
WARNING: hosts-file.net HOSTS installation program adds malware


22 replies to this topic

#1 RevGAM

  • Members
  • 718 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin, USA

Posted 13 September 2016 - 03:05 AM

HpHosts-Setup-Win32.exe on hosts-file.net appears to contain a very nasty malware.  I went there from the BC HOSTS tutorial and installed it on two computers.

 

On my HP, I also disabled DNS using that program.

 

On my HP, MBAM quarantined the resulting HOSTS file and there were two Hijack.hosts entries in quarantine - one was not restorable.  I downloaded and added the HOSTS file from the "hosts.zip" file (from the same site) and it did not get quarantined, so it appears this has to do with just the app.

 

On my Toshiba, I got a very nasty malware, possibly Symmi.  It does several wonderful things.  I have not yet figured out how to rid myself of it, and have sent a message to Malwarebytes asking for help.

 

It turns off the Internet, removes MBAM (paid) from startup, prevents opening MBAM, SAS free and avast! free (from the start menu, systray and desktop), disables right-click of those programs, causes Windows Explorer to hang if you right-click in it or the desktop, disables run as admin, removes MBAM from the start menu, prevents MB Chameleon from working and, if I actually get MBAM to open, MBAM's scan cannot get past "updating" because there is no Internet access.  It does NOT stop access to WinPatrol.  I even ran EEK from WinPE (flashdisk boot) and it only found one Symmi infection, but the system is still infected.

 

I just noticed that it also changed msconfig to selective startup.

This occurred at the same time as a renewal of avast with a trial of their IS.

 

I have reported this to Malwarebytes, since the program's author is supposedly their employee and the site says it's powered by Malwarebytes.

 

If anyone has a suggestion for a powerful commandline scanner that works in Windows PE (on a flashdisk), I'm all ears since EEK failed.  I tried running several stand-alone programs (JRT, ART, Minitoolbox, ZHP, AdwCleaner, Security Check, and AdsFix), but couldn't get them to work, either.  Zemana requires Internet access, so I didn't try it.

 

For malware hunters - enjoy. :)

Edit: This is the log. It happened again today.

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 13/09/2016
Scan Time: 14:14
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.09.13.04
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled
 
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Me
 
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 438745
Time Elapsed: 6 hr, 5 min, 14 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 2
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (127.0.0.1 comvirustotal.com), Replaced,[c7e17af7f1a9013550f1c8d0b450ba46]
Hijack.Host, C:\Windows\System32\drivers\etc\HOSTS, Good: (), Bad: (.0.0.1 ramina.biz
127.0.0.1 ra), Replaced,[594f08693b5f79bd4001f4a484805aa6]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Edited by RevGAM, 13 September 2016 - 08:38 AM.

Namaste, Peace & Love,
Glenn


If I have frustrated you, then I must be a student. If I've imparted information or a skill to you, then I must be a teacher. If I've helped you, then I must be a volunteer. If I've touched your life, then I must be happy!
If you had to choose between saving just your family, or saving 10,000 GOOD people (but not your family), what would you choose?



 


#2 RevGAM

  • Topic Starter
  • Members
  • 718 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin, USA

Posted 13 September 2016 - 09:17 PM

FYI, I thought the HPHosts program was a standalone (portable).  It turns out that it was installed on my system and reinfecting the HOSTS file.  I have uninstalled it and will run MBAM.  If it gets infected again, I'll advise.




#3 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 14 September 2016 - 09:56 AM

I doubt that hp-hosts is the culprit here to be honest. Are you able to upload your current hosts file somewhere and post the download URL for it here? I would like to take a look at it.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 RevGAM

  • Topic Starter
  • Members
  • 718 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin, USA

Posted 14 September 2016 - 10:29 AM

> I doubt that hp-hosts is the culprit here to be honest. Are you able to upload your current hosts file somewhere and post the download URL for it here? I would like to take a look at it.

I already got rid of HPHosts and the HOSTS file it created.  You could download the files from hosts-file.net yourself and check them out.  It's still in my garbage, but I'm not sure if it is pre- or post-quarantining.  I suppose I could paste that HOSTS in here, but it's rather big (14 MB).

I find it confusing since it's connected to Malwarebytes, but it seems unusual that two computers experienced problems immediately following using the program - separately downloaded, might I point out.

I have saved the log files from MBAM if you're interested.




#5 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 14 September 2016 - 10:32 AM

I'll download it and install it on a VM when I get home tonight and check. Though I think there might be something else on your system changing the hosts. Once done, I'll install and run Malwarebytes to see if it picks up the same detections as you (which looks like false positives to me).



#6 RevGAM

  • Topic Starter
  • Members
  • 718 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin, USA

Posted 14 September 2016 - 10:37 AM

> I'll download it and install it on a VM when I get home tonight and check. Though I think there might be something else on your system changing the hosts. Once done, I'll install and run Malwarebytes to see if it picks up the same detections as you (which looks like false positives to me).

I look forward to hearing the results!




#7 Grinler

    Lawrence Abrams

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 14 September 2016 - 02:21 PM

This is the link you used to download it?

 

https://hosts-file.net/?s=Download



#8 RevGAM

  • Topic Starter
  • Members
  • 718 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin, USA

Posted 14 September 2016 - 03:01 PM

Correct.

 

> This is the link you used to download it?
>
> https://hosts-file.net/?s=Download

HPHosts was downloaded from: https://hosts-file.net/download/hpHosts-Setup-Win32.exe

Hosts.zip from: https://hosts-file.net/download/hosts.zip

 

No further problems have occurred since deleting the HOSTS file with RstHosts and uninstalling HPHosts.  I'm now using the MVP HOSTS file.




#9 MysteryFCM

  • Security Colleague
  • 9 posts
  • Gender:Male
  • Location:Tyneside, UK

Posted 14 September 2016 - 03:35 PM

Just to clarify, the hpHosts file and installer isn't adding malware to the system, it's a bog standard HOSTS file, and the detection is a false positive.

 

As an aside, I noticed the two domains mentioned, and both were malicious - NOT legit domains (comvirustotal.com != virustotal.com).


Regards

Steven Burn
I.T. Mate / hpHosts / Malwarebytes
it-mate.co.uk / hosts-file.net / malwarebytes.com
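The two Hijack.Host entries in the log in the first post and Steven Burn's remark that comvirustotal.com is not virustotal.com point at the same thing: a blocklist line that sinkholes a look-alike domain to 127.0.0.1 is benign, and a rule that matches a vendor name as a substring will mis-flag it. The script below is an added example written for this page; it is not Malwarebytes' detection logic and not code from hosts-file.net. The watchlist, the verdict names and the sample HOSTS lines are constructed for illustration. It parses hosts entries, compares a substring rule against a label-boundary rule, and separates a blocklist sinkhole from a vendor domain sent to loopback (which blocks AV updates, the symptom described in the first post) or to a routable address.

```python
import ipaddress

# Constructed sample HOSTS content, in the style of a blocklist such as
# hpHosts (domains sinkholed to 127.0.0.1) plus a few suspicious lines.
# These lines are made up for the example, not copied from any real file.
SAMPLE_HOSTS = """\
# blocklist-style entries: domain -> loopback
127.0.0.1 comvirustotal.com
127.0.0.1 ramina.biz
0.0.0.0   tracker.example.net
::1       localhost
# suspicious: a vendor domain sinkholed (blocks AV updates)
127.0.0.1 malwarebytes.com
# suspicious: a vendor domain redirected to a remote host
203.0.113.7 www.virustotal.com
# ordinary local override
10.0.0.5  intranet.example
"""

# Hypothetical watchlist of vendor domains worth protecting; an assumption
# for this example, not Malwarebytes' actual rule set.
WATCHLIST = {"virustotal.com", "malwarebytes.com"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blanks and unparsable lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry (e.g. stray text)
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")


def matches_substring(name):
    """Naive rule: any watchlisted domain appearing anywhere in the hostname."""
    return any(w in name for w in WATCHLIST)


def matches_exact(name):
    """Label-boundary rule: hostname equals, or is a subdomain of, a watchlisted domain."""
    return any(name == w or name.endswith("." + w) for w in WATCHLIST)


def naive_verdict(ip, name):
    """Shape of rule that would flag '127.0.0.1 comvirustotal.com' regardless of target."""
    return "hijack" if matches_substring(name) else "ok"


def careful_verdict(ip, name):
    """
    sinkhole       : non-watchlisted name sent to loopback/unspecified (blocklist style)
    blocked-vendor : watchlisted name sent to loopback/unspecified (update blocking)
    hijack         : watchlisted name sent to a routable address
    redirect       : anything else sent to a routable address
    """
    local = ip.is_loopback or ip.is_unspecified
    listed = matches_exact(name)
    if local:
        return "blocked-vendor" if listed else "sinkhole"
    return "hijack" if listed else "redirect"


def triage(text):
    """Return (ip, hostname, naive_verdict, careful_verdict) for every entry in text."""
    return [(str(ip), name, naive_verdict(ip, name), careful_verdict(ip, name))
            for ip, name in parse_hosts(text)]


if __name__ == "__main__":
    for ip, name, naive, careful in triage(SAMPLE_HOSTS):
        print(f"{ip:<12} {name:<24} naive={naive:<7} careful={careful}")
```

Run it directly to print both verdicts side by side: the substring rule flags comvirustotal.com while the label-boundary rule treats it as an ordinary sinkhole, and both still catch www.virustotal.com pointed at a remote host. The target address matters as much as the name: a real vendor domain sent to 127.0.0.1 is the classic way malware blocks updates, so it is kept as its own verdict rather than lumped in with blocklist entries.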


#10 MysteryFCM

  • Security Colleague
  • 9 posts
  • Gender:Male
  • Location:Tyneside, UK

Posted 14 September 2016 - 04:27 PM

Just an update, I've spoken to a member of the Malwarebytes research team, and an update is being pushed out that should resolve this.

 

/edit

 

Worth noting, myself and others have been unable to reproduce this detection thus far. If you are able to reproduce it, please send us the MBAM log file and a copy of the HOSTS file that was detected.


Edited by MysteryFCM, 14 September 2016 - 04:31 PM.



#11 Grinler

    Lawrence Abrams

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 14 September 2016 - 04:34 PM

Steven, so there was a bad exec on the site? Can you give us more info? Or there was an issue with the defs?

 

Thanks



#12 RevGAM

  • Topic Starter
  • Members
  • 718 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin, USA

Posted 14 September 2016 - 04:34 PM

I have already sent the relevant logs to Maurice at MB. I no longer have the HOSTS file as I used RstHosts to get rid of it.




#13 MysteryFCM

  • Security Colleague
  • 9 posts
  • Gender:Male
  • Location:Tyneside, UK

Posted 14 September 2016 - 04:39 PM

> Steven, so there was a bad exec on the site? Can you give us more info? Or there was an issue with the defs?
>
> Thanks

 

It's an issue with the MBAM defs. I'm working with Tammy as I write this, so it gets fixed (the second entry MBAM flags seems to be randomly selected, not sure why, but guessing based on the first).


> I have already sent the relevant logs to Maurice at MB. I no longer have the HOSTS file as I used RstHosts to get rid of it.

 

No problem. I've finally been able to reproduce it.




#14 MysteryFCM

  • Security Colleague
  • 9 posts
  • Gender:Male
  • Location:Tyneside, UK

Posted 14 September 2016 - 05:01 PM

Update (v2016.09.14.11) out and tested. The F/P has been corrected.




#15 RevGAM

  • Topic Starter
  • Members
  • 718 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin, USA

Posted 14 September 2016 - 06:40 PM

So, is it a combination of a false positive and programming error, combined with (on my end) a coincidental infection?

BTW, I'd like to suggest that, once this is done, the discussion be deleted.  I'm not embarrassed, but I don't want it to be used by antagonists who want to say bad things about MB, Mr. Burn or hosts-file.net.


Edited by RevGAM, 14 September 2016 - 07:05 PM.





