Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Malvertizing domains: go-scan-pro.com (and friends)…

October 19th 2008 in Uncategorized

Hit this one today:

go-scan-pro.com – 78.157.143.184 – Latvia, Vdhost Ltd
ICANN Registrar: REGTIME LTD.
Created on: 7 October 2008
NS: NS1.SITELUTIONS.COM
NS: NS2.SITELUTIONS.COM

Registrant:
   Petr Bernatzik
   Email: feetecho@gmail.com
   Organization: Bernatzik Co
   Address: Dobevska 877/4
   City: Praha
   State: Kamyk
   ZIP: 14300
   Country: CZ
   Phone: +420.60176712
   Fax:

Shared IP:

SITELUTIONS.COM – 69.26.178.224 – New Jersey – Englishtown – Inforelay Online Systems Inc
ICANN Registrar: Enom, Inc
Created: 11 July 2002

Exposure via:
boldmoves.net/modulesBAK/mod_wrap/cnaeldr.html

Note: The browser hijack does not occur if the URL is accessed directly (the server returns a 404 Not Found error), but it does occur if the page is reached by following a search engine result.
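As an added example (not code from the original post), a small script that checks for exactly this referrer-conditional behaviour, so an investigator can confirm it before reporting a site; the URL, the Referer values and the stub server standing in for the site are constructed, and `fetch` is a hypothetical callable:

```python
# Added example (not from the original post): does a URL serve different
# content depending on the Referer header, as the note above describes?
# `fetch` is a hypothetical callable (url, referer) -> (status, body).
import hashlib
import urllib.error
import urllib.request
# Constructed Referer values representing three kinds of visitor.
REFERERS = {
    "direct": None,
    "other_site": "http://example.net/page.html",
    "search_engine": "http://www.google.com/search?q=hdcp+graphics+card",
}

def classify_referer_gating(fetch, url):
    """Fetch `url` once per Referer kind and report how the response varies.
    Verdict: 'uniform', 'search_engine_only' (differs only for search traffic),
    'any_referer' (differs for every referred visitor) or 'mixed'."""
    seen = {}
    for kind, ref in REFERERS.items():
        status, body = fetch(url, ref)
        seen[kind] = (status, hashlib.sha256(body.encode()).hexdigest()[:12])
    direct, other, search = seen["direct"], seen["other_site"], seen["search_engine"]
    if direct == other == search:
        verdict = "uniform"
    elif direct == other and search != direct:
        verdict = "search_engine_only"
    elif direct != other and other == search:
        verdict = "any_referer"
    else:
        verdict = "mixed"
    return {"observations": seen, "verdict": verdict}

def urllib_fetch(url, referer):
    """Real fetch for live checks; 4xx/5xx are returned rather than raised."""
    req = urllib.request.Request(url, headers={"Referer": referer} if referer else {})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

# Constructed stub reproducing the note: 404 when visited directly or from an
# ordinary site, a redirecting page only when a search engine referred you.
def stub_fetch(url, referer):
    if referer and "/search?" in referer:
        return 200, '<script>location.href="http://REDIRECT-TARGET-PLACEHOLDER/";</script>'
    return 404, "Not Found"

if __name__ == "__main__":
    print(classify_referer_gating(stub_fetch, "http://example.org/cnaeldr.html"))
```

Run against a live page by passing `urllib_fetch` instead of `stub_fetch`; a verdict other than `uniform` means the server is keying its response on the Referer.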

Nasty code (see screenshot):

The directory boldmoves.net/modulesBAK/mod_wrap/ is wide open (see screenshot), revealing what must be hundreds of different HTML files, all dated 11 December 2007. There is also an IMG subdirectory that contains a couple of image files, and a 0-byte PHP file (xmlrpc.php).

The site’s admin and technical contacts have been notified.


3 comments to “Malvertizing domains: go-scan-pro.com (and friends)…”

Stephen Knight

Got redirected to http://Iascan-pro.com while googling HDCP-compliant graphics cards.

Took me 10 minutes to cancel the download and get away from the site.

A less knowledgeable person would have installed that and run it.

Not a good site at all.

http://s145.photobucket.com/albums/r225/lord_english/System/?action=view&current=hijack.png



sandi

The site owner and technical contact (according to WHOIS) have failed to respond to my email, and the site has not been cleaned up.

I have now contacted the hosting provider, Host Rocket, and asked them to get the site cleaned up.



John L. Otto

NOTICE:

If/when iascan-pro starts up, the BEST (and possibly only) way to stop it is to quickly hit Control-Alt-Del, go to the Processes tab, click on iexplore.exe and end the process.

