Oh Comodo here we go again!

Visiting the following Fraudware Antispyware site … I always check the “Buy now” (purchase) section to see where this will lead. Sadly it leads to yet another Comodo issued certificate …

You can see from the Microsoft Fiddler output where the site leads … I pasted the certificate info into the output …

Comodo states: “To get a DV cert all you need is a domain name and $15..and no background check about your identity is required.” As I stated in a previous post … perhaps you should at least check the domain name … duh! that would be a good first clue … but I guess the $15 is more important?

These culprits were first reported on Thursday, April 16, 2009 – A Diverse Portfolio of Fake Security Software – Part Nineteen and later by the SunBelt blog where both these domains reside on the same IP (iSystem Inc.)

Seems iSystem Inc also controls several other (malicious) domains … including “malwarecatcher. net” which is associated with “updvms. net” and this is where it get interesting …

(Image edited for display purposes)

Well look at that! directories for (left column) several malicious domains … and the typical files found in each (right column)
Extraantivirus, Fastantivirus09, Malwarecatcher, Prestotuneup, and on and on … so you can see there is no doubt all these domains are malicious as well as the files … when I attempted to download “EXAVR/BankSetupRelease.exe” my AV (NOD32) detected this as a variant of Win32/Kryptik.JQ trojan

I mentioned in my last post a malicious domain (secure.xsoftstore.com) which Comodo stated they revoked the certificate … what gets me is I suggested that they at least should check the domain names … well it seems they didn’t look into this either …

== Server Certificate ==========
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
[Not Before]
  4/29/2009 8:00:00 PM
[Not After]
  7/29/2009 7:59:59 PM

If Comodo had bothered to check … they would have found all these domains are related … [Whois link here]

All this for $15 … my things must be really bad? …

Comments are closed.