Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Malvertizing domains: go-scan-pro.com (and friends)…

October 19th 2008 in Uncategorized

Hit this one today:

go-scan-pro.com – Latvia – Vdhost Ltd
Created on: 7 October 2008

   Petr Bernatzik
   Email: feetecho@gmail.com
   Organization: Bernatzik Co
   Address: Dobevska 877/4
   City: Praha
   State: Kamyk
   ZIP: 14300
   Country: CZ
   Phone: +420.60176712

Shared IP:

SITELUTIONS.COM – New Jersey – Englishtown – Inforelay Online Systems Inc
ICANN Registrar: Enom, Inc
Created: 11 July 2002

Exposure via:

Note: the browser hijack does not occur if the URL is accessed directly (the server returns a 404 Not Found), but it does occur if the site is reached via a search engine.
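One way a site operator can check for this kind of referrer-dependent cloaking, as an added example that is not code from the original post: fetch the URL once directly and once with a search-engine Referer header, then report any status change or hijack marker that appears only in the referred response. The referrer string, the marker patterns and the simulated hijacked page are assumptions.

```python
import re
import urllib.error
import urllib.request

# Assumed search-engine referrer used to trigger the cloaked behaviour.
SEARCH_REFERER = "https://www.google.com/search?q=hdcp+compliant+graphics+cards"

# Hijack markers: meta refresh, JS location rewrite, externally hosted script.
# Only markers present solely in the search-referred response are reported.
HIJACK_RE = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh"
    r"|(?:window|document|top)\.location(?:\.href)?\s*="
    r"|<script[^>]+src=[\"']https?://[^\"']+",
    re.IGNORECASE,
)

def fetch_with_urllib(url, headers):
    """Live fetcher: returns (status, body); urllib follows HTTP redirects."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read(512_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_referrer_cloaking(url, fetch=fetch_with_urllib):
    """Fetch url directly and again as if arriving from a search engine;
    flag a status mismatch or markers present only in the referred case."""
    base = {"User-Agent": "Mozilla/5.0 (site integrity check)"}
    direct_status, direct_body = fetch(url, base)
    ref_status, ref_body = fetch(url, {**base, "Referer": SEARCH_REFERER})
    direct_hits = {m.group(0).lower() for m in HIJACK_RE.finditer(direct_body)}
    ref_hits = {m.group(0).lower() for m in HIJACK_RE.finditer(ref_body)}
    injected = sorted(ref_hits - direct_hits)
    return {
        "direct_status": direct_status,
        "referred_status": ref_status,
        "injected": injected,
        "cloaked": direct_status != ref_status or bool(injected),
    }

# Constructed stand-in for a hijacked page (not a real site): 404 when hit
# directly, but 200 with an injected external script when search-referred.
def simulated_hijacked_page(url, headers):
    if "google." in headers.get("Referer", ""):
        return 200, '<html><script src="http://malvertiser.invalid/s.js"></script></html>'
    return 404, "<h1>404 Not Found</h1>"
```

Run `check_referrer_cloaking` against a live URL with the default fetcher; the simulated fetcher exists so the logic can be exercised offline.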

Nasty code:



The directory boldmoves.net/modulesBAK/mod_wrap/ is wide open (see screenshot), revealing what must be hundreds of different HTML files, all dated 11 December 2007. There is also an IMG subdirectory that contains a couple of image files, and a 0-byte PHP file (xmlrpc.php).

The site’s admin and technical contacts have been notified.

3 comments to “Malvertizing domains: go-scan-pro.com (and friends)…”

Stephen Knight

Got redirected to http://Iascan-pro.com while googling HDCP-compliant graphics cards.

Took me 10 minutes to cancel the download and get away from the site.

A less knowledgeable person would have installed that and run it.

Not a good site at all.



The site owner, and technical contact (according to WHOIS) have failed to respond to my email, and the site has not been cleaned up.

I have now contacted the hosting provider, Host Rocket, and asked them to get the site cleaned up.

John L. Otto


If/when iascan-pro starts up, the BEST and possibly only way to stop it is to quickly hit Ctrl+Alt+Del, go to the Processes tab, click on iexplore.exe and end the process.

Nope, no surprise there. Cite: http://blogs.technet.com/mmpc/archive/2008/10/17/sql-injection-new-approach-for-win32-fakexpa.aspx Check out the exploits being used:

* MDAC remote code execution (MS06-014)
* ShockwaveFlash.ShockwaveFlash.9 exploit
* WebViewFolderIcon setSlice() exploit (MS06-057)
* Msdds.dll exploit (MS05-052)
* Microsoft Works exploit (MS08-052)
* Creative Software AutoUpdate Engine exploit
* Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
* Ourgame GLWorld GLIEDown2.dll exploit
* DirectAnimation.PathControl buffer overflow (MS06-067)

As […]
