Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

akamahi, newbieadguide, thetechnorati and vozemiliogaranon move on again

January 24th 2008 in Uncategorized

The malware domains we have been featuring have moved on again – they are no longer hosted by Denit Internet Services, Amsterdam.


But it looks, this time, like the bad guys need a break from moving from host to host to host.


akamahi.net (190.15.64.185) (securehost.com)
newbieadguide.com (190.15.64.188) (securehost.com)
thetechnorati.com (190.15.64.191) (securehost.com)
vozemiliogaranon.com (190.15.64.192) (securehost.com)


Now remember, there is a slew of malicious domains hosted within the IP range 190.15.73.x (also securehost.com), so we are not at all surprised that the bad guys have come to rest there.


To recap, first the domains were hosted by nine.ch but were dumped after the malicious advertisement that appeared on blick.ch, then they were briefly hosted by netrouting.eu, followed by FastServers, then by Denit Internet Services.
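The hop-by-hop tracking described above can be automated. The following is an added example in Python, not the post's own tooling: it keeps a log of domain, resolved IP and hosting provider, reports every hosting change, flags landings inside the securehost.com ranges the post names (treating them as /24 blocks is an assumption made here), and renders a per-provider list that can go straight into an abuse complaint. Only the four 190.15.64.x addresses come from the post; the earlier hops use constructed RFC 5737 documentation addresses as stand-ins.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Netblocks to treat as bad reputation. The post names 190.15.73.x as a range full of
# malicious domains and 190.15.64.x as where the four domains landed; the /24
# boundaries are an assumption made for this example.
BAD_NETBLOCKS = {
    ip_network("190.15.73.0/24"): "securehost.com 190.15.73.x cluster",
    ip_network("190.15.64.0/24"): "securehost.com 190.15.64.x landing range",
}

# Constructed observation log: (day, domain, resolved IP, hosting provider).
# The securehost.com rows use the addresses from the post. The earlier hops use
# RFC 5737 documentation addresses as stand-ins, since the post gives no IPs for them.
OBSERVATIONS = [
    (1, "akamahi.net", "192.0.2.10", "netrouting.eu"),
    (1, "newbieadguide.com", "192.0.2.11", "netrouting.eu"),
    (5, "akamahi.net", "198.51.100.20", "Denit Internet Services"),
    (5, "newbieadguide.com", "198.51.100.21", "Denit Internet Services"),
    (9, "akamahi.net", "190.15.64.185", "securehost.com"),
    (9, "newbieadguide.com", "190.15.64.188", "securehost.com"),
    (9, "thetechnorati.com", "190.15.64.191", "securehost.com"),
    (9, "vozemiliogaranon.com", "190.15.64.192", "securehost.com"),
]


def bad_block_for(ip):
    """Return the label of the known-bad netblock containing ip, or None."""
    addr = ip_address(ip)
    for net, label in BAD_NETBLOCKS.items():
        if addr in net:
            return label
    return None


def detect_moves(observations):
    """Return one record per hosting change, in time order, noting bad-block landings."""
    last = {}   # domain -> (ip, provider) from the most recent observation
    moves = []
    for day, domain, ip, provider in sorted(observations):
        prev = last.get(domain)
        if prev is not None and prev[0] != ip:
            moves.append({
                "day": day,
                "domain": domain,
                "from": prev[0],
                "from_provider": prev[1],
                "to": ip,
                "to_provider": provider,
                "bad_block": bad_block_for(ip),
            })
        last[domain] = (ip, provider)
    return moves


def current_hosting(observations):
    """Map each provider to the domains it hosts as of the latest observation."""
    latest = {}
    for _day, domain, ip, provider in sorted(observations):
        latest[domain] = (ip, provider)   # later days overwrite earlier ones
    by_provider = defaultdict(list)
    for domain, (ip, provider) in sorted(latest.items()):
        by_provider[provider].append((domain, ip))
    return dict(by_provider)


def abuse_report_lines(observations):
    """Render per-provider hosting lists in a form that can go into an abuse complaint."""
    lines = []
    for provider, hosted in current_hosting(observations).items():
        lines.append(f"{provider}:")
        for domain, ip in hosted:
            flag = bad_block_for(ip)
            lines.append(f"  {domain} -> {ip}" + (f"  [{flag}]" if flag else ""))
    return lines


if __name__ == "__main__":
    for move in detect_moves(OBSERVATIONS):
        marker = " <-- known-bad netblock" if move["bad_block"] else ""
        print(f"day {move['day']}: {move['domain']} moved {move['from']} "
              f"({move['from_provider']}) -> {move['to']} ({move['to_provider']}){marker}")
    print()
    print("\n".join(abuse_report_lines(OBSERVATIONS)))
```

In practice the observation log would be fed by a scheduled resolver run against the watch list; keeping the provider name alongside the IP is what makes the per-provider grouping (and the upstream escalation the post goes on to suggest) straightforward.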


I think the next thing that we need to consider, bearing in mind the deep involvement of securehost.com in facilitating the distribution of fraudware, is to include SecureHost’s upstream provider in any complaints about the hosted domains. 


Securehost may ignore complaints from the world at large, but if *their* bandwidth provider threatens to pull the pin, well that can be much harder to ignore…


Is it any surprise somebody has gotten grumpy and has been subscribing one of my public email addresses to a slew of mailing lists? Oh well, if they want to devote valuable time to such games, then they’re welcome to waste it – it will only take me a few seconds to set up some appropriate mail rules to automatically delete the results of such shenanigans once I decide that the game is boring – there are plenty of common, yet unique, characteristics in “welcome to; you have joined; you have subscribed” email messages that make filtering too easy.
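The mail rule sketched above can be made concrete. What follows is an added example in Python, not the author's own rules or any particular mail client's filter: it matches the phrases the post lists (plus two common variants that are an assumption here) and, going a step beyond the post, counts how many distinct senders' confirmations reach one address inside a short window, which is what separates a deliberate mass-subscription wave from the occasional genuine sign-up. The sample messages are constructed for the example.

```python
import email
import re
from collections import defaultdict
from datetime import timedelta
from email.utils import parseaddr, parsedate_to_datetime

# Phrases the post calls out ("welcome to", "you have joined", "you have subscribed"),
# plus two common variants that are an assumption for this example.
CONFIRMATION_PHRASES = [
    r"\bwelcome to\b",
    r"\byou have (been )?(joined|subscribed)\b",
    r"\bconfirm your subscription\b",
    r"\bsubscription confirmation\b",
]
PHRASE_RE = re.compile("|".join(CONFIRMATION_PHRASES), re.IGNORECASE)

# Constructed sample messages; the lists, hosts and addresses are made up.
RAW_MESSAGES = [
"""From: bot@lists-a.example.net
To: victim@example.com
Date: Thu, 24 Jan 2008 10:00:00 +0000
Subject: Welcome to the Gardening Tips list
List-Id: <gardening.lists-a.example.net>

You have been subscribed. Reply to this message to unsubscribe.
""",
"""From: noreply@forum-b.example.org
To: victim@example.com
Date: Thu, 24 Jan 2008 10:05:00 +0000
Subject: You have joined forum-b

Thanks for joining. Your username is victim.
""",
"""From: billing@shop.example.com
To: victim@example.com
Date: Thu, 24 Jan 2008 10:07:00 +0000
Subject: Invoice for January

Your January invoice is attached.
""",
"""From: confirm@digest-c.example.net
To: victim@example.com
Date: Thu, 24 Jan 2008 10:12:00 +0000
Subject: Please confirm your subscription to Daily Digest

Click the link below to confirm.
""",
"""From: owner@club-d.example.org
To: victim@example.com
Date: Thu, 24 Jan 2008 10:20:00 +0000
Subject: Welcome to Club D

Glad to have you aboard.
""",
"""From: bot@lists-a.example.net
To: other@example.com
Date: Thu, 24 Jan 2008 10:03:00 +0000
Subject: Welcome to the Gardening Tips list

You have been subscribed.
""",
]
MESSAGES = [email.message_from_string(raw) for raw in RAW_MESSAGES]


def is_subscription_confirmation(msg):
    """True when the subject or a plain-text body carries a confirmation phrase."""
    if PHRASE_RE.search(msg.get("Subject", "")):
        return True
    payload = msg.get_payload()   # str for the single-part messages used here
    return isinstance(payload, str) and bool(PHRASE_RE.search(payload))


def confirmation_burst(messages, window=timedelta(minutes=30)):
    """Per recipient, the largest number of distinct senders whose confirmations fall
    inside any interval of length `window`. One is normal; several within minutes is
    the signature of someone mass-subscribing that address."""
    events = defaultdict(list)
    for msg in messages:
        if not is_subscription_confirmation(msg):
            continue
        rcpt = parseaddr(msg.get("To", ""))[1].lower()
        sender = parseaddr(msg.get("From", ""))[1].lower()
        events[rcpt].append((parsedate_to_datetime(msg["Date"]), sender))
    worst = {}
    for rcpt, seen in events.items():
        seen.sort()
        best, start = 0, 0
        for end in range(len(seen)):          # sliding window over sorted arrivals
            while seen[end][0] - seen[start][0] > window:
                start += 1
            best = max(best, len({s for _, s in seen[start:end + 1]}))
        worst[rcpt] = best
    return worst


if __name__ == "__main__":
    for msg in MESSAGES:
        tag = "confirmation" if is_subscription_confirmation(msg) else "keep"
        print(f"{tag:12} {msg['To']:20} {msg['Subject']}")
    print(confirmation_burst(MESSAGES))
```

A mail client rule on the subject phrases alone does what the post describes; the burst count is the extra check worth adding, because it lets the filter fire only while an address is actually being flooded and leave ordinary sign-ups alone. Routing the matches to a folder rather than deleting them outright also means a legitimate notification that arrives in the middle of the noise can still be found.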





IP 83.149.75.50 detected as subscribing one of my email addresses to a mailing list without permission.
Reduce it down to 83.149.75… do a Google search.. and what do we find?   Connections with malware…. “malwarewipe.com”????
http://board.protecus.de/t25767.htm
“http://malwarewipe.com/images/blue-gray-stripe.gif – deleted
http://83.149.75.51/count/l.php?pl=Win32&ce=true&id=rrd – deleted
http://www.surveyswages.com/img/laptop9.gif – deleted
http://dl.web-nexus.net/exclurls.php
“83.149.75.” is a blocked IP.
Coincidence? 
What’s cool is that I have only scratched the surface so far….. […]
