Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 22 October 2013

ALERT: 7install - Yet more fake Flash badness

Here we have yet another crapware company, this time US based, 7install, using highly deceptive and outright malicious methods to peddle their rubbish.


The IPs in this case, is;

209.126.131.87
ASN: 10439 209.126.128.0/17 CARINET - CariNet, Inc.

7install.com - marianog61@gmail.com GODADDY.COM, LLC
7install.info - marianog61@gmail.com GODADDY.COM, LLC
7searchbox.com - marianog61@gmail.com GODADDY.COM, LLC
analytic-login.com - marianog61@gmail.com GODADDY.COM, LLC
cerberav.us - marianog61@gmail.com GODADDY.COM, LLC
freedownlodenow.com - marianog61@gmail.com GODADDY.COM, LLC
incomeinstall.net - marianog61@gmail.com GODADDY.COM, LLC
installmonster.com - marianog61@gmail.com GODADDY.COM, LLC
megafreedownload.com - marianog61@gmail.com GODADDY.COM, LLC


91.214.201.126
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM

unsecuredconnection.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updatedflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC


91.214.201.148
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM

brosertie.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
fenretosit.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
forentor.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
forentor.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
forotesit.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jaterisok.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jerenkoli.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jerenkoli.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jonteoli.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jonteoli.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
moguleroc.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
mongolero.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
ventupri.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
ventupri.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
brosertie.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
fenretosit.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
forotesit.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
jaterisok.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
moguleroc.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
mongolero.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
jaterisok.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
moguleroc.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
brosertie.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
fenretosit.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forentor.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forotesit.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
jaterisok.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
moguleroc.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
mongolero.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
ventupri.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
brosertie.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
fenretosit.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
forotesit.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
jaterisok.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
jerenkoli.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
moguleroc.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
mongolero.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
ventupri.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry


198.199.65.137
ASN: 46652 198.199.64.0/20 SERVERSTACK-ASN - ServerStack, Inc.

alwaysdownloads.com - Admin / 14E08F8D78D1412A945F67F34DC204D5.PROTECT@WHOISGUARD.COM ENOM, INC.


8.29.133.130
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC

freegiveawayoffers.com - Admin / ADMIN@SLHOST.COM ENOM, INC.


8.29.133.189
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC

javainstalls.com - Admin / ADMIN@SLHOST.COM ENOM, INC.


184.105.178.69
ASN: 6939 184.104.0.0/15 HURRICANE - Hurricane Electric, Inc

yesdownloads.com - Admin / support@383media.com GODADDY.COM, LLC
dl.yesdownloads.com
adobeflashfreedownload.com - Admin / support@383media.com GODADDY.COM, LLC
avgantivirusforfree.com - Admin / support@383media.com GODADDY.COM, LLC
downloadmessengerfree.com - Admin / DOWNLOADMESSENGERFREE.COM@domainsbyproxy.com GODADDY.COM, LLC
installjavafree.com - Admin / support@383media.com GODADDY.COM, LLC
yahoomessengerforfree.com - Domain Administrator / domainadmin@yahoo-inc.com Markmonitor.com


141.101.125.155
ASN: 13335 141.101.125.0/24 CLOUDFLARENET - CloudFlare, Inc.

getsoftfree.com Admin / 806AB1DA379142F7A89D556D1FB6E33E.PROTECT@WHOISGUARD.COM ENOM, INC.


If you have a gander through the domains, you'll no doubt notice the likes of "AVG" being impersonated, but there's also another one - cerberav.us, impersonating cerberav.com (Spanish AV company).

Funny thing is, the companies involved in the use of the fake Flash/Java etc deception, are still trying to convince me that they're not doing anything wrong. On that subject, iLivid, are STILL not responding, and still using things like this;


As you've no doubt already guessed, AirInstaller, who I wrote about previously, are still using the very same tactics. For example;

hxxp://trkur.com/trk?o=7945&p=71676 -> hxxp://globalpromotions.kidsclothingstore.org/?sov=226078602&hid=fvjnhjjfnffphfhr&noflu=noflu&id=XNSX.71676%3A%3APEERFLY%3A%3AUK%3A%3A29%3A%3A7945 --> hxxp://globalpromotions.kidsclothingstore.org/AIRAdobeRS2filenameGB.html


globalpromotions.kidsclothingstore.org in case you're wondering, is housed at;

208.87.34.151 - 208-87-34-151.securehost.com - 15146 - 15146 208.87.32.0/21 CABLEBAHAMAS - Cable Bahamas
23.20.106.130 - ec2-23-20-106-130.compute-1.amazonaws.com - 14618 - 14618 23.20.0.0/15 AMAZON-AES - Amazon.com, Inc.
5.199.171.205 - hst-171-205.digital-forex.net - 16125 - 16125 5.199.168.0/22 DC-AS UAB Duomenu Centras
75.101.216.99 - ec2-75-101-216-99.compute-1.amazonaws.com - 14618 - 14618 75.101.128.0/17 AMAZON-AES - Amazon.com, Inc.




Not surprisingly, some of the companies have resorted to trying to block me seeing the sites on their IPs (they're about as successful at this, as the skiddies, and a few hosts/ASNs have been - not realising I've got far more than one or two IPs at my disposal - woops!).

If you see any more fake Flash, Java, Chrome, Firefox, Windows, Skype etc etc etc sites, please do feel free to either drop me an email, or drop by the hpHosts forums.

6 comments:

Marsha said...
This comment has been removed by the author.
Marsha said...

Uch, I can't believe I left my last name on my previous comment.
It was the automatic pilot, in the modus that I was writing a personal message.
Could you please remove it? :)

MysteryFCM said...

Marsha,
Happy to help, thanks for stopping by.

Given the way it works, it's likely you've got it loading with the browser itself.

You can use the following to get rid of it;

http://malwarebytes.org

You'll find me there as well if you need assistance (username: MysteryFCM)

MysteryFCM said...

I can remove the entire comment, but unfortunately, Blogger doesn't allow us to edit user comments.

Marsha said...

Thanks for your fast response :)

I hope you don't mind I deleted the comment, since it wasn't editable.

I have scanned with Malwarebytes, but it hasn't found anything either.

I did find something interesting though.
I thought it was a response only in the instant key, but what happens is that instant key reforms the URL to http://https://icloud.com, probably because you can't bind secure sites to it.

When I open this exact address in any browser (IE,Chrome) on different computers here (Win7/Win8), even on old ones that haven't been used since last year, AND my iPhone, this URL redirects to the mentioned website.
These computers/iPhone are not all on the same DNS.
This makes me think that the infection might not be on my particular system, but this is some 'hijack' online..

It shows a partially dutch website so I'm not sure if you would have the same results on that URL (but maybe you do if it's altered based on where you come from), but I am gonna ask around on local forums if they experience the same.

Thanks again and keep up the good work!

MysteryFCM said...

Thanks for letting me know.

Please also consider dropping by the helpdesk (tell them I sent you), and they'll identify and assist in removal;

support AT malwarebytes DOT co DOT uk