Little Snitch just caught Parallels attempting to connect to ftp1.parallelz.com. I've manually verified that it is indeed Parallels' update feature by forcing an update check and having Little Snitch catch the event again. I did both a forward and reverse host for both domains, as well as a dig at their nameservers. I also checked both whois records of parallels.com and parallelz.com, and although the registrant address is different (one in Russia, one in Virginia), everything else matches. My question is: Why would you set your update host to be one of your domain aliases, rather than a duplicate of your online presence? While useful for redirecting people to the proper spelling online—indeed, this is exactly what typing parallelz.com in a browser does—use of it in an official update capacity engenders wariness and the sense that somehow, someone is trying to fool you, like your Parallels machine has been infected or has a backdoor. It's like getting a software update popup that says appel.com instead of apple.com.
The connection uses http protocol and is a request for updater.ini. It contains basic information in standard ini file format:

    [UpdatesList]
    NameList=UpdMac01,UpdWin01,UpdLin01

    [UpdMac01]
    Platform=mac
    FileName=http://download.parallels.com/GA/Parallels-Desktop-1970-Mac-en.dmg
    InfoShort=Parallels Desktop for Mac Official Update (build 1970)
    InfoLong=The Official Update for Parallels Desktop for Mac. Do not forget to reinstall Parallels Tools in your guest Windows OS after upgrading.
    Version=2.2.1970
    Size=30.0 MB

The server is in the US and is hosted by Carpathiahost.com in Virginia. Carpathiahost has a lot of big name customers. Parallels is owned by SWSoft and there's no shortage of Russians involved, and I also don't think that matters at all. They are located in the Seattle area and Seattle has a large Russian population. They have been grinding out code here for years and years. Great people, hard workers, a bit on the quiet side, and they have strange tales of the Russian Far East. At one time I worked with so many I decided to learn the Russian language just to make things easier on everyone - I don't know that I succeeded, but it was a fun exercise. Parallels have a great product and are working hard to win this market so I doubt they'd do anything with this connection that is so obvious and that would totally screw up their reputation. I will admit it would be nice if they were a bit stronger in documenting their product.
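The two things a user in this thread would want checked automatically are visible in the manifest above: whether each download URL uses TLS, and whether its host is the vendor's real domain or merely a look-alike such as parallelz.com. The following is an added example written for this thread, not Parallels' or Little Snitch's code. It parses an updater.ini in the format shown (the sample text is constructed from the fields quoted above), pulls out each update's FileName URL, and reports entries served over plain http, hosted somewhere other than an assumed list of expected vendor hosts, or hosted on a domain that closely resembles the vendor domain without being it.

```python
"""Audit a Parallels-style updater.ini manifest (added example, not vendor code).

Flags update entries whose download URL is fetched without TLS, points at a host
outside an expected list, or sits on a domain that merely looks like the vendor's.
"""
import configparser
import difflib
from urllib.parse import urlsplit

# Sample manifest, constructed from the fields quoted in the thread.
SAMPLE_UPDATER_INI = """\
[UpdatesList]
NameList=UpdMac01,UpdWin01,UpdLin01

[UpdMac01]
Platform=mac
FileName=http://download.parallels.com/GA/Parallels-Desktop-1970-Mac-en.dmg
InfoShort=Parallels Desktop for Mac Official Update (build 1970)
InfoLong=The Official Update for Parallels Desktop for Mac.
Version=2.2.1970
Size=30.0 MB
"""

# Assumption for this example: the hosts a user has decided to trust for this vendor.
VENDOR_DOMAIN = "parallels.com"
EXPECTED_HOSTS = {"parallels.com", "download.parallels.com"}


def parse_updates(ini_text):
    """Return one dict per update section named in [UpdatesList] NameList."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    names = [n.strip() for n in cp["UpdatesList"]["NameList"].split(",") if n.strip()]
    entries = []
    for name in names:
        if not cp.has_section(name):
            continue  # listed in NameList but never defined; nothing to audit
        sec = cp[name]
        entries.append({
            "name": name,
            "platform": sec.get("Platform", ""),
            "url": sec.get("FileName", ""),
            "version": sec.get("Version", ""),
        })
    return entries


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain (enough here)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike(host, vendor_domain=VENDOR_DOMAIN, threshold=0.85):
    """True when the host's domain resembles the vendor domain without being it."""
    base = registrable(host)
    if base == vendor_domain:
        return False
    return difflib.SequenceMatcher(None, base, vendor_domain).ratio() >= threshold


def audit_entry(entry, expected_hosts=EXPECTED_HOSTS):
    """Return a list of findings for one entry; an empty list means nothing odd."""
    findings = []
    parts = urlsplit(entry["url"])
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append(f"{entry['name']}: fetched over {parts.scheme or 'no scheme'}, not https")
    if host not in expected_hosts:
        findings.append(f"{entry['name']}: host {host!r} is not an expected vendor host")
    if lookalike(host):
        findings.append(f"{entry['name']}: {registrable(host)!r} resembles {VENDOR_DOMAIN!r}")
    return findings


def audit_manifest(ini_text):
    """Map each update name to its findings."""
    return {e["name"]: audit_entry(e) for e in parse_updates(ini_text)}


if __name__ == "__main__":
    for name, findings in audit_manifest(SAMPLE_UPDATER_INI).items():
        print(name, "->", findings or "ok")
```

Run against the sample, the only finding is that the .dmg is fetched over plain http; the manifest host itself (ftp1.parallelz.com) would trip both the expected-host and look-alike checks if it appeared as a FileName, which is exactly the signal that made the original poster uneasy.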
That's not quite the point, as I don't actually care about who writes my software, merely that Parallels makes a connection that would be interpreted by novice users as a spoof attempt. My concern is minor, to be sure, but a new user might not be getting the updates they need because they hit "block" on their firewall when they encounter a similar-to-parallels.com-but-not-quite-so-it-seems-fishy website pop-up request. Without the know-how to check the hosts, compare the whois records, and pull up the reverse host info from a third-party name server, a novice could easily think there's a backdoor or trojan within their Windows install, or within Parallels itself.
I agree - and suggested the documentation could be a bit better. The rest was just background for other readers of this thread.