Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

ALERT: change of domain details – newstat.net

November 28th 2008 in Uncategorized

Those of you who are regular readers of my blog will know that newstat.net has been associated with malvertizing in the past. Its WHOIS details have recently been changed.

Old details:

Serg
Moon
moon.serg@gmail.com
Krokus str.
Amsterdam
NL
31 334558757

New details:

John Brisbone  (larsonown@gmail.com)
Active Solutions
8255 S Michigan Ave 
Chicago, IL  60608
US
5676876812

John Brisbone is associated with 3 other domains: aboutstat.net, freeorangestats.com and newstat.net. Note that newstat.net’s Website title, at time of writing, is “BurnadsHome”, and aboutstat.net’s Website title is “UniqAds” – both are names familiar to the world of malvertizing, as is the name Serg Moon. As you’ll see later in this article, burnads.com is now defunct, as is uniqads.com (both have an IP address of 127.0.0.1), and it seems that whoever created the sites for newstat.net and aboutstat.net didn’t bother to properly edit the new sites’ code 😀

larsonown@gmail.com (which is used in association with several pseudonyms) is associated with 6 domains:  aboutstat.net, freeorangestats.com, getmosales.com, newstat.net, sexprofit.com and softwareprofit.com

Let’s follow the bouncing ball for a while – take a little peek at the ties that bind the above domains using various tools and services and see what we can find…. for example, we discover a couple of email addresses – admiragroup@yahoo.com and burnads_c@yahoo.com that might be worth a closer look.

We find a couple of other email addresses during our investigation – admiragroup@yahoo.com and burnads_c@yahoo.com. admiragroup@yahoo.com is associated with 6 domains: admiragroup.com, antispyexpert.com, antispyexpertpro.com, getmosales.com, malwarecrash.com and malwarecrashpro.com. burnads_c@yahoo.com is associated with two domains: burnads.com and the infamous netmediagroup.net.
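The e-mail pivots described above can be reproduced mechanically. This is an added example, not the blog author's own tooling: it groups the domains from the WHOIS records on this page into clusters that share a contact e-mail address. The names `WHOIS_CONTACTS`, `clusters` and `bridges` are hypothetical; the domain and e-mail pairs are copied from the records listed on this page.

```python
from collections import defaultdict

# (domain, contact e-mail) pairs copied from the WHOIS records on this page.
WHOIS_CONTACTS = [
    ("newstat.net", "moon.serg@gmail.com"),       # old registrant
    ("newstat.net", "larsonown@gmail.com"),       # new registrant
    ("aboutstat.net", "larsonown@gmail.com"),
    ("freeorangestats.com", "larsonown@gmail.com"),
    ("getmosales.com", "admiragroup@yahoo.com"),  # registrant
    ("getmosales.com", "larsonown@gmail.com"),    # admin contact
    ("sexprofit.com", "larsonown@gmail.com"),
    ("softwareprofit.com", "larsonown@gmail.com"),
    ("uniqads.com", "moon.serg@gmail.com"),
    ("admiragroup.com", "admiragroup@yahoo.com"),
    ("antispyexpert.com", "admiragroup@yahoo.com"),
    ("antispyexpertpro.com", "admiragroup@yahoo.com"),
    ("malwarecrash.com", "admiragroup@yahoo.com"),
    ("malwarecrashpro.com", "admiragroup@yahoo.com"),
    ("burnads.com", "burnads_c@yahoo.com"),
    ("netmediagroup.net", "burnads_c@yahoo.com"),
]

def clusters(pairs):
    """Connected components of domains linked through a shared contact e-mail."""
    parent = {}
    def find(x):  # union-find lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for domain, email in pairs:
        parent[find("d:" + domain)] = find("e:" + email.lower())
    groups = defaultdict(set)
    for node in list(parent):
        if node.startswith("d:"):
            groups[find(node)].add(node[2:])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

def bridges(pairs):
    """Domains whose records carry more than one contact e-mail (the pivot points)."""
    seen = defaultdict(set)
    for domain, email in pairs:
        seen[domain].add(email.lower())
    return {d: sorted(e) for d, e in seen.items() if len(e) > 1}

if __name__ == "__main__":
    print(clusters(WHOIS_CONTACTS))
    print(bridges(WHOIS_CONTACTS))
```

On e-mail addresses alone, burnads.com and netmediagroup.net stay in a separate cluster; the only tie to the rest on this page is the “BurnadsHome” site title on newstat.net, a weaker indicator that the example does not model.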

 

newstat.net


—–

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Website title: BurnadsHome
Created 1 February 2008
NS1.NEWSTAT.NET
NS2.NEWSTAT.NET
IP: 79.135.187.69 – Turkey – Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti
Registrant: John Brisbone (larsonown@gmail.com)

Reverse IP – several familiar names here:


———-

aboutstat.net


ICANN Registrar: TLDS, LLC DBA SRSPLUS
Website title: UniqAds
Created 1 February 2008
NS1.ABOUTSTAT.NET
NS2.ABOUTSTAT.NET
IP: 79.135.187.68 – Turkey – Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti
Registrant: John Bisbone, Active Solutions (larsonown@gmail.com)

Reverse IP – see aboutstat.net.

———-

freeorangestats.com

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Website title: None given
Created 3 October 2008
NS1.FREEORANGESTATS.COM
NS2.FREEORANGESTATS.COM
IP: 79.135.187.94 – Turkey – Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti
Registrant: John Bisbone, Active Solutions (larsonown@gmail.com)

Reverse IP – see aboutstat.net.

———-

getmosales.com

 

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Website title: GetMoSales – About
Meta Description: SoftwareProfit – affiliate software application. Earn money with the leading security software WinAntiVirus PRO 2006 and WinAntiSpyware 2006
Created 7 April 2008 (note meta description refers to 2006 fraudware)
NS1.GETMOSALES.COM
NS2.GETMOSALES.COM
NS3.GETMOSALES.COM
NS4.GETMOSALES.COM
IP: 67.205.102.229 – Canada – Iweb Dedicated Cl
Registrant: Billy A Schmitt (admiragroup@yahoo.com) – associated with 6 other domains
Admin Contact: Jason Lawrence (larsonown@gmail.com)


———-

sexprofit.com

ICANN Registrar: TUCOWS, INC
Website title: Sexprofit v2.0
Created 11 May 2002
NS1.SEXPROFIT.COM
NS2.SEXPROFIT.COM
NS3.SEXPROFIT.COM
NS4.SEXPROFIT.COM
IP: 213.189.9.106 – Noord-holland – Amsterdam – Trancepitt Services
Registrant: Adult Profit Inc, Carl Morrow (larsonown@gmail.com)

———-

softwareprofit.com

ICANN Registrar: TUCOWS, INC
Website title: Free online security software affiliate program – Softwareprofit
Meta Description: Free online affiliate program. Earn up to $30 per sale from your web site on any kind of traffic
Created 12 July 2000
NS1.SOFTWAREPROFIT.COM
NS2.SOFTWAREPROFIT.COM
NS3.SOFTWAREPROFIT.COM
NS4.SOFTWAREPROFIT.COM
IP: 84.243.252.175 – Netherlands – Gfx-cust-worldstream
Registrant: Softbuilder INC, Gary Berton (larsonown@gmail.com)

———-

burnads.com

ICANN Registrar: YESNIC CO. LTD
Website title: None given
Created 29 June 2006
NS1.BURNADS.COM
NS2.BURNADS.COM
NS3.BURNADS.COM
NS4.BURNADS.COM
IP: 127.0.0.1
Registrant: Ines Hadden (burnads_c@yahoo.com)

———-

uniqads.com

ICANN Registrar: TUCOWS INC
Website title: None given
Created 27 April 2007
NS1.UNIQADS.COM
NS2.UNIQADS.COM
NS3.UNIQADS.COM
NS4.UNIQADS.COM
IP: 127.0.0.1
Registrant: UniqAds, moon.serg@gmail.com

———-

admiragroup.com

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 19 October 2007
NS1.ADMIRAGROUP.COM.LAMEDELEGATIONSERVERS.COM (has 261 domains)
NS2.ADMIRAGROUP.COM.LAMEDELEGATIONSERVERS.COM
NS3.ADMIRAGROUP.COM.LAMEDELEGATIONSERVERS.COM
NS4.ADMIRAGROUP.COM.LAMEDELEGATIONSERVERS.COM
IP: Domain On Hold
Registrant details: Billy A. Schmitt (admiragroup@yahoo.com)

—–

antispyexpert.com

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2 April 2008
NS1.ANTISPYEXPERT.COM (has 1 domains)
NS2.ANTISPYEXPERT.COM
NS3.ANTISPYEXPERT.COM
NS4.ANTISPYEXPERT.COM
IP: 89.18.181.13 – Noord-holland – Amsterdam – Ion
Registrant details: Billy A. Schmitt (admiragroup@yahoo.com)

IP Range: 89.18.181.% – lots of fraudware-esque domains:

Advancedprivacyguard.com | Advancedprivacyguard2008.com | Advancedprivacyguardpro.com | Advancedprivacyguardsolution.com | Advancedprivacyguardtool.com | Advancedprivacysuite.com | Advancedprivacysuite2008.com | Advancedprivacysuite2009.com | Advancedprivacysuitepro.com | Antispyexpert.com | Antispyexpertpro.com | Antispywareexpert-scanner.com | Antispywareexpert-solution.com | Antispywareexpert-system.com | Antispywareexpertpro.com | Bestpcprivacycleaner.com | Cyberadvancedprivacysuite.com | Globaladvancedprivacyguard.com | Globaladvancedprivacysuite.com | Pc-cleanerpro.com | Pcadvancedprivacyguard.com | Pcadvancedprivacysuite.com | Pcprivacycleaner.com | Pcprivacycleanerpro.com | Personalpccleaner.com | Spywareremover2009pro.com | Swiftpcprivacycleaner.com | Yourpcprivacycleaner.com

—–

antispyexpertpro.com

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2 April 2008
NS1.ANTISPYEXPERTPRO.COM (has 1 domains)
NS2.ANTISPYEXPERTPRO.COM
NS3.ANTISPYEXPERTPRO.COM
NS4.ANTISPYEXPERTPRO.COM
IP: 89.18.181.13 – Noord-holland – Amsterdam – Ion
Registrant details: Billy A. Schmitt (admiragroup@yahoo.com)

—–

malwarecrash.com

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2 April 2008
NS1.MALWARECRASH.COM (has 1 domains)
NS2.MALWARECRASH.COM
NS3.MALWARECRASH.COM
NS4.MALWARECRASH.COM
IP: 89.238.137.75 – United Kingdom – Paradigm Systems Inc
Registrant details: Billy A. Schmitt (admiragroup@yahoo.com)

Reverse IP: antimalwareguard.com, antimalwareguardpro.com, antimalwaremasterpro.com, antispywareguard.com, antispywareguardpro.com, malwarecrash.com, malwarecrashpro.com

—–

malwarecrashpro.com

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2 April 2008
NS1.MALWARECRASHPRO.COM (has 1 domains)
NS2.MALWARECRASHPRO.COM
NS3.MALWARECRASHPRO.COM
NS4.MALWARECRASHPRO.COM
IP: 89.238.137.75 – United Kingdom – Paradigm Systems Inc
Registrant details: Billy A. Schmitt (admiragroup@yahoo.com)

—–

netmediagroup.net

ICANN Registrar: YESNIC CO. LTD
Created: 2 June 2006
NS1.NETMEDIAGROUP.NET (has 1 domains)
NS2.NETMEDIAGROUP.NET
NS3.NETMEDIAGROUP.NET
NS4.NETMEDIAGROUP.NET
IP: 127.0.0.1
Registrant details: Martin Such (burnads_c@yahoo.com)

—–

