Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Another Directi registered fraudware domain

October 16th 2008 in Uncategorized

It seems to me that Directi is not even close to cleaning up its act, and they certainly don’t seem to be keeping away from domains that are used to facilitate the distribution of fraudware. Just over the past few days I have encountered quicktds.com (which had been registered since 16 Sept), pcvirusbuster.com (registered 7 October), vsemutorba.com (registered on 2 April 2008), quicktds.name (registered 16 September), trap17.com (registered 9 May 2004), orderbox-dns.com (registered 2 July 2004), computinghost.com, trusted-scanner.com (registered 30 September), antivirus-fullscan.com (registered 7 October), and now royalproscan.com.

Here’s the problem – this domain was created on 13 October 2008. It is now 16 October 2008. The bad guys have had 3 days to make good use of their latest domain.

royalproscan.com (216.240.134.211 – California – Irvine – Go2online Corp)
ICANN Registrar: Directi Internet Solutions
Created: 13 October 2008
NS: DOMISHKO.EARTH.ORDERBOX-DNS.COM (has 37,446 domains)
NS: DOMISHKO.MARS.ORDERBOX-DNS.COM
NS: DOMISHKO.MERCURY.ORDERBOX-DNS.COM
NS: DOMISHKO.VENUS.ORDERBOX-DNS.COM
WHOIS: Hidden behind privacyprotect.org

Fraudware URL:
royalproscan.com/2009/1/freescan.php?id=<<snipped>>
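The two signals the write-up above leans on, a domain registered only days before it shows up serving fraudware and a batch of suspect domains sharing one name-server zone, are easy to check mechanically across a list of records. The script below is an added example and is not code from this blog or from Directi. Only the royalproscan.com row repeats the record given above; the other rows reuse registration dates the post quotes (year assumed 2008 where the post omits it) and use constructed placeholder name servers under `.invalid`, so the shared-infrastructure grouping they produce is illustrative only. The observation date is the post’s own date, 16 October 2008.

```python
"""Domain-age and shared-name-server triage for a list of suspect domains.

Added example, not code from the Spyware Sucks post. The royalproscan.com row is
the record from the post; the other rows reuse dates the post quotes (year
assumed 2008 where omitted) with constructed placeholder name servers.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed input, one record per line: domain | created | name servers (comma separated)
RECORDS_TEXT = """\
royalproscan.com       | 13 October 2008   | DOMISHKO.EARTH.ORDERBOX-DNS.COM, DOMISHKO.MARS.ORDERBOX-DNS.COM, DOMISHKO.MERCURY.ORDERBOX-DNS.COM, DOMISHKO.VENUS.ORDERBOX-DNS.COM
antivirus-fullscan.com | 7 October 2008    | ns1.placeholder-dns.invalid, ns2.placeholder-dns.invalid
pcvirusbuster.com      | 7 October 2008    | ns1.placeholder-dns.invalid, ns2.placeholder-dns.invalid
trusted-scanner.com    | 30 September 2008 | ns1.other-dns.invalid
quicktds.com           | 16 September 2008 | ns1.other-dns.invalid
trap17.com             | 9 May 2004        | ns1.longstanding.invalid
orderbox-dns.com       | 2 July 2004       | ns1.longstanding.invalid
"""


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    created: date
    name_servers: tuple


def parse_record(line: str) -> DomainRecord:
    """Parse one 'domain | created | ns, ns' line; dates use the post's '13 October 2008' form."""
    domain, created, ns = (part.strip() for part in line.split("|"))
    return DomainRecord(
        domain=domain.lower(),
        created=datetime.strptime(created, "%d %B %Y").date(),
        name_servers=tuple(h.strip().lower() for h in ns.split(",") if h.strip()),
    )


def parse_records(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def domain_age_days(record: DomainRecord, observed: date) -> int:
    """Whole days between registration and the day the domain was seen in use."""
    return (observed - record.created).days


def flag_new_domains(records, observed: date, max_age_days: int = 30) -> list:
    """Return (domain, age_days) for domains registered within max_age_days of observation, newest first.

    Registrations dated after the observation are skipped: that is a data error, not a young domain.
    """
    hits = [(r.domain, domain_age_days(r, observed)) for r in records
            if 0 <= domain_age_days(r, observed) <= max_age_days]
    return sorted(hits, key=lambda pair: pair[1])


def ns_zone(host: str) -> str:
    """Registrable zone of a name-server host, approximated as its last two labels.

    Good enough for .com/.net style hosts; a public-suffix list is needed for zones like .co.uk.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shared_ns_zones(records) -> dict:
    """Map each name-server zone to the sorted domains using it; only zones shared by more than one domain are kept."""
    zones = defaultdict(set)
    for r in records:
        for host in r.name_servers:
            zones[ns_zone(host)].add(r.domain)
    return {zone: sorted(domains) for zone, domains in zones.items() if len(domains) > 1}


if __name__ == "__main__":
    records = parse_records(RECORDS_TEXT)
    seen = date(2008, 10, 16)  # the post's date
    for domain, age in flag_new_domains(records, seen):
        print(f"{domain:24s} registered {age:3d} day(s) before it was seen in use")
    for zone, domains in shared_ns_zones(records).items():
        print(f"{zone}: {', '.join(domains)}")
```

Run stand-alone it lists royalproscan.com at 3 days old, then the other 2008 registrations in age order, and leaves the 2004 registrations out; the zone report shows only the constructed placeholder zones because royalproscan.com is the one record here that actually names an orderbox-dns.com server. The 30-day cut-off is a tunable for triage, not a verdict: a young domain is a reason to look closer, not proof of fraud.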

3 comments to “Another Directi registered fraudware domain”

redwolfe_98

It looks like “royalproscan.com” is dead now. I suppose that “directi” shut it down once you brought it to their attention.



redwolfe_98

In Kimberly’s latest posts at Bluetack, she mentioned several malicious domains that were hosted by “directi”, but when I checked, many of them, if not all of them, had been shut down. So it looks to me like Directi is doing well in shutting down malicious domains. However, maybe Directi needs people like you and Kimberly to bring the malicious domains to their attention before they do anything about them.



Charlie Niehaus

“directi” needs to be PROactive and not REactive in this case. Having a bot handle website registrations and setup may seem like it will save you money, but when you look at the time it takes to hunt down and wipe out the malware sites as they come in and the loss of revenue because you ARE hosting malware spewing sites, it might be worth the $$ to hand register the sites AND check what is being hosted there.

