Hotbar.com probably needs no introduction as an unpleasant piece of slimeware, picked up from the ruins of Zango by a Washington State company calling itself Pinball Corporation. Traditionally, companies like Zango and Pinball work on a pay-per-install basis for their software, and recruit affiliates to get the software installed on end users' machines. Anyone who deals with affiliate marketing knows that the actions of your affiliates reflect on the company itself.. you don't want dodgy affiliates tarnishing your reputation.
This particular affiliate of Pinball Corporation does seem to be pretty deceptive though, targeting naive users who don't check what they are downloading properly.
Here is an example, coming up on a search for Google Earth:
The first result reads:
G.Earth Free Download
EarthI0-3D.com/GEarth-Download New G.Earth. A True 3D Digital. Fly Anywhere On Earth. For Free!
Is earthi0-3d.com Google? Of course not! But it relies on users not to check before they click through..
Google's logo is displayed prominently on the landing page, the whole page really does look like it is from Google, but scrolling down reveals the truth.. in pale grey text on a white background to make it difficult to spot:
This website has no partnership whatsoever with the owner or manufacturer of this software program, and provides ONLY a link to the program.
New computer users should find our services valuable, and a time saver. If you are an advanced computer user, you probably don't need our services.
Well, it doesn't just provide a link to download the program.. clicking "Free Download" reveals the payload of a mixture of HotBar, ShopperReports, Blinkx and QuestDNS adware.
..but you have to read the small(ish) print. The Google Earth logo is still prominently displayed, along with a great big "Start" button. Now, to be fair it is all spelled out in black and white with links to the EULA, but displayed in a much smaller and less prominent manner than the Google logo.
The download is pretty widely detected as adware by many AV programs. Some of the components are particularly insidious, including QuestDNS that installs all sorts of operating system hooks.
It's not just Google Earth that is targeted in this way: the server that hosts earthi0-3d.com, 174.121.90.107 [ThePlanet.com], also hosts a shedload of other domains that masquerade as well-known applications.
(Sorry, it's a long list.. but there's more after it).
Most domains have some sort of anonymous registration, but not all.. and one points the finger at a company in the Canary Islands:
Company: Payments interactive S.L.U
Name: fuentes martins de souza vicente alan
Address: camino de la fallera 1
City: santa cruz de tenerife
Country: CANARY ISLANDS
Postal Code: 38789
Phone: +34669061555
Fax:
Email: daniel.hylander@paymentsint.com
We can track down paymentsint.com to a server at 67.19.106.170 [ThePlanet.com] and there are a whole load of other domains you might want to avoid too.. (another long list, sorry)
You can probably safely block these IPs and all of these sites, there doesn't seem to be anything of value here.
This is definitely a somewhat deceptive approach to installation, but it does rely on a fair degree of user stupidity too. However, any IT person will probably tell you that there is a hard core of users who really are daft enough to fall for something like this, and really the best thing that you can do is pre-emptively block the whole lot.
There is a very questionable use of trademarks here, and perhaps some of those trademark owners might like to take some action of their own...
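As an added example (not part of the original post), the pre-emptive blocking suggested above can be backed by a DNS log triage that flags answers pointing at the two servers named in the post, plus names that imitate a product without being on the vendor's own domain. The log format, the brand table and the `.example` hostnames are assumptions constructed for illustration.

```python
# Added example: triage DNS answer logs for the hosting IPs and the naming
# pattern described in the post. Log format and brand table are assumptions.
BLOCKED_IPS = {"174.121.90.107", "67.19.106.170"}  # the two servers named in the post

# Illustrative brand keywords -> domains the genuine vendor uses (assumed table).
BRANDS = {
    "firefox": {"mozilla.org"},
    "adobe": {"adobe.com"},
    "skype": {"skype.com"},
}

# Undo digit-for-letter swaps and hyphen padding, as seen in earthi0-3d.com.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "-": None})

def brand_hit(qname):
    """Return the brand keyword a name imitates, or None if clean or official."""
    host = qname.lower().rstrip(".")
    # Naive last-two-labels cut; a public suffix list is needed for real traffic.
    domain = ".".join(host.split(".")[-2:])
    squashed = host.translate(LOOKALIKES)
    for brand, official in BRANDS.items():
        if brand in squashed and domain not in official:
            return brand
    return None

def triage(log_lines):
    """Return (qname, reason) pairs for lines shaped 'time client qname answer_ip'."""
    findings = []
    for line in log_lines:
        _, _, qname, answer = line.split()
        if answer in BLOCKED_IPS:
            findings.append((qname, "resolves to blocked IP " + answer))
        elif (brand := brand_hit(qname)) is not None:
            findings.append((qname, "imitates '" + brand + "' off the vendor domain"))
    return findings

# Constructed sample log; only earthi0-3d.com and its IP come from the post.
SAMPLE = [
    "2010-01-01T09:00:01 10.0.0.5 earthi0-3d.com 174.121.90.107",
    "2010-01-01T09:00:07 10.0.0.5 get.adobe.com 192.0.2.10",
    "2010-01-01T09:01:12 10.0.0.8 new-firef0x-pro10.example 198.51.100.7",
    "2010-01-01T09:02:30 10.0.0.9 intranet.example 192.0.2.44",
]

if __name__ == "__main__":
    for qname, reason in triage(SAMPLE):
        print(qname, "->", reason)
```

The IP rule catches names that carry no recognisable brand keyword, while the keyword rule catches the same naming style if it moves to a different host.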