort of anonymous registration, but not all.. and one points the finger at a company in the Canary Islands:

Company: Payments interactive S.L.U
Name: fuentes martins de souza vicente alan
Address: camino de la fallera 1
City: santa cruz de tenerife
Country: CANARY ISLANDS
Postal Code: 38789
Phone: +34669061555
Fax:
Email: daniel.hylander@paymentsint.com

We can track down paymentsint.com to a server at 67.19.106.170 [ThePlanet.com], and there are a whole load of other domains hosted there that you might want to avoid too..

You can probably safely block these IPs and all of these sites; there doesn't seem to be anything of value here.

This is definitely a somewhat deceptive approach to installation, but it does rely on a fair degree of user stupidity too. However, any IT person will probably tell you that there is a hard core of users who really are daft enough to fall for something like this, and really the best thing that you can do is to pre-emptively block the whole lot.
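As an added example (not part of the original post), here is a small Python heuristic for spotting this kind of brand-masquerading download domain and the shared hosting behind it, covering both the lookalike pattern described above (digits standing in for letters, "pro"/"new"/"10"/"2010"/"uk"/"us" wrapped around a product name) and the advice to block the lot. The allowlist, the brand list and the affix list are assumptions a defender would maintain; the sample domains are quoted from this page except for the constructed "unrelated-name.example", and the two IPs are the ones named above.

```python
import re

# Assumption: a defender's allowlist of the genuine vendor domains (never flagged).
ALLOWED = {"google.com", "opera.com", "adobe.com", "openoffice.org", "utorrent.com"}

# Product names the lookalike domains on this page imitate; "earth" covers the
# G.Earth/Google Earth variants.
BRANDS = ["earth", "opera", "flashplayer", "openoffice", "utorrent", "frostwire",
          "limewire", "adobereader", "winrar", "skype", "bitcomet", "messenger"]

# Filler wrapped around the brand: fake version numbers, "pro"/"new"/"free", country
# tags and download words. Longer alternatives come first so "2010" beats "10".
AFFIX = re.compile(r"downloads?|latest|review|2010|free|fast|live|new|pro|my|uk|us|10|3d")

# Hosting IPs named on the page; anything resolving there is blocked outright.
BAD_HOSTS = {"174.121.90.107", "67.19.106.170"}

def normalise(label):
    """Undo the digit-for-letter tricks: 'i0' stands in for '10' and a lone '0'
    next to letters stands in for 'o' (0perai0 -> opera10, earthi0-3d -> earth103d)."""
    label = label.lower().replace("-", "").replace("i0", "10")
    return re.sub(r"(?<![0-9])0(?![0-9])", "o", label)

def brand_core(domain):
    """Registrable label of the domain with the marketing affixes stripped out."""
    label = domain.lower().rstrip(".").split(".")[-2]
    return AFFIX.sub("", normalise(label))

def classify(domain, resolved_ip=None):
    """Return a block reason for a lookalike download domain, or None if it looks fine."""
    registrable = ".".join(domain.lower().rstrip(".").split(".")[-2:])
    if registrable in ALLOWED:
        return None
    if resolved_ip in BAD_HOSTS:
        return "hosted on adware server " + resolved_ip
    core = brand_core(domain)
    for brand in BRANDS:
        if brand in core:  # heuristic: substring match on the stripped core
            return "imitates %s (core %r)" % (brand, core)
    return None

if __name__ == "__main__":
    # Constructed sample: domains quoted on this page plus two benign controls.
    samples = [("earthi0-3d.com", None), ("0perai0.com", None),
               ("flashplayerpro10.com", None), ("earth.google.com", None),
               ("unrelated-name.example", "174.121.90.107"), ("example.com", None)]
    for name, ip in samples:
        print("%-26s -> %s" % (name, classify(name, ip) or "ok"))
```

The substring match is deliberately loose, so the allowlist is what keeps the real vendor domains (and anything else you know to be legitimate) out of the block list.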

There is a very questionable use of trademarks here, and perhaps some of those trademark owners might like to take some action of their own...