Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Please treat the domain statisticsishere.com and measurehits.com with extreme caution

March 8th 2009 in Uncategorized

I received this email a short while ago:

We have been getting a lot of ads accessing scripts from this domain statisticsishere.com. So far there is no malware redirect or download, but this domain looks suspicious, having been created less than a week ago.

I have to agree that the domain is suspicious.

Before we get started, it is important that I remind you that the absence of suspicious behavior *at the moment* is of no comfort. The crooks behind malvertizing have been known to establish a relationship with potential victims by running one or more “clean” campaigns first, building a level of trust, before hitting those same victims with malvertizing.


Let’s look at the WHOIS information for statisticsishere.com:

ICANN Registrar: YESNIC CO. LTD.
Created: 5 March 2009
NS1.STATISTICSISHERE.COM – IP 116.50.15.1 (HostFresh)
NS2.STATISTICSISHERE.COM – IP 116.50.15.1 (HostFresh)
NS3.STATISTICSISHERE.COM – IP 89.149.226.121 (Netdirekt)

IP: 195.62.37.14 – Sardegna, Olbia, Geonic.net Ltd

Registrant:
Gabriel Jenks (gabrielcjenks17@mail.com)
3515 Cooks Mine Road
88101
US
Tel: 1 505-763-5453

First of all, HostFresh and Netdirekt have both been problematic in the past but, more importantly, the postcode (88101) and phone number (505-763-5453) map to Clovis, New Mexico. I cannot find a "Cooks Mine Road" in Clovis. Not only that, the phone number listed in the WHOIS is apparently owned by a Brian A Jones and Delinda K Jones, not a Gabriel Jenks.

Now, let’s look at the NS for the domain statisticsishere.com:

IP of NS1.STATISTICSISHERE.COM – 116.50.15.1
IP of NS2.STATISTICSISHERE.COM – 116.50.15.1

Hostnames sharing IP with A Records – you will see some very familiar domains…

mail.xxx-online.in
ns2.02sta.com
ns2.admediastats.com
ns2.onlinestatsmanager.com
ns2.promorotation.com
ns2.securityclick.net
ns2.st-athome.net
ns2.st-aticglobalsources.com
ns2.statisticsishere.com
ns2.themonitoring.net
ns2.traffic-analytics.com
ns2.waytotheprofit.com
www.xxx-online.in

Domains using NS1.STATISTICSISHERE.COM as nameserver: statisticsishere.com

Domains using NS1.STATISTICSISHERE.COM as nameserver under another name (again, you’re going to see some familiar names):

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Nameservers missing in zone:

ns1.statisticsishere.com
ns2.statisticsishere.com
ns3.statisticsishere.com

Used as nameserver but missing in zone: statisticsishere.com

*****

IP of NS3.STATISTICSISHERE.COM – 89.149.226.121

PTRS of IP numbers: 89-149-226-121.internetserviceteam.com

Hostnames sharing IP with A Records (again, lots of familiar names):

89-149-226-121.internetserviceteam.com
ns3.02sta.com
ns3.admediastats.com
ns3.promorotation.com
ns3.securityclick.net
ns3.st-athome.net
ns3.st-aticglobalsources.com
ns3.themonitoring.net
ns3.traffic-analytics.com
ns3.waytotheprofit.com

Domains using this as nameserver: statisticsishere.com

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Nameservers missing in zone:

ns1.statisticsishere.com
ns2.statisticsishere.com
ns3.statisticsishere.com

Used as nameserver but missing in zone: statisticsishere.com

*****

According to a Registrant search, “Gabriel Jenks” owns another domain, being measurehits.com, which should also be treated with extreme caution.

ICANN Registrar: YESNIC CO. LTD.
Created: 26 February 2009

NS1.MEASUREHITS.COM (116.50.15.1)
NS2.MEASUREHITS.COM (89.149.226.121)

IP: 212.117.165.128 – Luxembourg, Root Esolutions

Registrant:
Gabriel Jenks (gabrielcjenks17@mail.com)
3515 Cooks Mine Road
88101
US
Tel: 1 505-763-5453

Shares IP address with the following domains, all of which should be treated with extreme caution.

advertpanda.com, clickanalytic.com, extrabigad.com, greatad.net, securityclick.net, waytotheprofit.com, whoisadvert.com


NS1.MEASUREHITS.COM

Hostnames sharing IP with A-Records:

mail.xxx-online.in
ns1.statisticsishere.com
ns2.02sta.com
ns2.admediastats.com
ns2.onlinestatsmanager.com
ns2.promorotation.com
ns2.securityclick.net
ns2.st-athome.net
ns2.st-aticglobalsources.com
ns2.statisticsishere.com
ns2.themonitoring.net
ns2.traffic-analytics.com
ns2.waytotheprofit.com
www.xxx-online.in

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com


NS2.MEASUREHITS.COM

PTRS of IP numbers – 89-149-226-121.internetserviceteam.com

Hostnames sharing IP with A-Records:

89-149-226-121.internetserviceteam.com
ns3.02sta.com
ns3.admediastats.com
ns3.promorotation.com
ns3.securityclick.net
ns3.st-athome.net
ns3.st-aticglobalsources.com
ns3.statisticsishere.com
ns3.themonitoring.net
ns3.traffic-analytics.com
ns3.waytotheprofit.com

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com
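To show how the pivots above chain together, here is an added example (my own script, not the blog author's or any tool's output) that encodes the nameserver IPs, hosting IP and registrant e-mail from this post as observations and clusters the domains by shared infrastructure. The observation list is transcribed from the lists above and is not exhaustive; the attribute names (ns_ip, host_ip, registrant) are my own labels.

```python
from collections import defaultdict
from datetime import date

# Pivot observations transcribed from the post above as (domain, attribute, value).
# ns_ip: IP of one of the domain's nameservers; host_ip: the domain's own A record;
# registrant: WHOIS contact e-mail. Only domains the post names are included.
NS_116 = ["statisticsishere.com", "measurehits.com", "02sta.com", "admediastats.com",
          "onlinestatsmanager.com", "promorotation.com", "securityclick.net",
          "st-athome.net", "st-aticglobalsources.com", "themonitoring.net",
          "traffic-analytics.com", "waytotheprofit.com"]
NS_89 = [d for d in NS_116 if d != "onlinestatsmanager.com"]  # no ns3 listed for it
HOST_212 = ["measurehits.com", "advertpanda.com", "clickanalytic.com", "extrabigad.com",
            "greatad.net", "securityclick.net", "waytotheprofit.com", "whoisadvert.com"]
OBSERVATIONS = (
    [(d, "ns_ip", "116.50.15.1") for d in NS_116]
    + [(d, "ns_ip", "89.149.226.121") for d in NS_89]
    + [(d, "host_ip", "212.117.165.128") for d in HOST_212]
    + [("statisticsishere.com", "host_ip", "195.62.37.14"),
       ("statisticsishere.com", "registrant", "gabrielcjenks17@mail.com"),
       ("measurehits.com", "registrant", "gabrielcjenks17@mail.com")]
)

def cluster(observations):
    """Union-find over domains and pivot values; returns sorted domain groups."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for domain, attr, value in observations:
        parent[find(domain)] = find((attr, value))  # link domain to its pivot node
    groups = defaultdict(set)
    for domain, _, _ in observations:
        groups[find(domain)].add(domain)
    return sorted(sorted(g) for g in groups.values())

def shared_pivots(observations, a, b):
    """Attribute/value pairs that directly link domains a and b."""
    pa = {(t, v) for d, t, v in observations if d == a}
    pb = {(t, v) for d, t, v in observations if d == b}
    return sorted(pa & pb)

def days_old(created, seen):
    """Domain age in days at observation time (statisticsishere.com: 3 days)."""
    return (date.fromisoformat(seen) - date.fromisoformat(created)).days

if __name__ == "__main__":
    print(cluster(OBSERVATIONS))
    print(days_old("2009-03-05", "2009-03-08"), "days old at first sighting")
```

Every domain named in the post lands in a single component, which is the point of the exercise: a brand-new domain is not judged on its own behaviour but on the company it keeps.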
