Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: New malvertizement featuring Bausch & Lomb Softlens contact lenses

March 11th 2009 in Uncategorized

image

I have seen multiple, visually identical versions of the malvertizement shown above, one of which has revealed a new name and domains. Please be on the look-out.

One sample that I received today is effectively neutralized because the malvertizement hits the domains of-ficialstat.com and securityclick.net, neither of which is resolving.

securityclick.net is a "Serg Moons" domain, which is currently "on hold" (aka locked) :o) The domain is no longer resolving, but its last IP address was 212.117.165.128.

212.117.165.128 currently hosts two well known domains, measurehits.com and waytotheprofit.com. waytotheprofit.com has been mentioned more times on this blog than I care to remember. measurehits.com (listed as owned by a Gabriel Jenks) was mentioned on this blog just the other day, here:
http://msmvps.com/blogs/spywaresucks/archive/2009/03/09/1676761.aspx

of-ficialstat.com is also "on hold", and is listed as owned by a "Sergey Belonozhko" (sergbelo@gmail.com). The domain is no longer resolving, but its last IP was 79.135.187.73.

*********************************************************************************************

The next sample I examined hits the following domains – cosmotraf.net and pleaselinkmeto.com – two domains that I have not encountered before. This campaign is live.

Once the redirect is triggered we hit a URL at traff-direct.com. We are then redirected to go-uniq.com before we hit the fraudware domains removespywarethreats.com, desktoprepairpage.com or pcantimalwaresolution.com.

cosmotraf.net
ICANN Registrar: Communigal Communications Ltd
Created 5 March 2009
IP: 88.198.8.15 – Bayern – Gunzenhausen – Hetzner-rz-nbg-net

Hostnames sharing IP with A Records:

download.pcprivacycleaner.com
download.powerfulvirusremover2008.com
static.88-198-8-15.clients.your-server.de
sw.effectiveload.com
ydmstats.com

WHOIS information – how unhelpful of Communigal:

Domain Contact is Private
Address is private
Private
00000
972 9999999
972 9999999

pleaselinkmeto.com
ICANN Registrar: Communigal Communications Ltd
Created 5 March 2009
IP: 58.65.237.43 – Hong Kong (sar) – Hostfresh

WHOIS information – how unhelpful of Communigal:

Domain Contact is Private
Address is private
Private
00000
972 9999999
972 9999999

traff-direct.com
ICANN Registrar: YESNIC CO. LTD.
Created 16 February 2009

NS1.TRAFF-DIRECT.COM
NS2.TRAFF-DIRECT.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM

IP: 78.129.158.69 – United Kingdom – Eukhost Ltd

Registrant:
Preston Wasson
wassonpreston@email.com
4532 Dancing Dove Lane
10011
US
347 526 4950

Note: "Preston Wasson" is also the Registrant of comondns.com above.  "Preston Wasson" owns about 19 domains.

The address apparently does not exist, and the phone number is associated with an address in White Plains, NY.


Just out of interest, let’s take a look at the NS*.COMONDNS.COM – all discovered domains should, of course, be treated with extreme caution.

NS1.COMONDNS.COM – hostnames sharing IP with A records:

a.dnstut.com
ns1.go-uniq.com
ns1.removespywarethreats.com
ns1.thesurfdigest.com
ns2.comondns.com
ns2.dnstut.com
ns2.go-uniq.com
ns2.removespywarethreats.com

Domains using this name server under another name:

comondns.com
desktoprepairpackage.com
dnserror.org
fuckteencunt.com
go-uniq.com
mainfeedhere.com
pcantimalwaresolution.com
removespywarethreats.com
search-lasslorn.com
search-unassuetude.com

NS1.COMONDNS.COM – hostnames sharing IP with A records:

a.dnstut.com
ns1.comondns.com
ns1.go-uniq.com
ns1.removespywarethreats.com
ns1.thesurfdigest.com
ns2.dnstut.com
ns2.go-uniq.com
ns2.removespywarethreats.com

Domains using this nameserver under another name:

comondns.com
desktoprepairpackage.com
dnserror.org
find-allnot.com
fuckteencunt.com
mainfeedhere.com
pcantimalwaresolution.com
removespywarethreats.com
search-lasslorn.com
search-unassuetude.com

NS3.COMONDNS.COM – domains using this as a name server:

comondns.com
desktoprepairpackage.com
go-uniq.com
pcantimalwaresolution.com

NS4.COMONDNS.COM – domains using this as name server:

comondns.com
desktoprepairpackage.com
go-uniq.com
pcantimalwaresolution.com

go-uniq.com
ICANN Registrar: YESNIC CO. LTD.
Created 16 February 2009

NS1.GO-UNIQ.COM
NS2.GO-UNIQ.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM

IP: 72.55.153.155 – Quebec – Iweb Dedicated Cl

Registrant:
Preston Wasson
wassonpreston@email.com
4532 Dancing Dove Lane
10011
US
347 526 4950

removespywarethreats.com
ICANN Registrar: YESNIC CO. LTD
Created 24 February 2009

NS1.COMONDNS.COM
NS2.COMONDNS.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM

IP: 78.46.90.230 – Bayern – Gunzenhausen – Hetzner

Shares IP with billgroups.com, cleanerpcsolution.com, desktoprepairpackage.com, pcantimalwaresolution.com, pcsolutionshelp.com and removespywarethreats.com

Registrant:
Preston Wasson
wassonpreston@email.com
4532 Dancing Dove Lane
10011
US
347 526 4950

desktoprepairpage.com
ICANN Registrar: YESNIC CO. LTD.
Created 24 February 2009

NS1.COMONDNS.COM
NS2.COMONDNS.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM

IP: 78.46.90.230 – Bayern – Gunzenhausen – Hetzner

Registrant:
Preston Wasson
wassonpreston@email.com
4532 Dancing Dove Lane
10011
US
347 526 4950

pcantimalwaresolution.com
ICANN Registrar: YESNIC CO. LTD.
Created 24 February 2009

NS1.COMONDNS.COM
NS2.COMONDNS.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM

IP: 78.46.90.230 – Bayern – Gunzenhausen – Hetzner

Registrant:
Preston Wasson
wassonpreston@email.com
4532 Dancing Dove Lane
10011
US
347 526 4950

*********************************************************************************************

A third sample hits the following domains – googlesearchingweb.net and clickanalytic.com.

googlesearchingweb.net
ICANN Registrar: DIRECTI
Created 6 February 2009

IP: Suspended domain

Historical IP: 79.135.187.62 – Turkey – Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti

Other suspicious sites in the same IP range include officialstat.net, statgroup.net, st-atetstr.com, staticglobalsources.net, station-appraisals.com, st-athisranch.net, s-tatetstr.com and of-ficialstat.net

WHOIS: Hidden behind privacyprotect.org (as far as I am concerned, once a domain has been suspended it should lose the protection of privacyprotect.org)

clickanalytic.com
ICANN Registrar: DIRECTI
Created 6 February 2009

IP: Suspended domain

Historical IP: 79.135.187.83 (Turkey – Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti) then 212.117.165.128 (Luxembourg – Root Esolutions)

As noted earlier, 212.117.165.128 is the IP of measurehits.com and waytotheprofit.com.

WHOIS: Hidden behind privacyprotect.org (again, as far as I am concerned, once a domain has been suspended it should lose the protection of privacyprotect.org)
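The pivoting done by hand throughout this post (shared IP, shared nameservers, shared registrant e-mail, the same 79.135.187.x range) can be run as a small script, so that a blocklist grows from one known-bad seed instead of one lookup at a time. The following is an added example, not code from this blog: the records are constructed from the domains, IPs, nameservers, registrant e-mails and creation dates listed above (where the page gives none, the field is None), and the sample redirect chain is constructed from the hops described for the second sample. The walk is generic, so it also reaches domains the post only mentions in passing (clickanalytic.com via its last historical IP, googlesearchingweb.net via the /24 shared with of-ficialstat.com).

```python
"""Infrastructure pivoting over the domains listed in this post.

Added example, not code from the Spyware Sucks blog. RECORDS and SAMPLE_CHAIN are
constructed from the data the post lists; nothing here does a live lookup.
"""
from collections import defaultdict, deque
from datetime import date
from ipaddress import ip_network
from urllib.parse import urlsplit

POST_DATE = date(2009, 3, 11)  # observation date: the date of the post
COMONDNS = ("ns1.comondns.com", "ns2.comondns.com", "ns3.comondns.com", "ns4.comondns.com")
WASSON = "wassonpreston@email.com"  # registrant e-mail shared by the YESNIC domains

# domain -> last known IP, nameservers, registrant e-mail, creation date (None = not on the page)
RECORDS = {
    "cosmotraf.net":             dict(ip="88.198.8.15",     ns=(), reg=None, created=date(2009, 3, 5)),
    "pleaselinkmeto.com":        dict(ip="58.65.237.43",    ns=(), reg=None, created=date(2009, 3, 5)),
    "traff-direct.com":          dict(ip="78.129.158.69",   ns=("ns1.traff-direct.com", "ns2.traff-direct.com") + COMONDNS[2:], reg=WASSON, created=date(2009, 2, 16)),
    "go-uniq.com":               dict(ip="72.55.153.155",   ns=("ns1.go-uniq.com", "ns2.go-uniq.com") + COMONDNS[2:], reg=WASSON, created=date(2009, 2, 16)),
    "removespywarethreats.com":  dict(ip="78.46.90.230",    ns=COMONDNS, reg=WASSON, created=date(2009, 2, 24)),
    "desktoprepairpage.com":     dict(ip="78.46.90.230",    ns=COMONDNS, reg=WASSON, created=date(2009, 2, 24)),
    "pcantimalwaresolution.com": dict(ip="78.46.90.230",    ns=COMONDNS, reg=WASSON, created=date(2009, 2, 24)),
    "securityclick.net":         dict(ip="212.117.165.128", ns=(), reg=None, created=None),  # last IP; no longer resolving
    "measurehits.com":           dict(ip="212.117.165.128", ns=(), reg=None, created=None),
    "waytotheprofit.com":        dict(ip="212.117.165.128", ns=(), reg=None, created=None),
    "clickanalytic.com":         dict(ip="212.117.165.128", ns=(), reg=None, created=date(2009, 2, 6)),  # suspended; last historical IP
    "of-ficialstat.com":         dict(ip="79.135.187.73",   ns=(), reg=None, created=None),  # on hold; last IP
    "googlesearchingweb.net":    dict(ip="79.135.187.62",   ns=(), reg=None, created=date(2009, 2, 6)),  # suspended; historical IP
}


def attributes(rec):
    """The pivotable attributes of one record: exact IP, its /24, each nameserver, registrant e-mail."""
    keys = []
    if rec["ip"]:
        keys.append(("ip", rec["ip"]))
        keys.append(("net", str(ip_network(rec["ip"] + "/24", strict=False))))  # same hosting range
    keys += [("ns", ns.lower()) for ns in rec["ns"]]
    if rec["reg"]:
        keys.append(("reg", rec["reg"].lower()))
    return keys


def build_index(records):
    """Invert the records so each shared attribute maps to the set of domains carrying it."""
    index = defaultdict(set)
    for domain, rec in records.items():
        for key in attributes(rec):
            index[key].add(domain)
    return index


def pivot(seed, records, max_hops=2):
    """Breadth-first walk from a known-bad seed across shared attributes.

    Returns {domain: (hops, linking attribute)}; the seed itself sits at hop 0.
    The /24 link is the weakest pivot and is kept only because the post itself treats
    the 79.135.187.x range as suspicious; hits reached only that way deserve a manual look.
    """
    index = build_index(records)
    found = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        hops = found[current][0]
        if hops >= max_hops:
            continue
        for key in attributes(records[current]):
            for neighbour in sorted(index[key]):
                if neighbour not in found:
                    found[neighbour] = (hops + 1, key)
                    queue.append(neighbour)
    return found


def young_domains(records, observed=POST_DATE, max_age_days=30):
    """Domains registered within max_age_days of the observation; every dated domain in
    the second sample was registered days or weeks before it went live."""
    return sorted(d for d, r in records.items()
                  if r["created"] and 0 <= (observed - r["created"]).days <= max_age_days)


def first_blocked_hop(chain, blocked):
    """Index and host of the first URL in an observed redirect chain whose host is a blocked
    domain (or a subdomain of one); None if the chain would pass a blocklist untouched."""
    for i, url in enumerate(chain):
        host = (urlsplit(url).hostname or "").lower()
        if host in blocked or any(host.endswith("." + b) for b in blocked):
            return i, host
    return None


# Constructed from the second sample's hops: ad domain -> traff-direct -> go-uniq -> fraudware.
SAMPLE_CHAIN = ["http://cosmotraf.net/", "http://traff-direct.com/", "http://go-uniq.com/",
                "http://removespywarethreats.com/"]

if __name__ == "__main__":
    cluster = pivot("traff-direct.com", RECORDS)
    for domain, (hops, via) in sorted(cluster.items(), key=lambda kv: kv[1][0]):
        print(f"{hops}  {domain:28} via {via}")
    print("registered in the last week:", young_domains(RECORDS, max_age_days=7))
    print("chain cut at:", first_blocked_hop(SAMPLE_CHAIN, set(cluster)))
```

Seeding with traff-direct.com reaches the whole comondns/"Preston Wasson" cluster but not cosmotraf.net or pleaselinkmeto.com, which share nothing with it except a registrar: a blocklist built from the earlier campaign still cuts the chain at hop 1, but the fresh entry domains only show up through the registration-age check, which is why the post records creation dates alongside the IPs.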

