Author Topic: Phoenix hosts  (Read 3305 times)


June 03, 2009, 12:01:06 pm

hhhobbit

I was beginning to remove some of the hosts you removed about a week ago from my file (SecureMecca.com / HostsFile.org).  They may have become harmless but now they are back in business.  Here are some of them (there are probably more) for this particular exploit (a flash file pretending to be a scan but they don't lock you into place with JavaScript):

yourcheckpoisonpro.cn
yourguard4you.cn
yourguardforyou.cn

They may be doing it a little bit differently now than they were doing it.  Now they use a host named onlinescanweb.com which is a dead host, causing HUNDREDS of DNS queries on the part of Firefox that slow the machine down to a crawl so that they can slip your machine the mickey, a file named installer_1.exe with the following characteristics:

installer_1.exe  (renamed installer_1.exe.BAD):
===============================================
MD5:    d1f4cd0a7a4af84a095d562cc3824f61
SHA1:   cef78210f369f6f7b590d5a50b7d9bce5ef9a2de
Date:   02 Jun 2009   (764928)
From:   yourcheckpoisonpro.cn, yourguard4you.cn, yourguardforyou.cn
Prob:   ClamAV:         OK
        Avast:          OK
        AVG:            SHeur2.AJCC
VirusTotal Scan:        http://preview.tinyurl.com/qav87q

This is why you need to put the hosts you remove in a list and from time to time come back and look at them.  They frequently come back to life once they know the heat is off.  It seems like some of these dumped themselves at those IP addresses that had no web server but were not parkers.  I don't have the entire IP address space that they were using over time so I have no way to know for sure.  I do know that they are back in business now and I am still blocking them.  So, if you have enough people, have some of them check these removals over several weeks and / or months time.  It would be a simple matter to put them at these goofy IP addresses, or substitute a different index.html.  Then once the heat is off and you have stopped blocking them, they can put them back the way they were.

Even going to a park service is no assurance that they won't rise from the ashes again.  I have especially had problems with GoDaddy but there are other park services that don't check enough.  Some don't even move the host that is coming off of park status and activate them at the park IP address with the very same exploit, sometimes even distributing malware, so you have to check for that as well.  I mentioned that to GoDaddy and got no place.

I also told Mozilla / Firefox to stop doing DNS requests forever.  If the DNS server won't return an IP address after five queries, they should just assume it is dead.  These malware pushers are using this weakness of the browser doing hundreds of DNS queries to bog the machine down so they can infect it.  If this was fixed with 3.0 (I am still using 2.x) I have no way to check for that either.  If you ask me, a db for some bookmarks was dumb.  Before I could easily copy the bookmarks from Linux to OpenBSD and Windows.  Now?

I guess that means I now have to check all of the current crop of removals for their IP address and if they are not parked or dead look at each one of them individually.  I will give you the list of what I have retained when I am done.  I even had to go back and recheck some of them to put them back in.  :)

Au Revoir

June 03, 2009, 02:31:33 pm
Reply #1

hhhobbit

Preliminary results: list of hosts that have the pseudo anti-virus program with the name installer_1.exe:

yourcheckpoisonpro.cn
yourfriskdisease.cn
yourfriskviruspro.cn
yourguard4you.cn
yourguardforyou.cn
yourguardonline.cn
yourguardpro.cn
yourguardstore.cn

I usually block both the domain and www.DOMAIN, but that is just a precaution in this case.  They aren't using www.yourguardpro.cn, for example.  This kind of activity of coming back to life was what prompted Airelle to just keep them for what seems like forever to me.  I don't have a problem with dead hosts as long as you have some kind of list of last good dates, or at least a last-checked-dead date, and remove them after several months of being dead or still at a park IP.  MVPHosts author Mike Burgess adds comments "#[server down?]" to some of them.  Even he is loath to instantly remove them because they can and do come back to life.  Frequently the only problem was that their DNS server went down, as the comment notes.  In this case though, these hosts moved from one IP address to another one.  If I find any more I will report them.  If nothing more is added within the next 3-4 days, this is it.  Add these back in ...

Au Revoir

Henry Hertz Hobbit
http://www.securemecca.com
http://www.hostsfile.org
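
One way to run the recheck the two posts above describe (keep a list of removed hosts with the date they were last found dead, re-resolve them periodically, treat known parking IPs as "still dead", look at both DOMAIN and www.DOMAIN, and only forget a host after months of silence).  This is an example added here and is not hhhobbit's tooling or any hosts-file project's code.  The host names, IPs, dates and the park-IP set are constructed sample data; the 180-day drop window and the 127.0.0.1 blocking address are assumed policy choices.

```python
"""Re-check hosts that were removed from a blocklist for signs of coming back.

Added example, not code from the thread or from any hosts-file project.
Host names, IPs, dates and the park-IP set below are constructed for
illustration; PARK_IPS and drop_after_days are assumed policy values.
"""
import socket
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable, List, Optional, Set

Resolver = Callable[[str], Optional[str]]  # name -> IP, or None when it does not resolve


@dataclass
class RemovedHost:
    name: str
    removed_on: date
    dead_since: Optional[date] = None  # first check that found it dead or parked; None if alive
    last_ip: Optional[str] = None


def variants(name: str) -> List[str]:
    """Check both DOMAIN and www.DOMAIN, since only one of them may be serving."""
    return [name] if name.startswith("www.") else [name, "www." + name]


def recheck(removed: Iterable[RemovedHost], resolve: Resolver, park_ips: Set[str],
            today: date, drop_after_days: int = 180) -> Dict[str, str]:
    """Classify each removed host.  Verdicts:
    RESTORE  resolves to a non-park IP again: put it back in the blocklist
    PARKED   resolves only to a known parking IP: keep it on the watch list
    DEAD     no A record at all: keep it on the watch list
    DROP     dead or parked for drop_after_days running: safe to forget
    """
    verdicts: Dict[str, str] = {}
    for host in removed:
        live_ip: Optional[str] = None
        parked = False
        for candidate in variants(host.name):
            ip = resolve(candidate)
            if ip is None:
                continue
            if ip in park_ips:
                parked = True
            else:
                live_ip = ip
                break
        if live_ip is not None:
            host.last_ip = live_ip
            host.dead_since = None       # alive again: restart the dead clock
            verdicts[host.name] = "RESTORE"
            continue
        if host.dead_since is None:
            host.dead_since = today      # first time this check found it dead
        if (today - host.dead_since).days >= drop_after_days:
            verdicts[host.name] = "DROP"
        else:
            verdicts[host.name] = "PARKED" if parked else "DEAD"
    return verdicts


def hosts_lines(verdicts: Dict[str, str]) -> List[str]:
    """Blocklist lines for everything that must go back in (both name variants)."""
    return sorted(f"127.0.0.1 {v}" for name, verdict in verdicts.items()
                  if verdict == "RESTORE" for v in variants(name))


def live_resolve(name: str) -> Optional[str]:
    """Resolver for real use: first A record, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# --- constructed sample data (not real DNS answers) ---
PARK_IPS = {"198.51.100.5"}                   # assumed park IP; build from observed park pages
SAMPLE_DNS = {
    "revived.example": "203.0.113.10",        # moved to a new, non-park IP
    "wwwonly.example": None,
    "www.wwwonly.example": "203.0.113.11",    # only the www. variant answers
    "parked.example": "198.51.100.5",         # sitting at a parking IP
    "gone.example": None,                     # no A record for months
}
TODAY = date(2009, 6, 9)


def sample_resolve(name: str) -> Optional[str]:
    return SAMPLE_DNS.get(name)


def sample_removed() -> List[RemovedHost]:
    return [
        RemovedHost("revived.example", date(2009, 5, 27)),
        RemovedHost("wwwonly.example", date(2009, 5, 27)),
        RemovedHost("parked.example", date(2009, 5, 27), dead_since=date(2009, 5, 27)),
        RemovedHost("gone.example", date(2008, 11, 1), dead_since=date(2008, 11, 1)),
    ]


def run_sample(drop_after_days: int = 180) -> Dict[str, str]:
    return recheck(sample_removed(), sample_resolve, PARK_IPS, TODAY, drop_after_days)


if __name__ == "__main__":
    result = run_sample()
    for name, verdict in sorted(result.items()):
        print(f"{verdict:8} {name}")
    print("\n".join(hosts_lines(result)))
```

For real use, pass `live_resolve` instead of `sample_resolve` and persist `dead_since` between runs; a host that only answers on its www. variant is still reported as RESTORE, and a DROP only happens after the full window, so a DNS outage on the attacker's side does not get a host forgotten early.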

June 09, 2009, 06:56:49 pm
Reply #2

hhhobbit

Okay, sue me.  I ran into problems helping somebody with the PAC filter who is having problems like I have never observed before and it is driving me crazy.  It duplicates the behavior of DNS caching not being turned off with a blocking hosts file to a T.  Here are some more:

bestexaminedisease.cn
www.bestexaminedisease.cn
bestfriskviruslive.cn
www.bestfriskviruslive.cn
mycheckdiseasepro.cn          (not verified yet)
www.mycheckdiseasepro.cn  (not verified yet)

Unlike before, both the ${DOMAIN} and the www.${DOMAIN} are active, but I assume the others I gave you earlier are now that way as well.  What I would do is look at the hosts with the patterns frisk or disease or both in them.  I believe I have given you all of them.  They all do a pseudo-scan (swf) and inject a file named installer_1.exe that is being changed to avoid detection and only has about 1/2 of the AVs detecting them.

Au Revoir
Finisez