
Friday 21 August 2015

What the hell is event.swupdateservice.net?

So.. I saw some mysterious outbound traffic to event.swupdateservice.net/event (138.91.189.124 / Microsoft, US). Googling around for the domain came up with some references to malware, but nothing very conclusive.

The WHOIS details for the domain are anonymised (never a good sign), and the IP address is also used by event.ezwebservices.net which uses similarly hidden details. Team Cymru have an analysis of what is being phoned home to this mystery server, and I found an existing Malwr analysis referencing the alternate domain.

I eventually found the mystery executable in C:\Users\[username]\AppData\Local\SoftUpdate\SoftUpdate.exe on the afflicted machine. Various analysis tools confirm that it generates this traffic [1] [2] [3].

The binary itself does not identify its creator. I found various references (such as in this report) linking this software and the domains to Emaze.com (a "free" presentation tool), and a look at the user's traffic logs indicates that they visited this site, referred to it by VisualBee.com, which is some sort of PowerPoint plugin (see also https://www.hybrid-analysis.com/sample/f479a3779efb6591c96355a55e910f6a20586f3101cd923128c764810604092f?environmentId=1).

Neither domain identifies itself through the WHOIS details, nor can I find any contact details on either site. A look through the historical WHOIS for VisualBee.com gives:

   Administrative Contact:
      info, info  info@visualbee.com
      visual software systems LTD.
      6 Hanechoshet st.
      Tel-Aviv, Israel 69710
      Israel
      +972.775422537


And for Emaze.com:

   Administrative Contact:
      Rubenstein, Steven  rubenstein.steven@gmail.com
      504 224th PL SE
      Bothell, Washington 98021
      United States
      +1.4254862149


This Crunchbase profile for Shai Schwartz links the two companies.

I don't like sharing data with commercial operations that are not prepared to fully reveal their identity, and I personally recommend blocking traffic to:

visualbee.com
emaze.com
swupdateservice.net
ezwebservices.net


Thursday 19 February 2015

Some Superfish domains and IP addresses and ranges you might want to look for

In the light of the growing Lenovo / Superfish fuss, I set out to identify those Superfish domains and IPs that I could, for the purposes of blocking or monitoring.

The domains and IPs that I have been able to identify are here [csv].

Superfish appear to operate the following domains (and several subdomains thereof):


These following IP addresses and ranges appear to be used exclusively by Superfish (some of their other domains are on shared infrastructure).

66.70.35.240/28
66.70.34.64/26
66.70.34.128/26
66.70.34.251
66.70.35.12
66.70.35.48

All of those IPs are allocated to Datapipe in the US. Superfish itself is based in Israel, which seems to be a popular place to develop adware.

Do with this data what you will; if you have any more IPs or domains then perhaps you might share them in the Comments.

Wednesday 31 December 2014

NetGuard Toolbar (ngcmp.com) spam

Sometimes a spam comes through and it isn't immediately obvious what they are trying to do:

From:    Brad Lorien [bclorien@ngcmp.com]
Date:    31 December 2014 at 01:12
Subject:    Real estate (12/30/2014)

Our company reaches an online community of almost 41 million people,
who are mostly US and Canadian based. We have the ability to present
our nearly 41 million strong network with a best, first choice when
they are looking online for what your company does.

We are seeking a preferred choice to send our people who are looking
for real estate in Abilene and surrounding markets.

I’m in the office weekdays from 9:00 AM to 5:00 PM Pacific time.

Best regards,

Brad Lorien
Network Specialist, SPS EServices
Phone: (877) 489.2929, ext. 64

There is no link or attachment in the email. So presumably the spammer is soliciting replies to the email address bclorien@ngcmp.com, which is a valid address. The domain ngcmp.com uses a mail server mail.ngcmp.com to receive email messages, hosted on 38.71.66.127 (PSInet / Virtual Empire, US). A look at the spam headers is rather revealing..

Received: from [38.71.66.126] (port=60856 helo=ngcmp.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <bclorien@ngcmp.com>)
    id 1Y67tI-0006Ub-TC
    for [redacted]; Wed, 31 Dec 2014 01:16:17 +0000
Received: from mail.ngcmp.com (211.sub-75-215-49.myvzw.com [75.215.49.211])
    by ngcmp.net (Postfix) with ESMTPA id 0812E3E34E
    for <[redacted]>; Tue, 30 Dec 2014 19:18:13 -0600 (CST)
    (envelope-from bclorien@ngcmp.com)

We can see that the spam was sent via a relay at 38.71.66.126, which is one IP away from the server handling the domain's incoming mail; that pretty much firmly identifies whoever controls the ngcmp.com domain as the party actually sending the spam. The mail headers also identify the originating IP behind the relay, 75.215.49.211, which is a Verizon Wireless customer, possibly someone sending spam using throwaway cell phones to avoid being traced.
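The header walk above can be automated. This is an added example, not code from the original post: it parses the two Received: lines quoted here, reconstructs the path from origin to the receiving server, flags hops where the name the sender claimed disagrees with the reverse DNS the receiver recorded, and checks whether the relay sits in the same network as the domain's inbound mail server (38.71.66.127, as given above).

```python
import ipaddress
import re

# Received: headers quoted from the spam discussed above (recipient redacted, as in the post).
SPAM_HEADERS = """\
Received: from [38.71.66.126] (port=60856 helo=ngcmp.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <bclorien@ngcmp.com>)
    id 1Y67tI-0006Ub-TC
    for [redacted]; Wed, 31 Dec 2014 01:16:17 +0000
Received: from mail.ngcmp.com (211.sub-75-215-49.myvzw.com [75.215.49.211])
    by ngcmp.net (Postfix) with ESMTPA id 0812E3E34E
    for <[redacted]>; Tue, 30 Dec 2014 19:18:13 -0600 (CST)
    (envelope-from bclorien@ngcmp.com)
"""

# IP the post gives for mail.ngcmp.com, the domain's inbound mail server.
NGCMP_MX_IP = "38.71.66.127"

RE_FROM = re.compile(r"^Received:\s*from\s+\[?([^\s\[\]]+)\]?", re.IGNORECASE)
RE_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
RE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RE_RDNS = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[\d{1,3}(?:\.\d{1,3}){3}\]\)")
RE_HELO = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)


def unfold(raw):
    """Join folded header lines: a line starting with whitespace continues the previous one."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_received(raw):
    """One dict per Received: header, in header order (closest to the recipient first)."""
    hops = []
    for line in unfold(raw):
        m = RE_FROM.match(line)
        if not m:
            continue
        ip, by = RE_IP.search(line), RE_BY.search(line)
        rdns, helo = RE_RDNS.search(line), RE_HELO.search(line)
        hops.append({
            "claimed": helo.group(1) if helo else m.group(1),  # name the sender announced
            "ip": ip.group(1) if ip else None,                  # address the receiver saw
            "rdns": rdns.group(1) if rdns else None,            # reverse DNS the receiver recorded
            "by": by.group(1) if by else None,                  # host that wrote this header
        })
    return hops


def same_prefix(ip_a, ip_b, prefix=24):
    """True when both addresses fall inside the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def assess(raw, mx_ip):
    """Reconstruct the delivery path and the two observations the post draws from it."""
    hops = parse_received(raw)
    path = list(reversed(hops))  # oldest header first: origin -> relay -> our server
    relay = hops[0]              # the host that handed the mail to our server
    mismatches = [h for h in hops if h["rdns"] and h["claimed"] != h["rdns"]]
    return {
        "origin_ip": path[0]["ip"],
        "relay_ip": relay["ip"],
        "relay_claimed_name": relay["claimed"],
        "relay_in_mx_network": same_prefix(relay["ip"], mx_ip),
        "path": [h["ip"] for h in path],
        "name_mismatches": [(h["claimed"], h["rdns"]) for h in mismatches],
    }


if __name__ == "__main__":
    for key, value in assess(SPAM_HEADERS, NGCMP_MX_IP).items():
        print(f"{key}: {value}")
```

The name mismatch on the inner hop (claimed mail.ngcmp.com, actual myvzw.com reverse DNS) is exactly the sort of thing a mail gateway can score on without any external lookup.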

An examination of those two PSInet addresses shows the following domains are associated with them:

ncmp.co
ngmp.co
ngcmp.com
ng-portal.com
ngcmp.net
ng-central.net
luxebagscloset.com
reviewwordofmouth.com


All of these domains have anonymous WHOIS details, but you can see that there is a common pattern here. I don't recommend that you visit spam sites, but I did in this case to see what it was about.


It appears to be some crappy toolbar called NetGuard, and indeed the ngcmp.com site pulls down many resources from the netguardtoolbar.com website. The site claims to be from a company called "NG Systems" but gives no other identification. netguardtoolbar.com has also had anonymous WHOIS details since it was registered in 2008.

If we look at the "Privacy" page of the site, we can see what this is all about.

NetGuard does not ask you for any personally identifiable information such as an email address, phone number, your name, or any such data. We do track IP addresses only of those who choose to download our App. We also track downloads of the NetGuard App, as well as uninstalls of the NetGuard App, so that we may have accurate data on those two items only in dealing with our Advertisers. Our Advertisers assist us in maintaining our NetGuard App Community, which allows us to provide the public with even more features as time and innovation allows. NetGuard does, as part of our advertising process, allow Advertisers who maintain an active Advertiser Account, to present their websites when an end user of the NetGuard does a search on any of the major search engines. This in no way changes the search results contained on the native pages of the major search engines, but does allow NetGuard to continue to present the general public with more options as time and innovation allows. 

This is basically adware. Going back to the original spam message, these "41 million people" are presumably suckers who have downloaded this crap, and NG Systems are busy spamming out to find more low-life advertisers to fill up their network. Or am I just sounding annoyed?

Predictably, there seems to be no such corporation as "NG Systems", but if you download the Toolbar it turns out it is digitally signed by a company called "IP Marketing Concepts, Inc." 

If we drill down into the certificate details we can find out more about this mystery corporation:

CN = IP Marketing Concepts, Inc.
OU = SECURE APPLICATION DEVELOPMENT
O = IP Marketing Concepts, Inc.
L = Lewes
S = Delaware
C = US


Some Googling around finds a Delaware corporation number 4099908 founded in 2006, but as Delaware is a "go to" place for corporations trying to hide their identities, it is hard to find out more information without paying.

The executable itself is tagged by only one AV engine as malicious, but VirusTotal does note that it looks like a PUA. Malwr notes that individual components appear to be Russian in origin.

So all in all, this spam is being sent out by a company that goes a very, very long way to disguise its origins. Would you really want to either install their product or advertise on their network?


Friday 25 July 2014

adminsecret.monster.com abused by spammers

I noticed a whole load of queries in URLquery about adminsecret.monster.com (such as this one) which I thought to be kind of odd..


"Adminsecret" sounds really interesting from a security perspective, but really it's a site aimed at executive assistants and people with similar roles.


The pages being queried are "articles" that look like this:


This doesn't look very much like a tip on how to be a better admin. There also appears to be a webspam campaign active to drive traffic to these sites:

So a mix of payday loans and movie downloads. So let's go back to this "Blended Movie Online" page with the prominent "Watch Now" button. This actually takes you to a site livingfilms.net that tantalisingly waves another "download" button at you.


Clicking "Download Now" leads you into a cesspit of adware. Instead of getting a movie, you are directed to download a file Blended.exe from allbestnew.com. Of course, this isn't a movie file at all, but some piece of crappy adware with a VirusTotal detection rate of 17/51 (mostly detected as InstallRex).

Various analysis tools [1] [2] [3] piece together what this adware does, but from a network point of view it makes a connection to the following domains:

r2.homebestmy.info
r1.homebestmy.info
c1.setepicnew.info
i1.superstoragemy.com
getdottamy.info
getyouraddon.co.il


This last one is the clue as to who is making this adware, registered to:

descr:        Justplug.it LTD
descr:        Harbel 10
descr:        Oranit Israel
descr:        4481300
descr:        Israel
phone:        +972 72 2124145
fax-no:       +972 72 2124145
e-mail:       admin AT justplug.it


Justplug.it allows you to make your own browser extensions. Hmm. Looks like a good candidate to block if you don't want unauthorised BHOs and the like.


So, for this particular issue I would recommend the following blocklist:

livingfilms.net
allbestnew.com
homebestmy.info
setepicnew.info
superstoragemy.com
getdottamy.info
getyouraddon.co.il

justplug.it

Back to the livingfilms.net site, if you want to watch the movie online instead of downloading it you get redirected to www.themovienation.com/signup?sf=blue_newjs&ref=82937 which is some sort of movie subscription service based in the British Virgin Islands. Frankly you'd be better off with Netflix, Amazon, Google or some other reputable service.


Oh yes.. and there's payday loan crap too:


So right now I would say that adminsecret.monster.com is horribly compromised and is probably a good candidate for blocking until they get the issues sorted out.

UPDATE: emails to info -at- adminsecret.com bounce, so far I have not been able to contact them.

Tuesday 14 January 2014

"Uncensored download" spam leads to adware

I've been plagued with these over the past few days, emails coming in with the following subjects:

Underground XXX files
Free porno torrents
Uncensored download


The body text contains just a link to [donotclick]goinst.com/download/getfile/1205000/0/?q=Uncensored%20download

In turn this downloads a file Uncensored download__3516_i263089565_il6090765.exe and of course that's about as trustworthy as a van with "FREE CANDY" scrawled on the side. In blood.

A quick look at the EXE in VirusTotal indicates that it's some sort of Adware, probably pay-per-install. An examination of the binary shows a digital signature for Shetef Solutions & Consulting (1998) Ltd who are probably not behind the spam run, but are probably inadvertently paying the spammers for installations.

A Malwr analysis of the file can be found here.

Avoid.

Thursday 5 December 2013

Something unpleasant on 89.248.164.219 and 217.23.2.233

The IPs 89.248.164.219 (Ecatel, Netherlands) and 217.23.2.233 (Worldstream, Netherlands) appear to be hosting some sort of bogus Firefox and Media Player downloads. (You can see the VirusTotal reports here and here).

All the domains in use appear at first glance to be genuine but are basically some sort of typosquatting. A full list of all the subdomains I can find is at the end of the post, but in the meantime I recommend using the following blocklist:

I can see the following subdomains in use, although it is probably easier just to block the main domains:

Monday 11 November 2013

"Consumer Benefit Ltd" adware sites to block

A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report) and GFilterSvc.exe (report) both in C:\WINDOWS\SYSTEM32.

The blocks are 212.19.36.192/27 and 82.98.97.192/28 and are allocated to:

netname:        Consumer-Benefit-AV-NET
descr:          Consumer Benefit LTD
descr:          Suite F 1st floor, New City Chambers
descr:          36 Wood Street
descr:          WF1 2HB Wakefield
country:        GB
admin-c:        KH2166-RIPE
tech-c:         PLN
status:         ASSIGNED PA
mnt-by:         PLUSLINE-MNT
source:         RIPE # Filtered


The problem is that there is no active company in the UK called Consumer Benefit Ltd.. there was a short-lived Manchester company number 06505446 which was dissolved in 2011, but I can't find any evidence that they are connected other than the similar name.

Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature (e.g. awsmazon.com, tradesdoubler.com, ebayrt.com, zanox-afiliate.com) and these use pseudo-anonymous WHOIS details also using the Wakefield address:

Registry Registrant ID:
Registrant Name: whois Protect Service
Registrant Organization:
Registrant Street: Suite F 1st floor, New City,
Registrant Street: Chambers, 36 Wood Street
Registrant City: Wakefield
Registrant State/Province: GB
Registrant Postal Code: WF1 2HB
Registrant Country: GB
Registrant Phone: +44.7077087721
Registrant Phone Ext:
Registrant Fax: +44.7077087502
Registrant Fax Ext:
Registrant Email: whois@sl.to


One .com using services in this range with apparently genuine details is ns-lookups.com:

Registry Registrant ID:
Registrant Name: Andrea Bégerová
Registrant Organization: BA Market Slovakia s. r. o.
Registrant Street: Klincová 37/B
Registrant City: Bratislava
Registrant State/Province: Slovenská Republika
Registrant Postal Code: 821 08
Registrant Country: SK
Registrant Phone: +421.259348122
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@bam-sk.com


Also hosted are some .to domains with anonymous registration, plus some German domains, the only one of which with reliable WHOIS details seems to be gutscheinfilter.de, registered to:

Type: PERSON
Name: Frank Dümpelmann
Organisation: Domport GmbH & Co KG
Address: Markt 32
PostalCode: 18273
City: Güstrow
CountryCode: DE
Phone: +49-9001-118840
Fax: +49-9001-118860
Email: adminc@domport.de


Domport seem to be involved in domain parking, and they have their own range of 212.19.39.192/28 that they use for this.

The adware in question attempted to call home to the following URLs:
f05e0362515f5125.srv.gutscheinfilter.de
dce645501bc1af9f.srv.ns-lookups.com
a.ns-lookups.com/updatecheck

Anyway, the following domains and IPs are all part of these "Consumer Benefit Ltd" ranges, appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:

Tuesday 2 July 2013

Babylon and the 3954 Trojans, or the Whore of Babylon.com

"Babylon and the 3954 Trojans" sounds like a swords and sandals epic, but unfortunately it's just another example of crapware gone wild. Perhaps "The Whore of Babylon.com" is more apt though.

At the heart of Babylon.com's business is a marginally useful "free" translation application plus some paid add-ons. You know, the sort of thing that Google Translate does, except that the Babylon.com whores itself out and installs a load of crapware onto your computer when it does so.

According to Google's Safe Browsing Diagnostics, the site somehow squeezes in nearly 4000 trojans (viruses) into the site. No, we don't know how that is possible, but this is what Google says:

Safe Browsing

Diagnostic page for babylon.com

What is the current listing status for babylon.com?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 1546 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-07-02, and the last time suspicious content was found on this site was on 2013-07-02. Malicious software includes 3954 trojan(s).
This site was hosted on 13 network(s) including AS32475 (SINGLEHOP), AS2914 (NTT), AS28666 (HOSTLOCATION).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, babylon.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 0 domain(s), including .

Quite why Google hasn't blacklisted it is a mystery. VirusTotal's prognosis is pretty horrible, with malware detected by most products.. but the way the checksums keep changing does make it look like Babylon.com keep changing the binaries, perhaps to avoid detection. The latest version of the software has a much lower detection rate.

To be fair, Babylon do mention in their terms of use that they will fill your computer with crap and pass your data on to others.

Babylon does not give, sell, rent, share, or trade any identifiable personal information regarding our Users to any third party, with the exception of third-party contractors and service providers who work with Babylon to provide the Service and who are strictly prohibited from later use of the information to which they may have access. Babylon may share non-personal aggregate or summary information regarding its Users with partners or other third parties. We can - and you authorize us to - disclose personal information to local, state, or federal law enforcement officials when required to do so by public authorities or when we believe in good faith that the law requires such disclosure. Please read Babylon's Privacy Policy, available here, for a detailed description of Babylon's privacy policy.

You acknowledge and agree that Babylon may process information gathered from different Users visiting the Website or using or downloading material from the Service for the purpose of building a profile of User interests and activities. Based on this profile, Babylon may send you advertisements, offers and content, and provide you with the full benefits of the Service. Additionally, you further acknowledge and agree that Babylon, through its affiliated third party's component named Wizebar (the name of such component may change from time to time) embodied within Babylon Toolbar (the "Component"), may trace, process and trade workstation's visiting websites data with its affiliated third party contractors and/or service providers, which may, following the receipt of such workstation's visiting websites data, store such information in their data base; and thereafter send each workstation relevant advertisements and/or offers from third parties; all according to each workstation's visiting websites data profile. During the downloading process of the Component, which is bundled within the Babylon Toolbar, User shall be notified that following the downloading of the Babylon Toolbar, his/her workstation may receive relevant advertisements and offers of services in accordance with his/her workstation's visiting websites date profile. User is free, at all times, to opt-out from his/her workstation receiving such advertisements and offers of services by taking the following alternative steps:

1. Uncheck the box of receipt of such advertisements and offers; or
2. Remove the Babylon toolbar from the Add/remove dialog on the operating system; or
3. Disable receipt of such services by following the "Disable Page" on the Babylon toolbar.  
Did you read all of that? No, probably neither does anybody else. Which explains why system administrators keep finding the damned product installed on their machines, adware and all. This piece of software even has its own Wikipedia entry covering malware issues. Do you really want your users to go anywhere near this site?

As far as I can tell, at the moment the Babylon software is downloaded from the following IPs which you may want to block (all operated by Singlehop):

The following domains are also related to Babylon and its associated adware, again you may want to block these:

There's nothing wrong with companies wanting to make some money out of products that are useful to people. That's the way commerce works. But filling your customers' PCs full of crap is not the way to do it..

Adware sites to block 2/7/13

Never trust an ad network that uses anonymous WHOIS details. These are hosted on 108.161.189.161 (NetDNA, US) and all hide their details. Those marked in yellow are flagged by Google for distributing some malware, the links go to the Google Safebrowsing diagnostic page. Given the amount of adware on this server, I would recommend blocking it.


Monday 1 July 2013

Adware sites to block 1/7/13

Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing the rounds at the moment; some of them may be involved in injection attacks or adware installs. If you have any experiences with these domains turning up unexpectedly on your site then please leave a comment.. thanks!

cdnsrv.com
tracksrv.com
cdnloader.com
secure-content-delivery.com
mydatasrv.com


Domains all seem to be on parking IPs or Amazon AWS, so difficult to block by IP address.

Wednesday 21 July 2010

Hotbar.com deceptive installation.. again.

Hotbar.com probably needs no introduction as an unpleasant piece of Slimeware, picked up from the ruins of Zango by a Washington State company calling itself Pinball Corporation. Traditionally, companies like Zango and Pinball work on a pay-per-install basis for their software, and recruit affiliates to get the software installed on end users' machines. Anyone who deals with affiliate marketing knows that the actions of your affiliates reflect on the company itself.. you don't want dodgy affiliates tarnishing your reputation.

This particular affiliate of Pinball Corporation does seem to be pretty deceptive though, targeting naive users who don't check what they are downloading properly.

Here is an example, coming up on a search for Google Earth:

The first result reads:
G.Earth Free Download
EarthI0-3D.com/GEarth-Download      New G.Earth. A True 3D Digital. Fly Anywhere On Earth. For Free!
Is earthi0-3d.com Google? Of course not! But it relies on users not to check before they click through..

Google's logo is displayed prominently on the landing page, the whole page really does look like it is from Google, but scrolling down reveals the truth.. in pale grey text on a white background to make it difficult to spot:



This website has no partnership whatsoever with the owner or manufacturer of this software program, and provides ONLY a link to the program.
New computer users should find our services valuable, and a time saver. If you are an advanced computer user, you probably don't need our services. 
Well, it doesn't just provide a link to download the program.. clicking "Free Download" reveals the payload of a mixture of HotBar, ShopperReports, Blinkx and QuestDNS adware.

..but you have to read the small(ish) print. The Google Earth logo is still prominently displayed, along with a great big "Start" button. Now, to be fair it is all spelled out in black and white with links to the EULA, but displayed in a much smaller and less prominent manner than the Google logo.

The download is pretty widely detected as adware by many AV programs. Some of the components are particularly insidious, including QuestDNS that installs all sorts of operating system hooks.

It's not just Google Earth that is targeted in this way, the server that hosts earthi0-3d.com, 174.121.90.107 [ThePlanet.com], also hosts a shedload of other domains that masquerade as well-known applications. (Sorry, it's a long list.. but there's more after it).




Most domains have some sort of anonymous registration, but not all.. and one points the finger at a company in the Canary Islands:

Company: Payments interactive S.L.U
Name: fuentes martins de souza vicente alan
Address: camino de la fallera 1
City: santa cruz de tenerife
Country: CANARY ISLANDS
Postal Code: 38789
Phone: +34669061555
Fax:
Email: daniel.hylander@paymentsint.com

We can track down paymentsint.com to a server at 67.19.106.170 [ThePlanet.com] and there are a whole load of other domains you might want to avoid too.. (another long list, sorry)


You can probably safely block these IPs and all of these sites; there doesn't seem to be anything of value here.

This is definitely a somewhat deceptive approach to installation, but it does rely on a fair degree of user stupidity too. However, any IT person will probably tell you that there is a hard core of users who really are daft enough to fall for something like this, and really the best thing that you can do is pre-emptively block the whole lot.

There is a very questionable use of trademarks here, and perhaps some of those trademark owners might like to take some action of their own...
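The naming trick that runs through this affiliate's domains (earthi0-3d.com, 0perai0.com, Ner0-burni0.com: "i0" standing in for "10", "0" for "o", plus filler like "pro", "new" and "2010") is easy to spot by hand and just as easy to spot mechanically, which is useful when new domains on the same server appear faster than a blocklist can be updated. The following is an added example, not the post's own code: it folds look-alike characters into one class and checks whether the registered name trades on a known application name. The brand table, the fold table and the benign sample names are my assumptions; the suspicious sample names are taken from the post.

```python
import re

# Look-alike swaps seen in the post's domains: "i0" for "10", "0" for "o"
# (earthi0-3d.com, 0perai0.com, Ner0-burni0.com). Fold both sides to one class.
FOLD = str.maketrans({"0": "o", "1": "i", "l": "i"})

# Assumed table: brand keyword -> registrable domain that may legitimately use it.
BRANDS = {"earth": "google.com", "opera": "opera.com", "nero": "nero.com",
          "frostwire": "frostwire.com", "flashplayer": "adobe.com"}

# Sample input: names from the post's list plus constructed benign ones.
SAMPLE = ["earthi0-3d.com", "0perai0.com", "Ner0-burni0.com",
          "Frost-wirei0-frostpro.com", "Flashplayernew2010.com",
          "www.frostwire.com", "earth.example.org", "mirror.example.net"]

def registrable(domain):
    """Last two labels; a real deployment would consult the public suffix list."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def skeleton(text):
    """Canonical form: fold look-alike digits, then drop hyphens, digits and noise."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))

def lookalike_brand(domain):
    """Brand keyword the registered name impersonates, or None."""
    reg = registrable(domain)
    if reg in BRANDS.values():
        return None  # the brand's own domain
    core = skeleton(reg.split(".")[0])  # only the registered label counts
    for brand in BRANDS:
        if skeleton(brand) in core:
            return brand
    return None

def flag_lookalikes(domains):
    """Map each suspicious domain to the brand it trades on."""
    hits = {}
    for domain in domains:
        brand = lookalike_brand(domain)
        if brand:
            hits[domain] = brand
    return hits
```

Substring matching over-matches (a name like unearthed.org would be flagged for "earth"), so treat the output as candidates for review rather than an automatic blocklist.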