Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 29 July 2012

hphosts: Updated 29-07-2012

I am happy to report that the hpHosts server is now back online, and I've just finished updating the server and mirrors (all except one, due to a technical error currently being worked on) with the new files (which were meant to be out earlier this week, but obviously had to be delayed).

The hpHOSTS Hosts file has been updated. There is now a total of 171,879 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Last Updated: 29/07/2012 22:00
  2. Last Verified: 28/07/2012 01:00
Download hpHosts now!
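Since the hosts file is the whole mechanism here, an added example (my own code, not part of the hpHosts distribution; the sample entries are constructed and use reserved .invalid names, not addresses from the real list) that parses a HOSTS-format blocklist, counts the distinct hostnames it blocks so a total like the one above can be checked, flags entries a resolver would silently ignore, and shows what a lookup against it does:

```python
"""Parse a HOSTS-format blocklist (the format hpHosts ships), count the
hostnames it lists, flag malformed entries, and emulate a lookup.
Added example; not hpHosts' own code. SAMPLE_HOSTS is constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample in hosts-file syntax: "<ip> <hostname> [hostname ...]",
# '#' starts a comment, blank lines are ignored. Hostnames are illustrative.
SAMPLE_HOSTS = """\
# hpHosts-style blocklist (constructed sample)
127.0.0.1 localhost
127.0.0.1 example-bad.invalid      # blocked, sinkholed to loopback
127.0.0.1 Example-Bad.invalid      # same name, different case: a duplicate
127.0.0.1 tracker.example.invalid more.example.invalid
0.0.0.0 another.example.invalid    # 0.0.0.0 is the other common sinkhole
127.0.0.1 bad_host.invalid         # underscore is not a valid hostname label
127.0.0.1 -leading.invalid         # labels may not start with a hyphen
not-an-ip example.invalid
"""

# One DNS label: letters/digits/hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """RFC 952/1123 check on an already-lowercased hostname."""
    if len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_hosts(text):
    """Return (entries, duplicates, problems).

    entries    : lowercased hostname -> the first IP it was mapped to
    duplicates : Counter of hostnames that appeared again (later copies are
                 dead weight, since the first matching line wins)
    problems   : (line number, reason) for entries a resolver would ignore
    """
    entries = {}
    duplicates = Counter()
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append((lineno, "missing hostname"))
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)              # accepts IPv4 and IPv6
        except ValueError:
            problems.append((lineno, f"bad address {ip!r}"))
            continue
        for name in names:
            name_l = name.lower()
            if not valid_hostname(name_l):
                problems.append((lineno, f"bad hostname {name!r}"))
                continue
            if name_l in entries:
                duplicates[name_l] += 1
            else:
                entries[name_l] = ip
    return entries, duplicates, problems


def count_listed(entries):
    """Distinct blocked hostnames, not counting the localhost entry itself."""
    return sum(1 for n in entries if n != "localhost")


def resolves_to(entries, hostname):
    """Emulate the resolver's hosts-file step: case-insensitive, first match
    wins, None means the name falls through to real DNS."""
    return entries.get(hostname.lower())


if __name__ == "__main__":
    entries, dups, probs = parse_hosts(SAMPLE_HOSTS)
    print(f"{count_listed(entries)} hostnames listed, "
          f"{sum(dups.values())} duplicate entries, {len(probs)} bad lines")
    for lineno, reason in probs:
        print(f"  line {lineno}: {reason}")
    print("EXAMPLE-BAD.invalid ->", resolves_to(entries, "EXAMPLE-BAD.invalid"))
```

Run against a real hosts file, the duplicate and problem lists are the things worth acting on: a duplicate does nothing but slow down lookups, and a malformed line is a hostname you believe is blocked but is not. The case-insensitive, first-match behaviour mirrors what the common resolvers do with the hosts file, so the lookup emulation is only as good as that assumption.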

Thursday, 26 July 2012

Info: hpHosts downtime

For those wondering, hpHosts has been suffering a DDoS attack for the past ~48 hours. Steps are being taken to mitigate it and identify those responsible. Once done, hpHosts will be back online. Sorry for the inconvenience.

Wednesday, 25 July 2012

Called by 03339009119?

I recently handled a call my family received, from the following number:

0333 9009 119

The chap on the phone had an Indian accent (surprise surprise), and asked for my brother. When told he wasn't in, I asked who it was, and the chap immediately hung up.

I did a little digging, and it appears this number has quite the history of cold-calling and spamming on websites (dating back to 2009), including a site claiming to be for the Punjab Police. A bit strange, but we also know the Indian police force doesn't seem to care about its citizens' involvement in fraud (unfair? perhaps, but they don't appear to be doing anything about the cold-calling scammers in Kolkata ....).

If you've received a call from this number, or any number starting with 0333 900, then the company to report it to would be the phone company that owns this number:

Windsor Telecom PLC

I'd also recommend reporting it to your phone provider (e.g. BT, Sky, Virgin Media).


Ofcom: Unsolicited Telesales Calls

Telephony scams: Your machine told them it was infected? Really?

Malwarebytes: Telephony Scams: Can You Help?

Eset: The Tech Support Scammer’s Revenge

Monday, 23 July 2012

Alert: Olympics 2012 malware

Criminals are very predictable:

1. Disaster occurs
2. Serve malware by exploiting [1]

1. News occurs
2. Serve malware by exploiting [1]

1. Someone dies
2. Serve malware by exploiting [1]

As usual, they're also predictable in how they do it:

1. Drive-bys
2. Exploits
3. Phishing
4. Social engineering

In this case, it's all about the Olympics (don't see why everyone is so fussed about it personally, never have), and right on schedule, the criminals have rallied to exploit it:

The Opening Ceremony of the 2012 Olympic Games is exactly 1 week away and Websense Security Labs researchers are already seeing data-stealing malware that aims to capitalize on the Games. Malware piggybacks on the buzz surrounding current, high profile events like the Olympics in order to steal personal data. Olympics-themed content armed with malware is introduced mainly through social engineering-based attacks. The cyber criminals behind the themed attacks know that they have a better chance of enticing potential victims by appearing current and relevant to a hot topic. That gets clicks, and the chance to spread their data-stealing creations further.

We have been following with interest an advisory released by the Polish Computer Emergency Response Team (CERT) which analyzed an interesting sample of data-stealing malware. This malware, once executed, has the ability to interact with social channels like Facebook, Skype, and Microsoft Live Messenger. This particular variant spreads malicious URLs through those channels and the victim's contact list. To be precise, it employs a socially engineered attack accompanied by a malicious URL that ultimately leads to a malware file that is part of a bot network. Since the sample analyzed has tried to take advantage of the buzz around the start of this year's Olympic Games, we decided it was timely to write this blog post.

Read more

Tuesday, 10 July 2012

vURL server

Just an FYI folks, the servers are going through the routine Windows Updates, so will be down for a few mins or so. The hpHosts server has already been done, and the vURL server is going through its reboot as I write this.

Sunday, 1 July 2012

ICANN's failure

One of the biggest issues facing those of us that fight cybercrime (and perhaps "fight" sounds wrong, but it's what we do) is arguing with hosts, registrars and ASes to get domains and servers taken offline, whether it's a single IP/server/domain or hundreds of thousands of them, as was the case with a fake-meds case last year.

Usually, all we have to do is send a report with the evidence to a host/registrar/AS to get action taken, but in cases where those attempts fail, we first go to the upstream, and if that fails, we then go to the registries or, in the case of domains, ICANN.

It's ICANN I want to talk about today, and the reason for this is that they have ultimate control over EVERY SINGLE DOMAIN, regardless of its TLD, and this is very important. In one fell swoop, they could take down malicious domains, and I don't mean compromised domains; those MUST be treated completely separately (i.e. in cases of compromise, you contact those in charge of the domain/server to get it resolved, which is usually successful, though it sometimes takes a lot of emails/phone calls).

ICANN, however, has other ideas. They want overall control with none of the responsibilities that go with that control, and it's that that I have a problem with.

I'm rubbish with examples and analogies, so bear with me, but let's look at parenting, as it's the only other thing I know about (and don't get me wrong, I screwed up my first chance at that; still no idea how I screwed it up, but I'm guessing I did. Anyway, I'm getting off track). In the case of parenting, you have a child, and you're responsible for the actions of that child. It's as simple as that: you buy a car, you're responsible if the car knocks someone over.

In ICANN's case, they don't believe they should have to do anything if a domain is involved in malicious activity, whether it's directly infecting/phishing or involved in other malicious/criminal activity.

The question is, why? Why are they getting away with this? This is something I've always had problems figuring out. I'm guessing it's to do with money or politics, it usually is, but it's troubling all the same, and is something that needs to change if we're to do so much as make a difference. I personally get domains/IPs/servers taken offline every single day, and I know I'm just one person doing it; there are thousands of others doing the same thing. However, for every one of us, there are likely hundreds of criminals involved in malicious activity, whether it's "skiddies", opportunists, or dedicated gangs. Which means, if we're to actually make a difference, the first thing that needs to change is for those in control to start taking responsibility and taking action (and this also applies to the registries, as all they tend to do in most cases is tell you to reach out to the AS, which is what's been tried already, and what led to contacting the registry in the first place).

I know this blog isn't going to be read by them. Hell, it's not exactly well known, so what I'd like to see done is for people to either ask their MPs to do something, or write to ICANN and the various registries (in the case of IPs, as ICANN has no control over IP addresses), to get their stance to change and start getting action taken.

I suppose this begs the question of whether this is ICANN's failure, or ours (for letting things get to this point in the first place)? Either way, in the case of domains at least, ICANN is the only one with the power to make a real difference.

And if you've got this far, thank you. I'll end my rant now.