Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Circulating malvertizements: driveway and dreammates

June 11th 2008 in Uncategorized

First, driveway:

Next, dreammates:
You can see that both malvertizements use the same waytotheprofit campaign URL.

I ended up at goldenantispy.com on one occasion, and antispywaremaster on another and performanceoptimizer.com on another. You will end up at different sites depending on what country you reside in.

goldenantispy and antispywaremaster try to download software to visiting computers using the infamous Microsoft Dynamic HTML Editing Control (Safe for Scripting) that has been removed from Vista.  If a computer is running Windows Vista, and is up to date with security patches, then infection is difficult if not impossible to achieve without user interaction.  Be warned, though, that I was testing with a bare metal version of Windows. There is every chance that other exploits affecting non-Microsoft products could be used at any time to attempt to infect systems.

The site also utilises archive.easydownloadsoft.com to distribute its wares, specifically:


I’m also seeing adnetserver.com and b2adz.com, as well as prevedmarketing.com, waytotheprofit.com and statgroup.net.


There are several domains related to goldenantispy.com, including:

meinbesterschutz.com, virusvakt.com, zebraantivirus.com, pcprivacytool.com and virusstopper.com, as well as antispyarecontrol.com, antispywaresuite.com, winanonymous.com, winpcdoctor.com, winspycontrol and anchisupaisutsu.com

goldenantispy.com is registered via tucows, and has as an admin contact webstarhosting@yahoo.com.

Its mail server is mail.prevedhosting.com (regular readers of my blog will recognize that name).


antispywaremaster.com is also registered via tucows, and has an administrative contact that I recognize, being “no_name_inc@yahoo.com” aka “John Green”.

antispywaremaster.com has “relationships” with diskretter.com (a name I recognize as being involved with malvertizement incidents in the past), schijfbewaker.com, toolsicuro.com, exterminadordevirus.com and securepccleaner.com.

If we dig deeper using robtex, we find relationships with antivirusmaqique.com, defensedudisque.com, erreuchasseur.com, fairukyua.com, qubbishremover.com, limpietodo.com, as well as name server relationships with advancedcleaner.com, antispywaresuite.com and avsystemcare.com as well as old classics such as drivecleaner.com, errorsafe.com, systemdoctor.com, winspycontrol.com and yourprivacyguard.com.
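The pivoting done by hand above (shared admin contact, shared mail server, shared name servers via robtex) can be automated. This is an added example, not code from the blog; it runs over a constructed record set in which only goldenantispy.com's admin contact and mail server come from the post, and every other value is invented. It also shows the check a practitioner needs: a pivot value used by too many domains (a big registrar's name servers, a webmail provider) proves nothing and must be ignored.

```python
from collections import defaultdict

# Constructed WHOIS/DNS-style records. Only goldenantispy.com's admin contact and
# mail server come from the post; all other values are made up for illustration.
RECORDS = [
    {"domain": "goldenantispy.com", "email": "webstarhosting@yahoo.com",
     "mx": "mail.prevedhosting.com", "ns": "ns1.bigregistrar.example"},
    {"domain": "winpcdoctor.com", "email": "WebStarHosting@yahoo.com",
     "mx": "mail.other-host.example", "ns": "ns1.other-host.example"},
    {"domain": "virusvakt.com", "email": "someone@example.net",
     "mx": "mail.prevedhosting.com", "ns": "ns1.bigregistrar.example"},
    {"domain": "florist.example", "email": "owner@florist.example",
     "mx": "mx.florist.example", "ns": "ns1.bigregistrar.example"},
    {"domain": "bakery.example", "email": "owner@bakery.example",
     "mx": "mx.florist.example", "ns": "ns1.bakery.example"},
]

def cluster_domains(records, pivots=("email", "mx", "ns"), max_shared=2):
    """Group domains linked by a shared pivot value (union-find). A value carried by
    more than max_shared domains is too common to prove a relationship and is skipped."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path compression
            d = parent[d]
        return d
    index = defaultdict(set)  # (pivot, normalised value) -> domains carrying it
    for r in records:
        for p in pivots:
            if r.get(p):
                index[(p, r[p].strip().lower())].add(r["domain"])
    for domains in index.values():
        if len(domains) <= max_shared:  # ignore registrar-wide / webmail-wide values
            first, *rest = sorted(domains)
            for d in rest:
                parent[find(d)] = find(first)
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def shared_pivots(records, domain, pivots=("email", "mx", "ns")):
    """Raw evidence behind a link: (other_domain, pivot, value) for every match."""
    me = next(r for r in records if r["domain"] == domain)
    return sorted((r["domain"], p, me[p].lower()) for r in records for p in pivots
                  if r["domain"] != domain and me.get(p) and r.get(p)
                  and me[p].lower() == r[p].lower())
```

cluster_domains(RECORDS) groups goldenantispy.com, winpcdoctor.com and virusvakt.com together while the two shops that merely share the registrar's name servers stay in their own cluster; raise max_shared to 10 and that shared name server pulls all five domains into one group, which is exactly the false link the threshold exists to prevent.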
