May 2007 – Page 3 – The Legacy Sunbelt Software Blog

Some fake codec sites, with some interesting names

You can see a list of some fake codec sites here (Warning: extremely graphic names in the domain names).

All of these sites foist on Zlob Fake Codecs and DNSChanger trojans by requiring the user to install a “required” component (Video ActiveX Object, a “special” codec, etc.) to view a video (probably always porn). These components are actually very dangerous trojans with rootkits.

The majority are named after celebrities. However, a couple are of note: blockbuster-video-cxb(dot)org and yahoo-video-sdge(dot)org.

Obviously, stay well clear of all of these sites…

Alex Eckelberry
(Thanks Patrick Jordan)

The Amish Virus through Adwords

Drvebydownload1988
Remember the Amish Virus? It goes like this:

You have just received the Amish virus.

Since we have no electricity or computers, you are on the honor system.

Please delete all of your files on your hard drive. Then forward this message to everyone in your address book.

Great joke, but fellow blogger Didier Stevens did something similar using Adwords.

He created an adwords campaign in Google offering to infect users. And surprise — it worked.

Of course, one can surmise that people clicked on the sponsored link thinking they were going to get help with viruses. Or maybe they just clicked out of curiosity. At any rate, it’s a great blog entry and you can read his story here.

Alex Eckelberry

URL redirection services — safe to use?

In one word, yes, with a qualifier. WiseGeek has done a brief writeup on the subject of using redirection services like TinyURL and SnipURL.

If your link is intended to be used for a short period of time, then redirection services are fine. If, however, you have a more permanent link that you want to post on a website, then you should realize that you are giving away valuable control to an external entity. If you want to use redirects for a more permanent or important application, make sure you trust the redirection service thoroughly.

Link here.

Services like TinyURL and SnipURL have a solid track record and it’s not something to be overly concerned with. However, the writer does make some good points.

Alex Eckelberry
(thanks Lindsay)

That’s a rather nasty trojan

Symantec has more here.

Alex Eckelberry
(Thanks Tammy)

New blog: Dr. Identity

There’s a relatively new blog by Martin Bosworth (you may know him from consumeraffairs.com). It focuses on identity theft and related issues.

The blog is Dr. Identity, and you can find it at dridentity.com.

Alex Eckelberry

The “hidden” clickfraud

I think there’s a lot of “unintentional” clickfraud that occurs when sponsored links are put at the top of the page — for the target search itself.

For example, I’ve noticed some members of my family don’t bother to type in a URL in the address bar. Instead, they merely enter their target URL into Google (or whatever other search engine they’re using). Then, they click on the sponsored link for where they want to go.

So if you search for Delta Airlines on Google, you get this result:

Where would someone click? On the sponsored link, as opposed to the next link down, which costs Delta for every click (I don’t know the number, but if someone knows more, please comment).

When I pointed this out to one family member, the result was complete surprise. “Oh, that really costs them money when I click on it?”

Maybe Delta wants it this way, to make sure that people will go to their site instead of somewhere else. But you have to wonder — there must be an absolutely epic number of people who don’t know how to enter a URL (or don’t bother) and simply use their search portal to do the work for them. And there must be a similarly epic number of people who don’t realize that a sponsored link costs the advertiser money.

I’m no SEO expert, so those out there who know more than me, please feel free to comment.

Alex Eckelberry

Seen in the wild: “insidesecondlife”

Second Life: Perceived by some as the second coming, etc. (and Sunbelt has a big presence there). Others as a pile of hogwash. Whatever, but there’s a site called “insidesecondlife” with the different TLDs — .com, .net., .org. All are owned by a “P2P Inside”.

Registered under the notorious Esthost, an ISP that has a history of being friendly to malware vendors.

Well, the .com and .net are “splogs” — spam blogs which have a look like Digg.

Insidesecondlife dot com:

Insidesecondlife dot net:

But then here’s something of mild interset — the .org brings up a page for an antispyware application, ContraVirus:

Nothing unduly alarming here, more of a curiosity (Contravirus is on the rogue list, but is not in the class of WinFixer/SpySheriff/etc.).

Alex Eckelberry