uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0

badware #8630

Closed JobcenterTycoon closed 3 years ago

JobcenterTycoon commented 3 years ago

Prerequisites

URL(s) where the issue occurs

http://mediazlez.pp.ua/d/nEDt2mkU17 Click on the yellow button; it redirects to badware crap.

Describe the issue

badware. Virustotal scan: https://www.virustotal.com/gui/file/afa45ed317b277c3a16b4f47c48c20a370089b8187d9cdcadfcea1baf9933a03/detection

Screenshot(s)

Versions

default + uBlock Annoyances

Notes

possible fix:

||puzzceworkdistkebur.tk^$all

JobcenterTycoon commented 3 years ago

Same redirect: http://failsame.ru/file/7b289e

possible fix:
||suzamense.com^$all
||sevenonex.space^$all

JobcenterTycoon commented 3 years ago

Ok, I see they change the domain really quickly ...

||recangedesna.ml^$all
||newfind.cloudns.cl^$all

is not persistent ... but a regex or generic filter to hide the download button looks very risky. But it looks like the domains mediazlez.pp.ua, walhalagame.fun and walhalagames.pw are a longer thing, so it's possible to block this.

okiehsch commented 3 years ago

So you want me to completely block walhalagame.fun? They use mediazlez.pp.ua and walhalagames.pw to download all of their scripts, hacks and cracks. Blocking all three seems like overkill to me. How about I add ||walhalagame.fun^$doc? That way the user can decide if he wants to continue after the warning or not.

JobcenterTycoon commented 3 years ago

I tried different downloads, but every one redirects to the same badware links listed above (mediazlez.pp.ua and walhalagames.pw redirect to it after clicking on download). mediazlez.pp.ua says the file is clean, but when I check the file it's not clean.

Cheating software for big games like Fortnite is very expensive because they use a good anticheat, so why are so many cheats for so many games free on this site?

||walhalagame.fun^$doc is a good filter when blocking all three is overkill

okiehsch commented 3 years ago

Malware-free publicly downloadable cheats, hacks and cracks are rather rare imo. 😉

JobcenterTycoon commented 3 years ago

Already changed ... I underestimated the amount of spam and the huge amount of domains

||caumammilodorf.cf^$all

okiehsch commented 3 years ago

Shouldn't the blocking/warning when visiting walhalagame.fun be good enough? Is there a way to get to caumammilodorf.cf without visiting walhalagame.fun first?

We will rival some dedicated malware lists in size if we start blocking every random domain.
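The trade-off raised in the comments above (one `$doc` filter on the entry site versus a new `$all` filter for every rotating redirect target), as an added example that is not part of the original thread and not uBlock Origin's own code. It is a simplified model that handles only `||host^$all` and `||host^$doc` filters; the function names are hypothetical and the `.example` hostnames are constructed.

```python
from urllib.parse import urlsplit

SUPPORTED = {"all", "doc", "document"}  # the only options this simplified model handles

def parse_filters(text):
    """Split whitespace-separated `||host^$option` filters into (host, option) pairs."""
    rules = []
    for token in text.split():
        if not token.startswith("||") or "^$" not in token:
            continue  # anything else is outside this model
        host, option = token[2:].split("^$", 1)
        if option in SUPPORTED:
            rules.append((host.lower(), option))
    return rules

def matches(rule, url, is_navigation):
    """True if the rule applies to a request for url."""
    host, option = rule
    hostname = (urlsplit(url).hostname or "").lower()
    # `||host^` anchors at a label boundary: the host itself or any subdomain
    if hostname != host and not hostname.endswith("." + host):
        return False
    # `$doc` covers only top-level document loads; `$all` covers every request type
    return is_navigation if option in ("doc", "document") else True

def first_blocked_hop(chain, rules):
    """Index and rule host of the first navigation in chain that a rule stops, else None."""
    for index, url in enumerate(chain):
        for rule in rules:
            if matches(rule, url, is_navigation=True):
                return index, rule[0]
    return None

# Constructed redirect chains: stable entry site, stable redirector, rotating final host.
CHAIN_DAY1 = ["http://landing.example/cheat", "http://redirector.example/d/abc",
              "http://payload-a.example/setup.zip"]
CHAIN_DAY2 = CHAIN_DAY1[:2] + ["http://payload-b.example/setup.zip"]

PER_TARGET = parse_filters("||payload-a.example^$all")
ENTRY_SITE = parse_filters("||landing.example^$doc")

if __name__ == "__main__":
    for name, chain in (("day 1", CHAIN_DAY1), ("day 2", CHAIN_DAY2)):
        print(name, "per-target:", first_blocked_hop(chain, PER_TARGET),
              "entry-site:", first_blocked_hop(chain, ENTRY_SITE))
```

A chain that begins at the redirector (`CHAIN_DAY2[1:]`) is stopped by neither rule set, which is the case the question in the comment above is asking about.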

JobcenterTycoon commented 3 years ago

Yes, it looks like the site mediazlez.pp.ua just redirects to these crap random domains. Second example: http://mediazlez.pp.ua/d/azgxfgvA9b

I searched but I can't find any legitimate link (all links just redirect to the same). On the site there is no contact, no data protection, nothing is clickable except the download button. The site says "Without viruses" but it's a lie ... hmmm, better to block this?

But the site mediazlez.pp.ua is often linked, so it's effective to block this. I just saw these 3 domains walhalagame.fun, walhalagames.pw and mediazlez.pp.ua, so it's not random.

JobcenterTycoon commented 3 years ago

I have more very suspect domains (stable - exist over multiple weeks).

https://zhirhacks.pro/fortnite or https://zhirhacks.pro/csgo or https://zhirhacks.pro/overwatch redirect to mega.nz sites with malware downloads. I already reported many domains to mega.nz but they get nearly every day a new mega.nz domain. They protect the zip with a password to avoid antivirus detection and put the password (simple passwords like 1234 or 1111) under the download link.

https://nemosiau.icu/wCKsn5 same as above ... this site has no main site (it just redirects to google), so it looks like they just use the domain to redirect to malware crap

https://fortniteswapper.fun links to malware downloads. First they used mega.nz but now they use another file hoster without fast malware file deletion

http://injectx.online/ redirector

https://app-inject.com/ just redirects to ads and scam (the complete spectrum ... fake captchas, fake giveaways, hundreds of redirects, ...)

okiehsch commented 3 years ago

http://injectx.online redirector

If it is ad related that can be added to EasyList. @ryanbr

Eh, I misunderstood, it redirects to app-inject.com.

JobcenterTycoon commented 3 years ago

I have one more domain: http://www.supra.dns-cloud.net

JobcenterTycoon commented 3 years ago

I have one more domain: tophacks.pro example: https://tophacks.pro/fortnite

nemosiau.icu is dead and can be removed

JobcenterTycoon commented 3 years ago

Hello, I have new data:

puzzceworkdistkebur.tk is dead and can be removed.

loufile.ru is bad and stable and can be added (example coming from: https://bit-ly.ru/BvjvC)