I needed a quick, free webhost. Incidentally (it is funny how things come together sometimes) I remembered Andreas Gohr mentioning 000webhost.com, so I decided to give it a try.
Now, I knew that nothing is free, so I expected to need to insert some banner ads in the pages, however it seems that this hosting provider actively tries to trick users into running malware! Here is how the whole process works:
During signup or when you try to create the domain, you get message similar to the one shown in the image below (note: they may have changed their tactics recently or use some kind of filtering systems to target only Windows computers for example, because Andreas didn’t get this message).
Now, my BS meter went right off the scale when I read this, since:
- The site already knows my IP address, since I’m connecting to it (ok, I might use proxies or TOR, but why not use techniques like the Metasplot de-cloak project?)
- Being on a DSL line, my IP address changes at each computer reboot, so it is by no means “more reliable” to confirm an identity as the text claims
- The executable was linked off from a third party site! (goffhouseinn.com, which seems to have been the – legitimate – site of an Inn, however – probably because they’ve failed to renew their registration in time – it has been registered by an other party and now it serves up what seems to be an older mirror of the Joomla frontpage.
After confirming it with Virustotal that it is almost certainly malware, I decided to investigate further:
- The ThreatExpert analysis confirms that it indeed pops up a window with a generated code, however it also downloads a second executable from goffhouseinn.com (from http://goffhouseinn.com/tmp/.images/ to be more exact – which is an other suspicious sign – containing misleading folder names – like tmp or images – and hidden folders – .images). This is a clear contradiction with what the instruction said (that it will only connect to members.000webhost.com).
- The downloaded file is also quite well detected. Its ThreatExpert Analysis is also available. From there, one can clearly see that it contains at least two backup servers (sexygaby.com and nimbarka.com). At this point is is unclear to me if these servers have been hacked or not (what is the reason for them distributing the malware).
On the forum of the site there is a posting where people complain that the file is infected and the moderators try to assure them that it is not malware (here is a mirror of the page in case they decide to pull it). The most suspicious thing here is the fact that they give links to third party sites to download the file from, instead of linking to 000webhost.
The files provided at the links fall in two categories (if we ignore the ones which are not available:
The conclusion: the site is knowingly distributing malware. I will complain to their upstream provider, maybe they can clear the situation up a little (or at least make them pull this malware download).
Update: here are some (not so nice) things I found on the ‘net about 000webhost. This is of course hearsay, so I can’t judge the accuracy of these claims:
- Beware of this fake affiliate 000webhost
- 000webhost – this one is in Romanian and tells you how you need to specify your phone number for 000webhost to be able to send you an activation SMS – this means that they are constantly shifting to new techniques…
Update 2: it seems that the “distribution selection” mechanism is IP based (rather than OS / browser based), as I tried the same steps from a Linux machine from a different netblock (but still from Romania) and it presented me with the link, while trying it trough TOR from a (virtualized) Windows machine didn’t. The conclusion is: you might not see it, but it doesn’t mean that it doesn’t exist 🙂