DATE: 2012-02-28
---------------------------------------------------------------
*.cc              (PRIVUS YOUR CHOICE Malware) (actually not a redirector - the end of the trail)
*.clickbank.net   (DNSWCD REDIR) I have now elevated their status to Redirector due to the high amount of spam at:
                  http://www.mywot.com/en/scorecard/clickbank.net
*.go2jump.org
*.hopfeed.com     (DNSWCD Tracker)
*.hopto.org       (DNSWCD Malware & Porn)
*.r.msn.com       (Redirector / Tracker)
                  BadDomains[i++] = "r.msn.com";
                  So far, no FPs, but weather.msn.com should trigger, so I am altering it to have a leading ".".
*.no-ip.biz       (DNSWCD Malware & Porn) (They do not have an anti-Porn policy but are handling the malware hosts below.)
*.redirectme.net
*.sendori.com
*.tk              (YOUR CHOICE Malware)
*.zapto.org       (WILL ADD PAC FILTER RULE)
---------------------------------------------------------------
IP: 064.111.196.117
IP: 206.161.121.000 ... 255
IP: 213.174.149.064 ... 127
GoDaddy-IP: 64.202.189.170
GoDaddy-IP: 68.178.232.99
GoDaddy-IP: 68.178.232.100

GoDaddy's IP addresses are Pseudo-Parkers. Many if not most of them just stay there. Others redirect semi-legitimately by showing you where you end up:
http://www.SecureMecca.biz
http://www.SecureMecca.info
http://www.SecureMecca.org
http://www.SecureMecca.us

The way it goes down for the ones that were bad is:
1.  They get parked and stay that way for 4-10 weeks.
2.a They start redirecting to a new malware site.
2.b They randomly redirect to a new malware site OR they continue to show themselves as parked. This is done pseudo-randomly, where most of the time it shows as being parked to fool you into believing they are now okay.
3.  Some of the time they redirect to another parker!

One more note of warning is in order. I finally had to comment these hosts out because people are so dumb that even a San Francisco newspaper reports that the sites doing the infecting are AT GoDaddy. They made that statement because of the comments of a supposed security expert. Jiminy Crickets!
But how do you explain to people that the threat is NOT at GoDaddy but where they redirect to? The threat from GoDaddy is that it is a redirector. But given how screwy some other parkers have become, they are no better or worse than these other parkers. How strange can it get? A PARKED HOST WAS ADVERTISED ON TV!
---------------------------------------------------------------
---------------------------------------------------------------
NOTE: The FanBoy-Tracking filter list blocks bidsystem.com. The EasyPrivacy filter OTOH does NOT block them. I don't know why. So if you use EasyList+EasyPrivacy & Liste-FR like I do, then make sure you also use the PAC filter in Firefox.

Technically speaking, the ".cc" domain is the end of the tunnel where the malware actually is. I have never seen redirecting FROM there. The redirectors redirect TO that domain. The reason it is such a big problem is that you have to manually verify whether there is a problem. I have inched closer to blocking that domain completely in the PAC filter:

// BadDomains[i++] = ".cc";  // YOUR CHOICE Malware - 2011-06-17
BadDomains[i++] = ".cx.cc";  // Malware - 2011-07-18
BadDomains[i++] = ".cz.cc";  // Malware - 2011-07-18

Are there valid domains in this pseudo domain? Just like the tk domain, yes. But unlike the tk domain, which redirects, these are pegged there. I have handled the tk domain so that if you do get something that you know is okay, all you have to do is make a rule in the GoodDomains section, and the cc domain should also be handled similarly:

GoodDomains[i++] = "thisisagooddomain.tk";
GoodDomains[i++] = "imustgohere.cc";

The reason the main cc domain is being handled this way is so I can continue to probe for the hosts in the domain that most people may need, white-list them, and handle their trackers and ad-servers as best as I can in the hosts file. If you ask me, that is a much better choice than getting an infected machine. IOW, do I block this domain for myself? YES! See more on this below.
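The GoodDomains / BadDomains scheme above, and the r.msn.com false-positive fixed by the leading ".", as an added example (not the author's real PAC file): a minimal FindProxyForURL() using the rule entries quoted in these notes. The blackhole proxy address is assumed.

```javascript
// Added example, not the author's actual PAC filter. It models the rule
// lists as plain suffix matches on the host name, which is what makes the
// leading "." matter. The rule entries are the ones quoted in the notes.
var GoodDomains = [];
var BadDomains = [];
var i = 0;
// GoodDomains is checked first, so a white-listed host wins over any BadDomains rule.
GoodDomains[i++] = "thisisagooddomain.tk";
GoodDomains[i++] = "imustgohere.cc";
i = 0;
BadDomains[i++] = ".r.msn.com";  // leading "." so weather.msn.com no longer triggers
BadDomains[i++] = ".cx.cc";      // Malware - 2011-07-18
BadDomains[i++] = ".cz.cc";      // Malware - 2011-07-18
BadDomains[i++] = ".tk";         // YOUR CHOICE Malware

// A rule matches when the host name ends with it. That is why a bare
// "r.msn.com" is too loose: "weather.msn.com" also ends in "r.msn.com".
// Starting the rule with "." limits it to sub-domains such as 0.r.msn.com.
function hostMatches(host, rule) {
  host = host.toLowerCase();
  rule = rule.toLowerCase();
  return host.length >= rule.length &&
         host.slice(host.length - rule.length) === rule;
}

function inList(host, list) {
  for (var k = 0; k < list.length; k++) {
    if (hostMatches(host, list[k])) return true;
  }
  return false;
}

// PAC entry point. Blocked hosts are sent to a proxy on a closed local port
// (address assumed here) so the request fails instead of reaching the redirector.
function FindProxyForURL(url, host) {
  if (inList(host, GoodDomains)) return "DIRECT";
  if (inList(host, BadDomains)) return "PROXY 127.0.0.1:3421";
  return "DIRECT";
}
```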
I just made sure all of the hopfeed.com hosts and clickbank.net hosts are in their proper section. I had some of them misclassified. (2011-07-22 - as of today I am going to test all of my clickbank.net hosts and remove the ones I don't need, because I am going to depend on the PAC filter from now on.) There is an even bigger reason I stopped this. The majority of the redirectors are just transient web-servers that have been hacked. But an even newer threat is associated with Google images. You can read about it here:
http://isc.sans.org/diary.html?storyid=10759
One thing is that many of the URL minimizers are being taken through Google, which started a park service, and they are using them as a rite of passage for the younger / newer hackers. What happens is that they pseudo-park them there, then start redirecting from them, and finally have their hosts outside of Google.

URL MINIMIZERS
All of these are considered to be redirectors because that is what they do. Rather than listing them here, just consult the end of the add.Header file. They are from the comment "URL minimizers" to the end of the file. I had to comment out the block of the bit.ly and www.bit.ly redirection service because the install for AdBlock for the Chrome browser uses it. What the authors didn't recognize is that this tracking domain has been extensively used to shove malware down people's throats. I would advise using the PAC filter with Chrome, Internet Explorer, Opera, and Safari instead, but there is a problem with that:
http://securemecca.blogspot.com/2012/02/chrome-windows-problems-ii.html
I fear that will never be resolved. I have ascertained though that it is something from the past that Google keeps putting back, rather than it marching through every file in the folder. This problem exists ONLY with the combination of the PAC filter and Chrome. With the other three browsers that pop-up goes away.
So Chrome is very likely downloading past settings from Google, which means they thought they would be helpful. IT IS NOT HELPFUL. CLEAN STATE, CLEAN STATE, CLEAN STATE!