Directi and EstDomains continue to suspend thousands of malware sites

I have been keeping a close watch on the number of suspended sites in the MVPS HOSTS file … rescanning every day lately and removing the sites that no longer return a valid DNS … the number is huge yet again …
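The daily rescan described above, as an added example (not the MVPS project's own tooling): it reads hosts-file text, resolves each blocked name, and separates entries that still resolve from those that no longer do. The sample hosts text and the `.test` domain names are constructed placeholders, not entries from the real file; the `resolves` parameter is a hypothetical hook so the check can be run offline with a fake resolver.

```python
import socket
import sys
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample in MVPS-style hosts format (0.0.0.0 sink address).
# The names are placeholders, not entries from the real hosts file.
SAMPLE_HOSTS = """\
# Comment lines and blanks are preserved untouched
0.0.0.0 blocked-example-a.test
0.0.0.0 blocked-example-b.test  # inline comment
127.0.0.1 localhost

0.0.0.0 blocked-example-c.test
"""


def dns_resolves(name: str) -> bool:
    """Real resolver: True if the name still has any address record."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def parse_entry(line: str) -> Optional[str]:
    """Return the hostname from a hosts-file entry, or None for comments/blanks."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    if len(parts) < 2:
        return None
    return parts[1].lower()


def prune_hosts(text: str,
                resolves: Callable[[str], bool] = dns_resolves,
                keep: Iterable[str] = ("localhost",)) -> Tuple[List[str], List[str]]:
    """Split hosts text into (kept_lines, dropped_names).

    Entries whose hostname no longer resolves are dropped; comments, blank
    lines and names listed in `keep` pass through unchanged. `resolves` is a
    hypothetical injection point so the logic can be tested without DNS.
    """
    keep = set(keep)
    kept, dropped = [], []
    for line in text.splitlines():
        name = parse_entry(line)
        if name is None or name in keep or resolves(name):
            kept.append(line)
        else:
            dropped.append(name)
    return kept, dropped


if __name__ == "__main__":
    # Usage: python prune_hosts.py [path-to-hosts]; defaults to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path, encoding="utf-8").read() if path else SAMPLE_HOSTS
    kept_lines, dropped_names = prune_hosts(source)
    sys.stdout.write("\n".join(kept_lines) + "\n")
    sys.stderr.write("dropped %d dead entries: %s\n"
                     % (len(dropped_names), ", ".join(dropped_names)))
```

A name that fails to resolve today can be re-registered tomorrow, so the dropped names are worth keeping in a separate list for periodic rechecking rather than being forgotten; and a suspended domain that has been parked or sinkholed still resolves, so it is correctly kept in the block list by this check.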

Strangely enough not all of these domains are related to EstDomains … but who’s complaining! Sounds like some of these other hosting services are getting nervous about their reputations or being exposed as associated with these cyber-criminals … folks I’ve been doing this (maintaining a hosts file) for over 10 years and this is the largest clearing of malware related sites in the history of the Internet!

Interestingly enough, Brian Krebs has another in his series of articles, “Fake Antispyware Purveyor Doubles as Domain Registrar”:

“Directi president Bhavin Turakhia said his company has disabled its registrant-anonymizing privacyprotect.org service for all Web site names registered through Klikdomains.com, which he said has sold roughly 100,000 Web site names through Directi during the past couple of years. Nearly half of those have been suspended due to abuse complaints, Turakhia said. More than 21,000 sites were suspended in the past 48 hours alone. Directi currently is investigating most of the remaining 50,000 domains registered through Klikdomains.com, Turakhia added.”

Imagine that! … those of us in the security field have long known of the antics of KlickDomains and their related domains … so I thought I’d show a few examples …

Notice how this site is designed to look like one of Microsoft’s pages … now is “petitmortfilms” really a search portal? … no, there are literally thousands of these types of sites with content and links provided by the KlickAdvertising Group …

Clicking on a few of the listed links … you can see how Klickadvertising routes their search through several IP addresses, sets a 3rd-party cookie (so they can get paid) and then sends you on to obviously malware-related sites … now the entry for “r.looksmart.com” is listed in the hosts file due to LookSmart’s dealings with Klickdomains. I’m not saying LookSmart is evil … but if you deal with scumbags, you’ll get blacklisted …

Speaking of blacklisted, both of those IP addresses are! Now here is another example …

Gee … does that page layout look familiar? … I’ve highlighted (in red) the next link I clicked … now imagine where that really takes you … yup, Klickdomains gets paid to redirect you to another malware site. In case that “virusremover.dll” doesn’t look familiar, I reported on it here.

If you look at the below output from Microsoft Fiddler … you can see the same IP addresses involved, etc. Not only that, the link I clicked, “spywarexp2008”, wasn’t even real … so you never know where you’ll end up … but you can bet it’s not good!
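The kind of redirect chain the Fiddler output shows, traced from a capture rather than by visiting anything live, as an added example that is not part of the original post. The capture below is constructed (placeholder hostname and documentation-range IP addresses standing in for the real hops); `trace_chain` follows the `Location` headers and flags cookies set by any host other than the one the click started on, which is what makes them 3rd-party.

```python
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed capture in the shape of exported Fiddler sessions:
# (request URL, response status, response headers). Hosts are placeholders.
CAPTURE = [
    ("http://search-portal.example/?q=spywarexp2008", 302,
     {"Location": "http://198.51.100.10/click?id=42"}),
    ("http://198.51.100.10/click?id=42", 302,
     {"Location": "http://203.0.113.7/track",
      "Set-Cookie": "aff=42; Path=/"}),
    ("http://203.0.113.7/track", 302,
     {"Location": "/landing", "Set-Cookie": "uid=abc; Path=/"}),
    ("http://203.0.113.7/landing", 200, {}),
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def cookie_name(set_cookie: str) -> str:
    """Extract the cookie name from a Set-Cookie header value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def trace_chain(capture, start_url: str, max_hops: int = 10
                ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Follow Location headers through a captured session list.

    Returns (hops, third_party_cookies): hops is the ordered list of hosts
    visited, third_party_cookies the (host, cookie name) pairs set by any
    host other than the one the user started on. Header names are matched
    case-insensitively since captures vary in casing.
    """
    by_url: Dict[str, Tuple[int, Dict[str, str]]] = {
        url: (status, {k.lower(): v for k, v in headers.items()})
        for url, status, headers in capture
    }
    origin = urlsplit(start_url).hostname
    hops, cookies = [], []
    url = start_url
    for _ in range(max_hops):
        if url not in by_url:
            break  # the capture does not contain this request
        status, headers = by_url[url]
        host = urlsplit(url).hostname
        hops.append(host)
        if "set-cookie" in headers and host != origin:
            cookies.append((host, cookie_name(headers["set-cookie"])))
        if status not in REDIRECT_STATUSES or "location" not in headers:
            break
        # Relative Location values are resolved against the current URL.
        url = urljoin(url, headers["location"])
    return hops, cookies


if __name__ == "__main__":
    visited, third_party = trace_chain(CAPTURE, CAPTURE[0][0])
    print("hops:", " -> ".join(visited))
    for host, name in third_party:
        print("3rd-party cookie %r set by %s" % (name, host))
```

Every distinct host in `hops` (here the two IP addresses) is a candidate for the hosts file or an IP blacklist, and the `third_party` list records which of them gets paid on the click; with a real Fiddler export the same function runs unchanged once the sessions are loaded into the `(url, status, headers)` shape.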

The download from “av-xp2008” is detected by Kaspersky as “Backdoor.Win32.Frauder.ee” and the site is maintained by the “Pandora-Software Group” (innovagest2000sl) … so not all the evil-doers are being suspended, but we’ll take all we can get!

2 Responses to “Directi and EstDomains continue to suspend thousands of malware sites”

  1. Mike,

    Please see this forum thread:
    http://www.malwarebytes.org/forums/index.php?showtopic=6159

  2. You guys are doing a great job there …