DATE: 2011-07-23

=======================================================================

ANTI-VIRUS REPORTS

The following are reports of the three FakeAV products in the list below. I also downloaded them two months ago but other than giving them a scan I just deleted them. I downloaded them fresh for the following tests. The owners of ClickBank.net have had TWO MONTHS to do something about this. Nothing was done during the interim except to put a lot of spam in at the WOT about how it was good. I leave it to the reader of this to make up their own minds. I noticed that the WOT has blacklisted my comments for now. If they don't show my comments to others then I will put a note up on my blog. I am sorry, but I don't want a little TWEET about the problem. It is better to show it in excruciating detail so that it isn't just a "he said" type of thing. THIS IS THE PROOF FOR WHY I ELEVATED THEIR STATUS FROM JUST "Tracker" TO "REDIR".

setup.exe (renamed adwarealertplus.exe.BAD):
=============================================
MD5:  0fe9193f20941796aebb4be688f5e11b
SHA1: 6e7345d05e181f344c12077acdf4258ac11b0d5d
Date: 2011-07-23 04:05 (6290088)
From: adwarealertplus.com
Prob:
  ClamAV:    OK
  Kaspersky: not-a-virus:FraudTool.Win32.AdwareAlert.bz
  Symantec:  MalwareBot
  VBA32:     OK
  VIPRE:     Trojan.Win32.Generic!BT
Jotti Scan: http://preview.tinyurl.com/3mxur7x (7/19)
  AVG failed to scan it, Avast here did not detect
VirusTotal: http://preview.tinyurl.com/445amdv (25/41)

setup.exe (renamed avpro.exe.BAD):
===================================
MD5:  27b002ee170c751d14e030dacbb52b9f
SHA1: 59061250d2e3f7674c926bc8a82a367edc47bf36
Date: 2011-07-23 04:24 (2496912)
From: anti-virus-professional.com
Prob:
  ClamAV:    Trojan.FakeAV-3299
  Kaspersky: Trojan.Win32.FraudPack.ayhp
  Symantec:  OK
  VBA32:     Trojan.Win32.FakeAV.bang.ev
  VIPRE:     Trojan.Win32.Generic!BT
Jotti Scan: http://preview.tinyurl.com/42jnw45 (13/19)
VirusTotal: http://preview.tinyurl.com/43f2nwa (31/43)
  (Microsoft and Symantec do not detect it)
setup.exe (renamed spywarestoppro.exe.BAD):
============================================
MD5:  c0c8b0c6025f2811f923447a03ab46dd
SHA1: 84d545a4bb6c64b9ec2f0c3944ba0ada63ba8fc8
Date: 2011-07-23 05:14 (6212075)
From: spywarestoppro.com
Prob:
  ClamAV:    OK
  Kaspersky: OK
  Symantec:  MalwareBot
  VBA32:     OK
  VIPRE:     Trojan.Win32.Generic!BT
Jotti Scan: http://preview.tinyurl.com/42ylgzr (5/19)
VirusTotal: http://preview.tinyurl.com/3pzqtmu (20/42)

If you ask me I should put in a block of setup.exe in the PAC filter. The people will have to deactivate the PAC filter before they can do the download / install. That little bit of extra time will allow them to think about it before they install stuff like this. But at least now you know why I have blocked the domain.

=======================================================================

Merged list of all hosts below and results with tests run on 2011-07-22 (WARNING - THEY DO NOT ALWAYS REDIRECT TO THE SAME HOST OVER TIME!):

adwpro.adwareprof.hop.clickbank.net
  VALID - redirected to adwareprofessional.com which I, MVPHosts, Airelle, hpHosts, & Cameleon block.

adwpro.virusprof.hop.clickbank.net
  VALID - redirected to anti-virus-professional.com which I block with a PAC filter rule but will add. MVPHosts does not block it, but hpHosts and Airelle do block it. I will add it as a double insurance.

bareshare.netmp3.hop.clickbank.net
  UNKNOWN - redirected to amazing-livetv.com which Airelle and hpHosts block. I get a block of ndparking.com in the browser and when I do a wget there is a www.searchnut.com that I also block. Let me check the IP address to see if amazing-livetv.com is in my park or pseudo-park IP list. It is at IP address 69.170.135.92 which indicates for now that it is parked (parker IP addresses change and hosts come back to life) at NDParking.com. However, remember that they can start redirecting some place else. REMOVING. Let the PAC filter handle it.
cd274vi-bwgkcu0fqhfag8tl9v.hop.clickbank.net
  VALID - redirected to a different pill pusher when I got it as spam but now it redirects to www.truthaboutabs.com which only Airelle has. I will add it as spam since it came through HotMail spam. THIS PROVES MY STATEMENT THAT THE REDIRECTION IS NOT STATIC. IT CHANGES NOT ONLY OVER THE LONG TERM BUT IN THE SHORT TERM AS WELL.

clickbell.4idiots.hop.clickbank.net
  VALID - redirected to fatloss4idiots.com. Airelle blocks it and I will add the host it redirects to for now. WOULD YOU REALLY WANT TO PURCHASE A PRODUCT FROM A WEB-SITE NAMED fatloss4idiots.com? Don't laugh. The reason we have so much spam is because people do crazy things!

drs54612.spywarebot.hop.clickbank.net
  VALID - redirects to spywarestoppro.com which is blocked by hpHosts and Airelle. I will add it. I block the prime redirector / tracker via a soft block (PAC filter).

elite122.adalert.hop.clickbank.net
  VALID - redirects to adwarealertplus.com which is blocked by hpHosts and Airelle. I am adding adwarealertplus.com.

freewslink.adalert.hop.clickbank.net
  VALID - redirects to adwarealertplus.com which is blocked by hpHosts and Airelle. I am adding adwarealertplus.com.

getappnow.avadvance.hop.clickbank.net
  INVALID - redirects to http://?hop=getappnow. I do not block this host.

gogofree.adalert.hop.clickbank.net
  VALID - redirects to adwarealertplus.com which is blocked by hpHosts and Airelle. I am adding adwarealertplus.com.

hunkydory.errorsmart.hop.clickbank.net
  VALID - redirects to www.errorsmart.com which MVPHosts blocks, not only the domain but also download.errorsmart.com. So do I, Airelle, hpHosts, and Cameleon. I do not block this host - I depend on the PAC filter.

jhacking1.movies01.hop.clickbank.net
  UNKNOWN - redirects to online-tvpc.com which hpHosts and Airelle block. It takes me to what looks like a parker but I need to do some investigating first. The privacy policy shows NA Media in the Cayman Islands. I don't know how to classify them YET.
  I suspect that 208.87.32.75 and quite a few other IPv4 addresses are theirs.

list2007.spywarebot.hop.clickbank.net
www.list2007.spywarebot.hop.clickbank.net
spywarebot.hop.clickbank.net
www.spywarebot.hop.clickbank.net
subtle1.spywarebot.hop.clickbank.net
tonyadam.spywarebot.hop.clickbank.net
  VALID - they redirect to spywarestoppro.com which is blocked by hpHosts and Airelle. I will add it. I block the prime redirector / tracker via a soft block (PAC filter).

smithy9367.fullsoft.hop.clickbank.net
  INVALID - redirects to www.fullsoftwaredownload.com. This host is now dead.

trupassion.downlod.hop.clickbank.net
  UNKNOWN - redirects to cbtopsites.com/affiliates/?hop=trupassion which gives a 403 access error. Do not misinterpret this. I gave wget just the host name and most likely you need the correct hash after it to get in. I am deleting this host and counting on a soft block but adding hard blocks for cbtopsites.com, www.cbtopsites.com, and forum.cbtopsites.com. I will remove this host though since for now it redirects to nothing I cannot handle and the PAC filter stops it anyway.

zzz.clickbank.net
  NO TESTS WILL BE DONE. This is an internal host used by clickbank.net itself that basically does only tracking unless you give it the proper hash strings. I don't have any right now.

The reason I gave these results is, in addition to proving it to the people over this domain (who put a lot of messages at the WOT that it is good and that it sells product - all it sells is a redirect / tracking service), to find which ones I can delete. If everybody uses either FanBoy-Tracking in ABP or the PAC filter then I could delete all of the hosts since you are using a pattern matching rule which is much more powerful. Here is the count of hpHosts for this domain which was current about one week ago (current as of 2011-07-14):

$ grep -c clickbank.net ../hpHosts/hosts
529

I forgot to include Steven Burn's hosts in the domain. How long do these stay active? A long time but not forever.
I have tested it with a dummy domain and it does return their blurb about the services that they provide. So it should be possible for them to deactivate a hop.clickbank.net host that leads to something undesirable.

=======================================================================

Here is my list of your hosts that are not in the main section (where trackers, ad servers, and low order spy-ware go). I have SIX email accounts. For a while there I was getting spam in my Comcast.net email address but it slowed to an almost dead stop. I do keep track of where all spam hosts were used by email account and the date that they entered my filter.

cd274vi-bwgkcu0fqhfag8tl9v.hop.clickbank.net (in add.Spam) # HotMail - 2011-05-04
freewslink.adalert.hop.clickbank.net (in add.Risk - also see MDL list and Airelle's list)
gogofree.adalert.hop.clickbank.net (in add.Risk - also see MDL list and Airelle's list)
trupassion.downlod.hop.clickbank.net (in add.Porn - even though they just track - it is a porn service using it. I think Airelle also classifies many more of your links into hosts.pub, hosts.trc and hosts.sex)

=======================================================================

Airelle's clickbank.net hosts in hosts.rsk:
-------------------------------------------
clickbell.4idiots.hop.clickbank.net
drs54612.spywarebot.hop.clickbank.net
elite122.adalert.hop.clickbank.net
freewslink.adalert.hop.clickbank.net
getappnow.avadvance.hop.clickbank.net
gogofree.adalert.hop.clickbank.net
hunkydory.errorsmart.hop.clickbank.net
jhacking1.movies01.hop.clickbank.net
list2007.spywarebot.hop.clickbank.net
www.list2007.spywarebot.hop.clickbank.net
smithy9367.fullsoft.hop.clickbank.net
spywarebot.hop.clickbank.net
www.spywarebot.hop.clickbank.net
subtle1.spywarebot.hop.clickbank.net
tonyadam.spywarebot.hop.clickbank.net
zzz.clickbank.net

=======================================================================

MalwareDomainList.com's list:
-----------------------------
freewslink.adalert.hop.clickbank.net
gogofree.adalert.hop.clickbank.net

This was in what I downloaded on 2011-05-25. They are still current in their database query. However they will remove them if they no longer get malware. You can interactively query for your problem hosts by just entering clickbank.net here: http://www.malwaredomainlist.com/mdl.php

=======================================================================

Let me know if there is something you don't understand. To me you are primarily a tracker. But like any redirection service, there is bound to be some malware or spam uses creeping in there. If you ever need to see where your hosts are in my files, just download the snap updates:

http://www.securemecca.com/Downloads/AutoHosts.msw.7z
http://www.securemecca.com/Downloads/AutoHosts.unx.7z

The first is for Windows (CRLF format). The second is for Unix type systems (LF format).
I have the following sub-portions and they will all have the hosts as I show them here on the next update (note I just moved some of the hosts from one file to another but most will be in main):

add.2o7Net
add.Casino
add.Header (URL minimizers are here)
add.Porn
add.Risk
add.Spam
main

I gave you the reference for the Redirectors.txt file which was meant only for Airelle. Actually some of the really bad ones aren't in it yet. I am thinking primarily of kc.mv.bidsystem.com and kc.xmlsearch.miva.com and some other hosts like that.

I have ZERO influence over what the WOT people do but after subsequent events here is how I rate this domain:

Trustworthiness:    1 to 4 (spam and malware)
Vendor Reliability: 1 or 2
Privacy:            1
Child Safety:       1 or 2

(Note that this revised rating is because a ton of spam was deposited at the WOT to bury my remarks and because the domain owners never responded to my email except to just spam the WOT or have their clients do it for them.)

The problem is you do have people using your service to redirect to malware, and my spam host, if my memory serves me correct, was the second in a series of four hosts that started with a URL minimizer and ended up at a fake pharmacy. By "redirect to malware" I mean YOUR CLIENTS are doing it, not you. That is a small consolation to some poor PC user who just got infected because one of your clients used you to do the job. What do I tell them when that happens and I knew it was a possibility? I will say this over, and over and over again. Redirectors and, even worse, URL minimizers pose a risk especially if you don't know in advance where you are going. Now you know why I use preview.tinyurl.com. Only one other one gives the destination URL as well:

http://clop.in/FssnXr

I wrote to them and reported it was in my unsolicited email (spam). That was four days ago. Now I am funneled into error404.000webhost.com by wpdev.net78.net, not clop.in. SEE, I TOLD YOU THEY DON'T REPLY!
But because it gives a preview of the URL that they go to, when clop.in enters my hosts file it will be commented out. But I will never again expect them to do anything about a reported spam URL. Ditto for any that may lead to malware. PEOPLE JUST DON'T WANT TO DO ANYTHING ABOUT IT ANY MORE.

BTW, a turn around of 4-5 days for wpdev.net78.net to stop redirecting down the chain and instead go to error404.000webhost.com (which I, MVPHosts, and Airelle block) is the norm for this 3-4 hosts in sequence scheme that dumps you out at the end at a fake pharmacy when it first comes into my email box. Admittedly, I only look at HotMail about twice a week. But why do they pull the plug so fast? I don't know. They don't always use you either. A lot of the new redirectors are pouring in because of them. I think they are doing tests for some other much larger scheme they have in mind. How can you have ROI for a fake pharmacy if they pull the plug within less than two weeks? YES, PEOPLE BUY FROM THESE FAKE PHARMACIES! If they didn't I wouldn't have that unwanted email message in my email box.

You also have to realize we probably only know about 10% of the hop.clickbank.net hosts that redirect to malware. That makes you responsible for the other 90% that redirect to malware that we don't know about. Where I see them a lot of the time is at those fake search sites. 97% of the time you just chase around but about 3% of the time they finally lead to malware. So now you know where I get your host names from. I finally gave up on that whack a mole approach and just use the PAC filter. The ABP people actually got the idea for their rules from me.
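As an added example (not the author's own PAC filter, whose contents the text does not show), here is a minimal PAC file that implements the two ideas above: a single pattern rule that soft-blocks every hop.clickbank.net host instead of one hosts-file entry per name, and a block on setup.exe downloads. It assumes a dead proxy on 127.0.0.1:9, defines its own matching helper so it also runs outside a browser, and its sample host list is constructed from names on this page.

```javascript
// Added example PAC filter (not the author's). Blocked requests go to a dead
// proxy so the browser errors out instead of following the hop redirect.

// ASSUMPTION: nothing listens on 127.0.0.1:9, so blocked requests fail fast.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// One host pattern covers every affiliate sub-host (elite122.adalert.hop...,
// www.spywarebot.hop..., ...), which a hosts file needs one line each for.
var BLOCKED_HOST_PATTERNS = [
  /(^|\.)hop\.clickbank\.net$/i
];

// Path rule applied to every host: the "block setup.exe in the PAC filter" idea.
var BLOCKED_URL_PATTERNS = [
  /\/setup\.exe(\?|#|$)/i
];

function matchesAny(patterns, text) {
  for (var i = 0; i < patterns.length; i++) {
    if (patterns[i].test(text)) return true;
  }
  return false;
}

// Standard PAC entry point; the browser calls it for every request.
function FindProxyForURL(url, host) {
  if (matchesAny(BLOCKED_HOST_PATTERNS, String(host).toLowerCase()) ||
      matchesAny(BLOCKED_URL_PATTERNS, String(url))) {
    return BLACKHOLE;
  }
  return "DIRECT";
}

// Offline coverage check: how many names in a hosts-file style list the
// host patterns already catch (so those entries could be dropped).
function countCovered(hosts) {
  var n = 0;
  for (var i = 0; i < hosts.length; i++) {
    if (matchesAny(BLOCKED_HOST_PATTERNS, hosts[i].toLowerCase())) n++;
  }
  return n;
}

// Constructed sample list taken from hosts named on this page.
var SAMPLE_HOSTS = [
  "elite122.adalert.hop.clickbank.net",
  "www.spywarebot.hop.clickbank.net",
  "cd274vi-bwgkcu0fqhfag8tl9v.hop.clickbank.net",
  "spywarestoppro.com" // a redirect target, not a hop host
];
```

Deactivating the PAC file in the browser is the only way past the setup.exe rule, which is the deliberate pause the text asks for.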