Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

mayoclinic.com hit by malicious banner advert?

January 30th 2008

This incident was reported via a comment on this blog. We have not found the malicious advertisement yet, but we can tell you that victims who are caught by the hijack when visiting mayoclinic.com end up being redirected to:

quinquecahue.com/swf/gnida.swf?campaign=fabulistor&u=1200910285

We can also tell you that this particular campaign (fabulistor) is coded to NOT trigger when the victim’s computer falls within […]


A couple more malicious banner advertisements…

January 29th 2008

The bad guys are certainly expanding their stable of advertisements. Both lead victims to malicious quinquecahue.com URLs.  More later…   


expedia.com hit by malicious banner advertisement?

January 28th 2008

Expedia.com has been infiltrated by a malicious banner advertisement – a new one that I have not seen before.

Victim site: Expedia.com (216.251.114.10)
SWF host: media.expedia.com
SWF Source:
Target fraudware domain: scanner2.malware-scan.com
Banned cities, countries and IPs:
199.3.0.0-199.3.255.255
216.251.0.0-216.251.255.255
172.30.0.0-172.30.25.255 (note: expedia.com’s IP is banned)
IN, IL, UK, AU, FR, IT, CN, JP, DE, ES, MX, AE
colorado, […]


rhapsody.com hit by malicious banner advertisement

January 28th 2008

rhapsody.com has been hit by a malicious banner advertisement – rhapsody.com is owned by RealNetworks.

Victim site: rhapsody.com (207.188.21.32)
SWF host: RealOne / Doubleclick
SWF Source:
Target fraudware domain: scanner2.malware-scan.com
Banned cities, countries and IPs:
207.188.0.0-207.188.255.255 (note this IP range captures rhapsody.com)
newjersey, newyork, california, washington, virginia
paris, aarhus, velizycedex, jarrestr, amsterdam, rotterdam, zaanstad, koogaandezaan, […]


akamahi, newbieadguide, thetechnorati and vozemiliogaranon move on again

January 24th 2008

The malware domains we have been featuring have moved on again – they are no longer hosted by Denit Internet Services, Amsterdam. But it looks, this time, like the bad guys need a break from moving to host to host to host.

akamahi.net (190.15.64.185) (securehost.com)
newbieadguide.com (190.15.64.188) (securehost.com)
thetechnorati.com (190.15.64.191) (securehost.com)
vozemiliogaranon.com (190.15.64.192) (securehost.com)

Now remember, there […]


This is too easy…..

January 24th 2008

IP 83.149.75.50 detected as subscribing one of my email addresses to a mailing list without permission. Reduce it down to 83.149.75… do a Google search.. and what do we find?

Connections with malware…. “malwarewipe.com”????

http://board.protecus.de/t25767.htm

“http://malwarewipe.com/images/blue-gray-stripe.gif – deleted
http://83.149.75.51/count/l.php?pl=Win32&ce=true&id=rrd – deleted
http://www.surveyswages.com/img/laptop9.gif – deleted

http://dl.web-nexus.net/exclurls.php

“83.149.75.” is a blocked IP. Coincidence? What’s cool is that I have […]


Oooh, look, an IP address…..

January 24th 2008

Keep ‘em coming friend.  *Everything* is traceable eventually. 83.149.75.50 = LeaseWeb AS Amsterdam, Netherlands…. why am I not surprised?  The Netherlands has popped up several times in my recent articles about malware domains….


Somebody is having fun…

January 24th 2008

I admit, when I saw the following emails come in I assumed it was the typical “infected computer spewing out emails using me as a reply to” that we are all used to, and delete as a matter of course, until I saw the one from rollins.edu. That seems to be the result of an […]


Unable to uninstall IE7 if Service Pack 2 is installed later on Windows Server 2003

January 24th 2008

In order to uninstall Internet Explorer 7 from this system, you can follow the steps below:

1. Uninstall Service Pack 2 for Windows Server 2003 and restart the computer.
2. Uninstall Internet Explorer 7.0 and restart the computer.
3. Reinstall Service Pack 2 for Windows Server 2003.

http://support.microsoft.com/default.aspx/kb/948093


Nice publicity for Spyware Sucks

January 24th 2008

Spyware Sucks was linked to by the MCPM (Microsoft Certified Professional Magazine) and the “Redmond Security Watch” email newsletter:

http://mcpmag.com/columns/columnist.asp?columnistsid=16

“ESPN Sports Bad Code

ESPN’s Soccernet site hosted a malicious advertisement that, ultimately, led to PerformanceOptimizer.com, which in turn displayed numerous popups alleging problems with the victim’s system and offering a solution. Yep — ad networks […]
