
Saturday, January 03, 2009

000webhost.com trying to install malware

I needed a quick, free webhost. Incidentally (it is funny how things come together sometimes) I remembered Andreas Gohr mentioning 000webhost.com, so I decided to give it a try.

Now, I knew that nothing is free, so I expected to need to insert some banner ads in the pages, however it seems that this hosting provider actively tries to trick users into running malware! Here is how the whole process works:

During signup or when you try to create the domain, you get a message similar to the one shown in the image below (note: they may have changed their tactics recently or use some kind of filtering systems to target only Windows computers for example, because Andreas didn't get this message).

Now, my BS meter went right off the scale when I read this, since:

  • The site already knows my IP address, since I'm connecting to it (ok, I might use proxies or TOR, but why not use techniques like the Metasploit de-cloak project?)
  • Being on a DSL line, my IP address changes at each computer reboot, so it is by no means "more reliable" to confirm an identity as the text claims
  • The executable was linked off from a third party site! (goffhouseinn.com, which seems to have been the - legitimate - site of an Inn, however - probably because they've failed to renew their registration in time - it has been registered by another party and now it serves up what seems to be an older mirror of the Joomla frontpage.)

After confirming it with VirusTotal that it is almost certainly malware, I decided to investigate further:

  • The ThreatExpert analysis confirms that it indeed pops up a window with a generated code, however it also downloads a second executable from goffhouseinn.com (from http://goffhouseinn.com/tmp/.images/ to be more exact - which is another suspicious sign - containing misleading folder names - like tmp or images - and hidden folders - .images). This is a clear contradiction with what the instruction said (that it will only connect to members.000webhost.com).
  • The downloaded file is also quite well detected. Its ThreatExpert Analysis is also available. From there, one can clearly see that it contains at least two backup servers (sexygaby.com and nimbarka.com). At this point it is unclear to me if these servers have been hacked or not (what is the reason for them distributing the malware).
  • On the forum of the site there is a posting where people complain that the file is infected and the moderators try to assure them that it is not malware (here is a mirror of the page in case they decide to pull it). The most suspicious thing here is the fact that they give links to third party sites to download the file from, instead of linking to 000webhost.

    The files provided at the links fall in two categories (if we ignore the ones which are not available):

The conclusion: the site is knowingly distributing malware. I will complain to their upstream provider, maybe they can clear the situation up a little (or at least make them pull this malware download).

Update: here are some (not so nice) things I found on the 'net about 000webhost. This is of course hearsay, so I can't judge the accuracy of these claims:

Update 2: it seems that the "distribution selection" mechanism is IP based (rather than OS / browser based), as I tried the same steps from a Linux machine from a different netblock (but still from Romania) and it presented me with the link, while trying it through TOR from a (virtualized) Windows machine didn't. The conclusion is: you might not see it, but it doesn't mean that it doesn't exist :-)
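
The contradiction noted in the ThreatExpert bullet above (traffic to a host other than the one the instructions named, under tmp and .images folders) can be checked mechanically against the URL list of a sandbox report. This is an added example, not part of the original post; the function names, the directory-name list and the file names in the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Folder names that pass for scratch or asset directories (the post's "tmp", "images").
MISLEADING_DIRS = {"tmp", "temp", "images", "img", "cache"}
EXECUTABLE_EXTS = (".exe", ".scr", ".dll")


def review_url(url, claimed_hosts):
    """Return the reasons one observed URL contradicts the stated behaviour."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    # Everything but the last segment is a directory, unless the path ends in "/".
    dirs = segments if parts.path.endswith("/") else segments[:-1]
    reasons = []
    if not any(host == h or host.endswith("." + h) for h in claimed_hosts):
        reasons.append("host not in claimed set")
    if any(s.startswith(".") and s not in (".", "..") for s in segments):
        reasons.append("hidden (dot-prefixed) path segment")
    if any(d.lower().lstrip(".") in MISLEADING_DIRS for d in dirs):
        reasons.append("misleading directory name")
    if segments and segments[-1].lower().endswith(EXECUTABLE_EXTS):
        reasons.append("executable download")
    return reasons


def review_report(urls, claimed_hosts):
    """Map each flagged URL to its reasons; URLs with no findings are omitted."""
    findings = {}
    for url in urls:
        reasons = review_url(url, claimed_hosts)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample: the directory is the one named in the post; the file name
# and the members.000webhost.com path are placeholders, not values from the report.
CLAIMED = {"members.000webhost.com"}
OBSERVED = [
    "http://members.000webhost.com/confirm",
    "http://goffhouseinn.com/tmp/.images/PLACEHOLDER.exe",
]

if __name__ == "__main__":
    for url, reasons in review_report(OBSERVED, CLAIMED).items():
        print(url, "->", "; ".join(reasons))
```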

19 comments:

  1. Hi,

    I registered my site with 000webhost.com a few days ago (before 2009 starts) and I didn't get this message (000webhost IP address confirm screenshot)

    I'm using Windows by the way.

    However, today when I tried to register another domain with them, I got a message that 000webhost.com will now check and reply to me within 24 hours.

    Do you have better recommendations? It would be good if it's free. :)

    I don't want my users to come to my site and get infected, even if it's not happening now. Currently, I'm not seeing any signs of that, but I don't want to take any chances.

  2. I just updated my post to say that you seeing or not seeing the message probably depends on the IP your requests are coming from (i.e. your public IP).

    The truth is that there is no such thing as a free lunch. Everybody wants something. For most free hosting companies this means advertisement in the pages, some might use your signup data for various purposes, but this malware pushing is new for me :-(.

    How I do it: I tend to use specialized services from "big" companies for specialized tasks (for example blogger for hosting a blog). This has some level of assurance that (a) they won't go rogue and (b) they have a proper infrastructure. Sure, having your own machine in a data center would be nice (and is something I'm thinking about), but until then, blogger is also cool.

    Hope this helps.

  3. Thank you very much. I will certainly consider that or move on to using a paid host.

  4. Thanks for the information, as this bullshit nonsense business is running all over

  5. Hi, I have been a victim of the 000webhost affiliate scam and I hope that the people behind this scam will be given enough disciplinary action by the government so that things like what they do will not happen any more

  6. I also suffered. Got an e-mail for earning more money by making a free site with 000webhost & Google AdSense. ip-checker is detected as a trojan by Norton Internet Security.

  7. Anonymous 4:36 PM

    Avira has seen it as a trojan too.

  8. i can't run ip_confirm.exe

    "No registered application for this extension."

    can u help me please?!

  9. @agnes: I can't really decide if this is a cleverly generated spam comment or a sincere one... But having faith in humanity, I'll go with the assumption that it is a sincere one: you do not want to run it.

  10. So, where's the safe one to get free hosting?

  11. One credible source seems to be the following: http://www.phpclasses.org/hosting/

    Unfortunately they don't have any free plans listed, but they have some very low cost plans (starting from 0.90 USD/month).

  12. Anonymous 7:45 PM

    Thanks for the info, it really helps a lot...

  13. Anonymous 4:00 AM

    I decided to try 000webhost.com out just to see if I could save a couple of bucks. What a total waste of time!

    Slow ftp, slow or incomplete page loads, mysql unresponsive, etc, etc, etc. Does anyone's email work via this service, or is it just mine that won't work?

    I've tried to get support, but that was also a waste of time. And, when I continued to seek assistance my account and files were deleted.

    Total waste of time.

  14. I think they took down the ip confirm things now.

  15. Anonymous 10:29 PM

    Seems like I'm way behind on this, but just to keep the warnings coming-they are still in business and still running all of the same crap. Also, I signed up just to use Fantastico, which they claim they offer on their site. I have a paid site elsewhere, but they won't let me install Wordpress, so I thought I'd save $$ and do it on this 000webhost...Well once I signed up and tried to use Fantastico they informed me that the "autoinstaller" was being "upgraded". I then told them they were FOS, that Fantastico was 3rd party software and THEY CAN'T upgrade it. They just replied again that it was broken-so I told them to cancel my account. I am reporting them to Google-hope you all did the same.

  16. Anonymous 6:14 PM

    000webhost are awful, they cancelled my account and just told me I didn't adhere to the T&C when I did.

  17. steve 4:40 PM

    000webhost no longer make you run ip_confirm.exe

    BUT i can confirm that their affiliate scheme is a scam, ie, you never get paid.

    pity they persist with these deceptive ways, as otherwise the webhost is good, particularly considering the price!

  18. I was burned by 000webhost too.
    I have posted a detailed description of my experience with them: here
    These people are unbelievable. If you read their ads, they make themselves look like the best host around, feature-wise at least. But as soon as you subscribe, you realize that it is all a lie. Nothing they promise you works as advertised, and if you try to complain, they will just say oh well, what did you expect for free...
    Backups do not work, even ftp does not. So, you cannot get anything out of the website. If it is collecting any kind of data from the users, you will never be able to get it.
    If your traffic is too low, they cancel your account for inactivity. If it is too high (well, "high" being like 100 hits per day), they'll claim that it strains their servers, and still cancel it.
    And when they cancel it, they will right away destroy all the data, even in the backups (which I doubt they even make actually), and you won't be able to get anything back from them. And if you ask them, you get the standard reply: "well ... what did you expect for free?".

  19. 000webhost.com seems to have slowed down on the malware. BUT their 404 error site (error.000webhost.com) contains banner ads, which one day I accidentally clicked and downloaded malware!!
    Lucky I yanked out my network connection before any harm was done and got Symantec to remove it.
    I contacted them to remove the ads. Then they changed the address to err.000webhost.com but the ads didn't stop!! So I urge everyone to stay away from them at all costs.
    If you want to take the plunge and use them anyway do so on a pc with good anti virus, Windows 7 or Vista and update your virus scanner every morning.
